Security at Welli

Your health data deserves the highest level of protection. Here's how we keep it safe.

Last updated: January 1, 2026 · Effective: January 1, 2026

01. Our Approach to Security

Welli is built with a security-first mindset. We treat your health information with the highest level of care, applying defense-in-depth principles across every layer of our platform — from infrastructure to application code.

Our security program is continuously reviewed and improved to address emerging threats. We follow industry best practices and align with recognized frameworks to ensure your data remains protected at all times.

02. Data Encryption

All data transmitted between your device and Welli is encrypted using TLS 1.3, the latest industry standard for transport security. This ensures that your information cannot be intercepted or tampered with in transit.

Data at rest is encrypted using AES-256, the same encryption standard trusted by governments and financial institutions worldwide. Encryption keys are managed through a secure key management service with automatic rotation.

03. Infrastructure Security

Welli is hosted on enterprise-grade cloud infrastructure that meets SOC 2, ISO 27001, and other compliance standards. Our systems run in isolated environments with strict network segmentation and firewall rules.

We use automated vulnerability scanning, intrusion detection, and continuous monitoring across our infrastructure. All access to production systems requires multi-factor authentication and is logged for audit purposes.

04. Authentication & Access Control

User accounts are protected with modern authentication protocols, including support for multi-factor authentication. Passwords are hashed using bcrypt with salting, making them resistant to brute-force attacks.

Internally, we follow the principle of least privilege — team members only have access to the systems and data required for their role. All access is reviewed regularly, and permissions are revoked promptly when no longer needed.

05. Application Security

Our development practices include code reviews, static analysis, and automated security testing integrated into our CI/CD pipeline. Every change is reviewed before deployment, and we follow secure coding guidelines across the team.

We implement protections against common vulnerabilities including SQL injection, cross-site scripting (XSS), cross-site request forgery (CSRF), and other OWASP Top 10 risks. Row-level security is enforced at the database layer to prevent unauthorized data access.

06. Incident Response

We maintain a documented incident response plan that is tested and updated regularly. In the event of a security incident, our team follows a structured process for containment, investigation, remediation, and communication.

If a breach affecting your personal data is confirmed, we will notify you and relevant authorities promptly in accordance with applicable laws. We conduct post-incident reviews to identify root causes and prevent recurrence.

07. Third-Party & Vendor Security

We carefully evaluate the security posture of every third-party service and vendor we integrate with. Each vendor must meet our security requirements before being approved, and we conduct periodic reassessments.

Data shared with third parties is limited to what is strictly necessary. We use contractual safeguards, including data processing agreements, to ensure third parties handle your information in accordance with our standards.

08. Responsible Disclosure

We value the security research community and welcome reports of potential vulnerabilities. If you discover a security issue, please report it to security@welli.com. We ask that you give us reasonable time to investigate and resolve the issue before disclosing it publicly.

We are committed to working with researchers in good faith. We will not pursue legal action against individuals who report vulnerabilities responsibly and in accordance with this policy. We aim to acknowledge reports within 48 hours and provide resolution timelines promptly.

09. Compliance & Standards

While Welli is not a covered entity under HIPAA, we voluntarily implement HIPAA-level protections for all health information shared on our platform. This includes administrative, physical, and technical safeguards.

We comply with applicable data protection regulations including the CCPA for California residents and GDPR for European users. Our security practices are aligned with SOC 2 Type II requirements, and we are continuously working toward formal certification.