

“WELL’s security program is particularly impressive, and security has clearly been a primary focus since the company’s beginning. WELL has made sure to consider the end-to-end data flow process, and they’ve conscientiously deployed all the necessary controls to best address safety, privacy, and potential risk.”
User Data and Privacy
WELL values the trust that our customers place in us to handle their data in a secure, respectful, transparent, and appropriate way. All of your data is hosted on WELL’s servers, housed in on-shore, SOC 2 accredited data centers, and accessed through your web browser (or our application). WELL enables covered entities to automate and communicate with patients in a way that permits compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
As a business associate to covered entities, WELL has adopted measures to ensure that we remain HIPAA compliant, as does any business associate we work with. WELL allows our customers to collect PHI in secure conversations over WELL only if the terms of use are followed and a business associate agreement is in place.


“Through the establishment and maintenance of a management system aligned to both the ISO 27001 and ISO 27701 standards, WELL has committed to a process that will perpetuate a virtuous cycle of continual improvement within the organization. The dedication and rigor with which WELL operates its management system ensure it will continue to excel as its compliance program grows and evolves.”
Data Security Features
WELL is built with your security in mind.
Secure Messaging
Static Code Scanning
We scan our code base (applying OWASP and SANS security principles) on a quarterly basis at a minimum.
Disaster Recovery
Infrastructure is maintained across two geographically separate availability zones with full technical recovery tests to ensure established recovery timelines can be met.
Intrusion Detection and Web Application Firewall
Firewalls are utilized to restrict access to systems and scan all transmissions into our network.
Real-Time Error Monitoring
Best-in-breed monitoring tools for both performance and security monitoring across our environment.
SOC 2 Accredited Data Centers
WELL’s information systems and technical infrastructure are hosted within world-class, SOC 2 accredited data centers in the United States.
Third-Party Risk Assessments and Audits
Periodic, independent, third-party audits to evaluate and audit our practices against best-in-class security frameworks.
Security Development Lifecycle (SDLC)
Established, secure coding practices with security tooling and automation to ensure a secure software build and deployment.
Scans, Testing, and Patching
Scanning, identification, and remediation of security vulnerabilities on servers, workstations, network equipment, applications, and all other key assets. We participate in both manual and automated independent third-party penetration testing.