Wellthy Trust Center
TRUSTED BY THE WORLD'S LEADING COMPANIES
Learn more about our commitment to security and compliance
FAQs
Member data shared with Wellthy by members is encrypted at-rest via AES-256 and in-transit via TLS 1.2 or higher.
Wellthy manages personal information in accordance with GDPR, including how information is collected, processed, and disclosed.
Wellthy builds its products, programs, and culture around the foundations of HIPAA.
Yes. On an annual basis, a formal, written IT / Security risk assessment is conducted based on relevant frameworks, advisories, or regulatory requirements. Our annual security risk assessment typically follows the National Institute of Standard and Technology (NIST), International Organization for Standardization (ISO), or Health Insurance Portability & Accountability Act (HIPAA) framework to ensure we are reviewing our security posture across the most relevant frameworks.
Yes. Wellthy performs external and internal penetration testing with an accredited third-party at least once per year and after any significant infrastructure or application upgrade or modification. Penetration testing includes network-layer, host-layer, and application-layer penetration testing where applicable
Yes. Our incident response program includes a step-by-step playbook for how to escalate, respond, and recover to platform, security, and privacy incidents. It also includes steps to review and conduct a lessons learned exercise for any incident. We follow strict notification timelines that can be shared upon request, or are otherwise detailed in our agreement with you. Our incident response plan is reviewed and tested annually by leadership.
Yes. Notification can happen via our Intrusion Prevention System / Intrusion Detection System (IPS/IDS) or manually by escalating it to our incident point-of-contact or emailing security@wellthy.com. Upon notification, we at minimum collect the date and time the incident was discovered, how the incident was discovered, contact information of the person making the report (if applicable), the nature of the incident, the equipment / systems that are involved, and the location of the equipment involved to the incident response team.
Yes. Wellthy has a variety of tools in place that log and monitor actions on our website, platform, and devices. Automated tools provide real-time monitoring and notification of suspected wrongdoing and vulnerability exploitation in a range of Wellthy technology aspects including network, production environment, operating systems, potential security breaches via a host and network intrusion detection system, containers, and firewalls.
Wellthy’s systems are implemented to monitor key operational metrics and to notify appropriate personnel when certain operational thresholds are reached. To help prevent and mitigate downtime and program sponsor impact, the monitoring of these key operational metrics is automated. This monitoring includes but is not limited to storage and drive space availability, Central Processing Unit (CPU) and memory utilization, required patches and updates and antivirus alerts.
Reporting a security issue
If you are a security expert or researcher, we appreciate your efforts to keep our customers safe. Please send details of the issue to security@wellthy.com. If you'd like to encrypt your message, please use our PGP public key. We will respond within one business day and assign a point of contact to follow up on the issue.
We take security seriously and are committed to supporting responsible disclosure of any issues you may uncover. We ask that you give our team a chance to research and address a vulnerability before disclosing it publicly.
Please use the User-Agent string wellthyvrpresearcher_yourwellthyusername while testing. Automated scanners or tools may send up to 5 requests per second, provided the specified User-Agent is used.
If you encounter user information that is not your own in the course of your research, please stop and report this activity to our team so we can investigate. Please report to us what information was accessed and delete the data. Do not save, copy, transfer, or otherwise use this data. Continuing to access another person’s data may be regarded as evidence of a lack of good faith.
The scope of this program applies to the following systems and services:
Any services not expressly listed above are excluded from scope and are not authorized for testing. This includes non-production versions of the site (i.e. demo or staging instances) and vulnerabilities found in systems from our vendors. If you aren’t sure whether a system is in scope or not, contact us at security@wellthy.com before starting your research.
The following are prohibited and will not be considered in scope for our program:
- Do not attempt to conduct post-exploitation, including modification or destruction of data,
and interruption or degradation of Wellthy services. - Do not attempt to access or modify another user’s account or data. Do not otherwise interfere
with any other users' accounts. - Do not attempt to target Wellthy employees or its customers, including social engineering attacks, phishing attacks or physical attacks.
- Do not perform physical attacks against any Wellthy facility.
- Do not interrupt or degrade our services. Do not attempt to perform brute-force attacks or denial-of-service attacks.
- Do not threaten or try to extort Wellthy. Do not act in bad faith and make ransom requests. You should simply report the vulnerability to us.
Acknowledgements
We would like to thank the following people: