Security & Privacy

Password and Credential Storage

Wellcome enforces a password complexity standard. Credentials are stored using a PBKDF function (bcrypt).

Reliability

Uptime

We have uptime of at least 99.9%.

We understand how important it is to be reliable and aspire to an uptime of at least 99.9% and higher.

Offline mode

If the iPad is offline, both employees and visitors should scan the QR code on the poster to check-in. The appropriate visitor type should be selected to ensure the type of check-in is accurately reflected in reports. Email hello@wellcome.me to request a poster

Network and platform security

Data Hosting and Storage

Wellcome’s services and data are hosted by Amazon Web Services (AWS). The facilities are located in Australia (ap-southeast-2).

When your iPad is connected to a network, the data is synced to the Wellcome database automatically. All records are stored in Wellcome’s database. Backups are taken every day. AWS oversees the physical security of these facilities and tightly controls who has access.

Permissions and Authentication

Only authorized employees who require access for their jobs are granted access to customer data. Wellcome is served with constant SSL/TLS encryption and data protection. We use 2-factor authentication (2FA), SAML Single Sign-on (SSO), and strong password policies on GitHub, AWS, Google, and Wellcome, ensuring that we protect all access to the cloud services.

Data Encryption

All customer data sent to or from Wellcome is encrypted while in transit using 256-bit encryption. Our API and platform endpoints are TLS/SSL only. This means we only use strong cipher suites and have features such as HSTS and Perfect Forward Secrecy fully enabled.

We transfer all customer data securely using TLS v1.2 and above from the iPad app and Wellcome Admin Portal to the cloud. All requests are routed through CloudFront which acts as a firewall. Our IT infrastructure is 100% cloud-based.

Pentests, Vulnerability Scanning, and Bug Bounty Program

Our security team are always on hand to respond to any security issues raised. Twice every year,we engage third-party security experts to carry out detailed penetration tests on the Wellcome platform and infrastructure.

We proactively seek out and address vulnerabilities and exposures in Wellcome’s code and dependencies via automated tools, peer-review, and penetration tests. Email us at hello@wellcome.me to submit a bug.

Incident Response

Wellcome has a protocol for handling security incidents which include escalation procedures, rapid mitigation, and post mortem within 24 hours of the incident.


Additional Security features

Training

All Wellcome employees have to complete Security and Awareness training annually.

Policies

Wellcome has developed a comprehensive set of security policies covering a range of topics. These policies are updated frequently and shared with all employees and contractors.

Confidentiality

All employee and contractor contracts include a confidentiality agreement.

PCI Obligations

All payments made to Wellcome go through our partner, Stripe. Details about their security setup and PCI compliance can be found on Stripe’s security page.

Security questions

If you think you may have found a security vulnerability, please get in touch with our security team by contacting us at hello@wellcome.me.

Learn more about Wellcome by reading our Terms of Service and Privacy Policy.

Our infrastructure

Data retention

Wellcome only stores your data while you’re a customer, except for visitor responses to health and safety questionnaires. Visitor responses are sent to Wellcome’s servers where the response is securely stored. Whether an employee or visitor was approved or denied entry by Wellcome’s system is stored on Wellcome’s databases unless deleted.

We only delete or purge data upon explicit request. Customer data is available for download as a CSV file through the Admin Portal data can be anonymized, which removes all personally identifiable information from your Check-in Log, upon request. Wellcome may retain customer data for up to 30 days after the termination of the contract.

Protecting your privacy

Privacy policy

We believe a strict policy to respect the customer data privacy is important. We will never sell your visitor or employee data. The only reason our customer support team will access your account is in the event of an issue that requires real-time access.

Employee privacy

If you choose to ask questions about employee’s health, we keep all responses are kept private. Your team will not have access to responses in any form, whether through the Admin Dashboard, report, or otherwise. Administrators can see if an employee was approved or denied entry based on their responses.

Visitor privacy

Wellome allows you to ask questions about health using the QR code that is scanned. Responses to questions about your visitor’s health via Wellcome are kept private. Your team won’t have access to visitor responses in any form, either through the Admin dashboard, reports or otherwise. To help keep your employees safe, admins can see if a visitor was approved or denied entry based on their responses.

Supporting your compliance needs

We understand the impact that compliance requirements have on your business. That’s why we're committed to providing features that may help you with your compliance strategies, in addition to enhancing our own body of compliance certifications.

Wellcome helps support compliance with the following standards and regulations:

California Consumer Privacy Act (CCPA)

Wellcome complies with the CCPA (California Consumer Privacy Act).  As currently defined in CCPA, Wellcome operates as a Service Provider under CCPA to its customers.

When you visit our website or use our services, we realize you are entrusting us with your information. We are committed to keeping that trust, and that starts with sharing our privacy practices including helping our customers and users understand and exercise their rights under the CCPA.

Please contact us at hello@welcome.me to request any of the following regarding CCPA:

  • Information on how Wellcome is complying with CCPA
  • Our Data Processing Agreement as it pertains to CCPA
  • To review, correct, update, delete or otherwise modify any of your data that may have been collected through Wellcome
  • To unsubscribe from marketing emails

EU General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) is a set of regulations designed to harmonize data privacy laws across Europe and strengthen privacy regulations for citizens of the European Union. In addition to all organizations within the EU, GDPR also applies to organizations in other countries that offer goods or services to EU citizens.

Wellcome complies with the GDPR. According to the regulation, there are different roles for companies based on how a company interacts with user data. Wellcome is a data processor. This is because we process personal data on behalf of our customers. Our customers are data controllers. As a data processor we have ensured that we are compliant with the GDPR by:

  • Ensuring privacy policy to clearly outlines how we process customers’ data
  • Validating all of our vendors also comply to the GDPR
  • Allowing our customers to request the anonymization of their data

If you have questions about Wellcome’s GDPR compliance, please contact hello@wellcome.me.