Security and Compliance Statement

Wellovis Inc. is committed to protecting the confidentiality, integrity, and availability of all data stored on our platform, especially personal health information entrusted to us by regulated health professionals, wellness practitioners, and their clients.

Document Version History

Version | Date          | Summary of changes
1.0     | April 7, 2026 | Initial publication — all products covered including Wellovis Connect, Wellovis Hours, Wellovis Hours Supervisor, and Wellovis GO+

1. Regulatory Compliance Framework

Regulation / Framework | Applicability
PHIPA (Ontario) | Personal Health Information Protection Act, 2004 — governs PHI collected, used, and disclosed by health information custodians in Ontario
PIPEDA (Federal) | Personal Information Protection and Electronic Documents Act — governs collection of personal information in commercial activities across Canada
CPPA (Federal — forthcoming) | Consumer Privacy Protection Act — will replace PIPEDA upon proclamation; Wellovis is monitoring and will update practices accordingly
CRPO / CPBAO / COTO / OCSWSSW | Ontario regulatory college requirements for regulated health professionals including supervision logging and record-keeping standards; applicable to mental health colleges (CRPO, CPBAO, COTO, OCSWSSW) and other regulated health profession colleges
PCI-DSS | Payment Card Industry Data Security Standard — compliance maintained via Stripe (PCI-DSS Level 1 certified)
AWS BAA (HIPAA-Eligible Services) | Business Associate Agreement with Amazon Web Services covering HIPAA-eligible services including AWS Bedrock — governs PHI processed via AI features

2. Encryption

2.1 Data in Transit

  • All communications use TLS 1.2 or higher
  • HTTPS enforced across all endpoints — HTTP automatically redirected
  • Video session streams use DTLS/SRTP encryption
  • API communications use TLS with certificate pinning where applicable

2.2 Data at Rest

  • All databases and storage volumes encrypted using AES-256
  • Encryption keys managed through AWS Key Management Service (KMS) with regular rotation
  • Database backups encrypted prior to storage
  • Stripe tokenizes all payment card data — Wellovis stores only the last 4 digits and card expiry
  • On-device data in GO+ uses device hardware-level encryption

3. Access Controls

3.1 Subscriber-Level Controls

  • Role-based access control (RBAC): Practitioners, Administrators, Supervisors, and Students each have differentiated permission sets
  • Each Subscriber account has a unique, account-specific login URL not discoverable from the main website
  • Multi-factor authentication (MFA) supported and recommended for all accounts
  • Automatic session timeout after configurable period of inactivity
  • Administrators can restrict chart, billing, and scheduling access on a per-user basis
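The following is an added example, not Wellovis code, showing how the three controls listed above (role-based permission sets, per-user restrictions applied by an Administrator, and an inactivity timeout) combine into a single authorization decision. The role names come from the statement; the permission strings, the 15-minute default timeout and the `authorize` function are assumptions made for illustration.

```python
"""Added example (not Wellovis code): role-based permission sets, per-user
restrictions and an inactivity timeout combined into one authorization check.
Permission names and the default timeout are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Assumed baseline permission set per role (constructed for this example).
ROLE_PERMISSIONS = {
    "Administrator": {"chart:read", "chart:write", "billing:read", "billing:write",
                      "scheduling:read", "scheduling:write", "users:manage"},
    "Practitioner": {"chart:read", "chart:write", "billing:read",
                     "scheduling:read", "scheduling:write"},
    "Supervisor": {"chart:read", "scheduling:read"},
    "Student": {"chart:read", "scheduling:read"},
}


@dataclass
class User:
    username: str
    role: str
    # Permissions an Administrator has removed for this specific user.
    restricted: set = field(default_factory=set)


@dataclass
class Session:
    user: User
    last_activity: datetime
    idle_timeout: timedelta = timedelta(minutes=15)  # configurable per account

    def is_expired(self, now):
        return now - self.last_activity >= self.idle_timeout


def effective_permissions(user):
    """Role baseline minus per-user restrictions; an unknown role gets nothing."""
    return ROLE_PERMISSIONS.get(user.role, set()) - user.restricted


def authorize(session, permission, now):
    """Return (allowed, reason). The check order matters: an expired session is
    refused before any permission lookup, and a restricted permission is refused
    even though the role would normally grant it. Activity on a granted request
    extends the session; a denied request does not."""
    if session.is_expired(now):
        return False, "session expired"
    if permission in effective_permissions(session.user):
        session.last_activity = now
        return True, "granted"
    return False, "permission denied"


def demo():
    """Constructed scenario: an Administrator has restricted a Practitioner's
    billing access; the Practitioner then works, and later returns after idling."""
    t0 = datetime(2026, 4, 7, 9, 0, tzinfo=timezone.utc)
    practitioner = User("jdoe", "Practitioner", restricted={"billing:read"})
    session = Session(practitioner, last_activity=t0)
    return {
        "chart": authorize(session, "chart:read", t0 + timedelta(minutes=5)),
        "billing": authorize(session, "billing:read", t0 + timedelta(minutes=6)),
        "users": authorize(session, "users:manage", t0 + timedelta(minutes=7)),
        "after_idle": authorize(session, "chart:read", t0 + timedelta(minutes=30)),
    }


if __name__ == "__main__":
    for step, (allowed, reason) in demo().items():
        print(f"{step:>10}: {'allow' if allowed else 'deny '} ({reason})")
```

Every decision is returned with its reason rather than raised, so the caller can write both grants and denials to the audit log described in Section 4.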

3.2 Wellovis Internal Access

  • Production system access restricted to authorized personnel only
  • All staff with potential access to PHI required to sign confidentiality agreements
  • Staff access to Protected Content logged and auditable
  • Production access uses MFA and privileged access management (PAM) controls

4. Audit Logging

Every user action within a Subscriber account is recorded, including chart access, edits, note creation, billing changes, and login events. Logs are linked to specific user accounts, retained securely, and tamper-evident. Account owners and administrators can access activity logs filtered by user, date, and action type. This supports compliance with PHIPA accountability obligations and regulatory college auditing requirements.
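As an added example (not Wellovis code), the block below shows one common way to make an audit log tamper-evident: each entry carries a SHA-256 hash over its own content and the previous entry's hash, so editing or removing an earlier entry breaks the chain. It also shows the user/date/action filter an administrator would run, and the one case a bare hash chain does not catch on its own: truncating the tail. The event fields, action names and the sample entries are constructed for this example.

```python
"""Added example (not Wellovis code): a hash-chained, append-only audit log
with verification and filtered queries. Event shapes are assumptions."""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # previous-hash value for the first entry


def _digest(body):
    # Canonical JSON so the hash does not depend on key order.
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class AuditLog:
    def __init__(self):
        self.entries = []

    def record(self, user, action, target, at):
        """Append one event; its hash covers the previous hash and its own content."""
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"seq": len(self.entries), "user": user, "action": action,
                "target": target, "at": at.isoformat(), "prev": prev}
        digest = _digest(body)
        self.entries.append({**body, "hash": digest})
        return digest

    def head(self):
        """Hash of the latest entry; store this somewhere the log writer cannot
        modify (an anchor) to detect tail truncation."""
        return self.entries[-1]["hash"] if self.entries else GENESIS

    def verify(self):
        """Recompute the chain. Return the index of the first inconsistent entry,
        or None if every entry is intact and correctly linked."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            if body["seq"] != i or body["prev"] != prev or _digest(body) != e["hash"]:
                return i
            prev = e["hash"]
        return None

    def query(self, user=None, action=None, start=None, end=None):
        """Filter by user, action type and inclusive date range, as an
        administrator's activity-log view would."""
        out = []
        for e in self.entries:
            at = datetime.fromisoformat(e["at"])
            if user is not None and e["user"] != user:
                continue
            if action is not None and e["action"] != action:
                continue
            if start is not None and at < start:
                continue
            if end is not None and at > end:
                continue
            out.append(e)
        return out


def demo():
    """Constructed sample events, then two simulated tampering attempts."""
    t = datetime(2026, 4, 7, 9, 0, tzinfo=timezone.utc)
    log = AuditLog()
    log.record("admin1", "login", "-", t)
    log.record("jdoe", "chart.read", "client:42", t.replace(hour=10))
    log.record("jdoe", "note.create", "client:42", t.replace(hour=10, minute=20))
    log.record("admin1", "billing.update", "invoice:7", t.replace(hour=11))
    anchor = log.head()                       # copied off-system in a real deployment

    result = {
        "jdoe_events": len(log.query(user="jdoe")),
        "morning_events": len(log.query(start=t, end=t.replace(hour=10, minute=30))),
        "intact": log.verify(),
    }
    log.entries[1]["target"] = "client:99"    # simulate an in-place edit
    result["edited_at"] = log.verify()
    log.entries[1]["target"] = "client:42"    # restore
    del log.entries[-1]                       # simulate truncating the tail
    result["truncated_chain"] = log.verify()  # None: the chain alone cannot see this
    result["truncated_anchor"] = log.head() == anchor  # False: the anchor can
    return result


if __name__ == "__main__":
    print(demo())
```

The anchor is the important operational detail: a hash chain only proves that whatever remains is internally consistent, so the latest hash should be periodically written somewhere the log writer cannot alter (a separate account, a signed timestamp, or a write-once store) for deletions at the end of the log to be detectable.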

5. Backup and Business Continuity

  • Automated encrypted backups run daily, with weekly and monthly snapshots retained
  • Backups stored across multiple AWS availability zones for geographic redundancy
  • Recovery Time Objective (RTO): 4 hours for critical systems (target, subject to validation through periodic testing)
  • Recovery Point Objective (RPO): 24 hours (daily backup cycle)
  • Disaster recovery procedures tested on a regular basis
  • Subscribers can export their data at any time from within the platform

6. Vulnerability Management

  • Regular vulnerability assessments of platform and infrastructure
  • Third-party penetration testing performed periodically
  • Security patches applied on a risk-prioritized basis
  • Dependencies audited for known vulnerabilities (CVE monitoring)
  • Development practices follow secure coding guidelines (OWASP Top 10)

7. AI Security — AWS Bedrock

  • All AI inference routed through AWS Bedrock within Canadian AWS region (ca-central-1)
  • PHI transmitted to Bedrock subject to TLS 1.2+ encryption
  • No PHI cached, logged, or stored by Anthropic — Bedrock API requests are stateless
  • Anthropic does not use API data to train or improve its models
  • AI feature usage captured in Subscriber audit logs
  • AI features are access-controlled — only authorized Subscribers can invoke AI tools

8. Incident Response

Wellovis maintains a documented Security Incident Response Plan (SIRP). Security incidents are detected through monitoring systems and triaged within 24 hours. In the event of a confirmed breach involving PHI, Wellovis will notify affected Subscribers without undue delay and no later than 72 hours after confirmed discovery, in accordance with PHIPA. Post-incident reviews are conducted to identify root cause and implement corrective measures.

To report a security concern or suspected breach: privacy@wellovis.com

9. Third-Party Vendor Security

Vendor | Security posture
AWS | SOC 2 Type II, ISO 27001, CSA STAR Level 2; Canadian data residency maintained; HIPAA BAA executed
Anthropic (via AWS Bedrock) | No data retention on API calls; no model training on API data; covered under AWS BAA
Stripe | PCI-DSS Level 1 Service Provider; annual SOC 2 Type II audit
Ant Media Server | Self-hosted on Wellovis AWS environment; DTLS/SRTP encrypted streams
Sentry (self-hosted) | Self-hosted on AWS Canada; no third-party data transfer; anonymized diagnostic data only

Wellovis is committed to pursuing SOC 2 Type II certification. In the interim, security architecture documentation, vendor certifications, and penetration testing summaries are available to enterprise Subscribers upon execution of a mutual NDA.

10. Subscriber Responsibilities

Wellovis provides infrastructure and tools to support compliance. Tier 1 Subscribers remain the health information custodians under PHIPA. Tier 2 Subscribers remain responsible for compliance with PIPEDA and any applicable wellness industry standards. Subscribers are responsible for:

  • Maintaining confidentiality of account credentials and never sharing login access
  • Configuring appropriate user access permissions within their accounts
  • Obtaining valid client consent for collection and storage of health information in Wellovis
  • Complying with their regulatory college’s record-keeping and supervision requirements
  • Reporting any suspected security incidents or unauthorized access to Wellovis promptly
  • Device security when using Wellovis GO+ (see Section 5.3)

11. Ongoing Compliance Reviews

Wellovis reviews its security and compliance posture at least annually, including review of this statement, assessment of legislative changes, internal access control audits, and staff security awareness training.

12. Contact

Email: privacy@wellovis.com

Website: www.wellovis.com

For enterprise or institutional procurement security reviews, contact us at privacy@wellovis.com to request our security overview package.