Welld Health
Security & Audits

Healthcare-grade security, audited every year.

Welld places data security at the core of our mission. This page is a public overview of how we protect protected health information (PHI) and how we operate the platform — for partners, prospects, and customers.

AICPA SOC 2 Type 2 certification

SOC 2 Type 2 certified by AICPA.

A copy of our SOC report is available to customers and partners under NDA — request access through your account team.

  • SOC 2 Type 2: audited by AICPA; report available to customers and partners on request.
  • HIPAA Compliant: BAAs with infrastructure providers; internal access strictly limited to necessary cases.
  • AWS HIPAA-Eligible: built on AWS HIPAA- and HITRUST-eligible services with end-to-end encryption.
  • U2F + Browser Cert: two-factor authentication required for all staff cloud access, with strong second factors (U2F keys and browser certificates) enforced.

Welld Solution Overview

Welld is a browser-based application deployed as containers running on an Amazon Web Services (AWS) EKS (Kubernetes) cluster configured for HIPAA compliance. The product currently operates three environments:

  • QA — quality assurance in a dedicated AWS development account
  • DEMO — sales and training, in the production account
  • PRODUCTION — customer-facing, in the production account

Security & Availability Architecture

Welld's security posture and high-availability infrastructure are built on AWS in accordance with the AWS shared responsibility model. We use only AWS HIPAA- and HITRUST-eligible services, configured to meet HIPAA and SOC 2 compliance requirements.

Operational controls

Defense in depth, by design.

A non-exhaustive look at the controls that ship with every Welld environment.

Each control is listed with its SOC 2 trust services criterion ID.

  • CC6.1 End-to-end SSL: browser-to-backend encryption, plus a Kubernetes service mesh that encrypts in-cluster traffic.
  • CC6.7 Encrypted at rest: AWS Aurora managed database with data encrypted in flight and at rest, and continuous point-in-time backups.
  • A1.2 Cross-region backups: nightly encrypted backups copied to a secondary region in the production account via AWS Backup.
  • CC6.8 Hardened nodes: AWS-managed Bottlerocket cluster nodes with regular security updates, placed in isolated private subnets.
  • CC7.2 24/7 monitoring: AWS GuardDuty and Datadog Cloud SIEM with continuous alerting and on-call engineering response.
  • CC8.1 GitOps deployments: cluster changes go through source control; staff cannot make direct changes to the cluster.
  • CC7.1 Weekly rebuilds: container base images are rebuilt weekly to pick up upstream security updates.
  • CC6.6 Field-level encryption: sensitive fields are stored encrypted, so they are not readable from the database console, and every request to access them is logged.
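
To make the field-level encryption control (CC6.6) concrete, the following is an added illustration written for this page; it is not Welld's code, and the page gives no implementation details. It shows the general pattern: application-layer encryption of individual sensitive columns with AES-GCM from the Go standard library, so the value stored in the database is opaque in any console, and an audit entry written for every decrypt request whether or not it succeeds. The key source, the audit record shape, the binding of record ID and field name as authenticated data, and the requirement to state a reason before decrypting are all assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"time"
)

// AccessEvent is one audit-log entry for a decrypt request (hypothetical schema).
type AccessEvent struct {
	When    time.Time
	Actor   string
	Record  string
	Field   string
	Reason  string
	Allowed bool // true only if the field was actually decrypted
}

// FieldVault encrypts individual sensitive fields and records every decrypt request.
type FieldVault struct {
	aead cipher.AEAD
	Log  []AccessEvent
}

// NewFieldVault takes a 16-, 24- or 32-byte AES key (in practice from a KMS, assumed here).
func NewFieldVault(key []byte) (*FieldVault, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &FieldVault{aead: aead}, nil
}

// aad binds a ciphertext to its row and column so it cannot be copied elsewhere.
func aad(recordID, field string) []byte { return []byte(recordID + "\x00" + field) }

// Seal encrypts one field value; the stored string is nonce || ciphertext, base64-encoded.
func (v *FieldVault) Seal(recordID, field, plaintext string) (string, error) {
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	ct := v.aead.Seal(nil, nonce, []byte(plaintext), aad(recordID, field))
	return base64.StdEncoding.EncodeToString(append(nonce, ct...)), nil
}

// Open decrypts a field for a named actor and stated reason. The request is
// appended to the audit log on every code path, including failures.
func (v *FieldVault) Open(actor, reason, recordID, field, stored string) (string, error) {
	ev := AccessEvent{When: time.Now().UTC(), Actor: actor, Record: recordID, Field: field, Reason: reason}
	defer func() { v.Log = append(v.Log, ev) }()
	if reason == "" {
		return "", errors.New("access reason required")
	}
	raw, err := base64.StdEncoding.DecodeString(stored)
	if err != nil {
		return "", err
	}
	ns := v.aead.NonceSize()
	if len(raw) < ns {
		return "", errors.New("stored value too short")
	}
	pt, err := v.aead.Open(nil, raw[:ns], raw[ns:], aad(recordID, field))
	if err != nil {
		return "", err // wrong key, tampered value, or value moved to another row/column
	}
	ev.Allowed = true
	return string(pt), nil
}

func main() {
	key := make([]byte, 32) // constructed demo key; a real deployment would fetch it from a KMS
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	v, _ := NewFieldVault(key)
	stored, _ := v.Seal("patient-42", "ssn", "123-45-6789") // constructed sample value
	fmt.Println("as seen in the database console:", stored)
	pt, err := v.Open("oncall@example.test", "support ticket 17", "patient-42", "ssn", stored)
	fmt.Println("decrypted with reason:", pt, err)
	_, err = v.Open("oncall@example.test", "support ticket 17", "patient-43", "ssn", stored)
	fmt.Println("same ciphertext under another record:", err)
	for _, e := range v.Log {
		fmt.Printf("%s actor=%s record=%s field=%s reason=%q allowed=%v\n",
			e.When.Format(time.RFC3339), e.Actor, e.Record, e.Field, e.Reason, e.Allowed)
	}
}
```

The design choice worth noting is that the audit entry is written by a deferred append, so a denied or failed request is logged the same way as a successful one; a log that only records successes would not satisfy "all access requests logged".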

SOC 2 Type 2 Audits

Welld is SOC 2 Type 2 certified by AICPA. A copy of our SOC report is available to customers and partners upon request. Because Welld runs on AWS EKS, our container orchestration platform, we inherit a portion of our SOC 2 report through what the AICPA calls the carve-out method. AWS is also SOC 2 Type 2 audited.

Welld Platform Roles & Permissions

Within Welld, role-based permissions ensure access to electronic protected health information (ePHI) is limited to individuals explicitly granted access by the Client Organization. The Client Organization is responsible for maintaining staff access through the permissions settings.

Corporate HIPAA Compliance

Welld Health is HIPAA compliant. Our compliance spans both our Business Associate Agreements (BAAs) with our infrastructure providers (AWS, Datadog) and our internal processes. Internally, we access ePHI only when strictly necessary for testing, verification, or troubleshooting; even within the database console, sensitive fields are encrypted from casual view, and all access requests are logged.

Demo and QA environments never use real data. When email must be used for patient data, Welld uses Virtru for end-to-end encrypted secure email. Every staff member at client organizations and every Welld employee must complete HIPAA compliance training before being granted access.

Responsible Disclosure

Welld Health commits to securing our product and our customers' data. We encourage you to report any possible vulnerabilities to abuse@welldhealth.com. We will promptly assess findings and take appropriate action. Actions that result in unauthorized access, data tampering, or a negative impact to product availability are prohibited.

Want our SOC 2 report?

Request access via your account team or schedule a demo. We share the full report under NDA with prospective and current customers.