WellnessLiving’s security framework is built on policies and practices derived from the industry-standard National Institute of Standards and Technology (NIST) framework.
Additionally, our entire Amazon Web Services (AWS) infrastructure is secured following the best practices outlined by AWS. Our dedicated security team oversees all aspects of the company’s defense-in-depth strategy and overall security program.
Below are key components of our security program designed to protect customer data.
Cloud security
Web application firewall
Our web application firewall (WAF) secures incoming traffic by proactively blocking malicious activity, including unauthorized access attempts and attacks such as cross-site scripting (XSS) and SQL injection.
Distributed denial-of-service protection
WellnessLiving partners with an industry-leading provider of distributed denial-of-service (DDoS) mitigation solutions to protect our infrastructure at the network edge. Our infrastructure is designed to be resilient against all forms of DDoS attacks.
Network segmentation
WellnessLiving’s networks are segmented into distinct security zones, with communications between zones restricted to authorized traffic only.
Logging and monitoring
WellnessLiving uses a Security Information and Event Management (SIEM) system to continuously monitor and analyze log activity for any anomalies. Our Security Operations Center (SOC) team provides 24/7 monitoring, investigation, and response to potential threats identified by our systems.
Threat intelligence
WellnessLiving collaborates with trusted security partners to transform aggregated security data and collective knowledge into actionable strategies. This threat intelligence allows us to make informed, timely security decisions and proactively address cyber threats before they occur.
Organizational security
Security awareness program
As the final line of defense, all WellnessLiving staff are thoroughly educated on protecting our organization against security threats in day-to-day operations. Employees must complete comprehensive security training at least once annually, with new hires completing the training upon joining. We also conduct simulated phishing tests, modeled to replicate real-world attacks, to ensure staff remain vigilant and that our phishing reporting processes function effectively.
Identity and access control
WellnessLiving adheres to the principle of least privilege (PoLP) when granting access, ensuring employees are only authorized to access the systems necessary for their job roles. Our password policies are in line with best practices outlined in NIST 800-63B.
Endpoint protection
Our servers and workstations are safeguarded by endpoint detection and response (EDR) solutions, along with anti-virus (AV) software that automatically detects and remediates threats. Additionally, servers and workstations are hardened using security best practices, including password requirements and full disk encryption.
Data protection
Data centers
WellnessLiving’s products and data are hosted in AWS data centers, which are trusted by some of the most highly regulated industries worldwide. AWS holds multiple compliance certifications, including ISO 27001, PCI-DSS, and SOC 2. For further information about AWS data center controls, see Amazon Web Services’ Data Center Controls.
Data encryption
All communications with WellnessLiving services are encrypted in transit by default. Encryption at rest is applied to all databases and file storage containing sensitive data. Our encryption practices comply with NIST-approved cryptographic standards, such as TLS 1.2/1.3, AES, and SHA-2/SHA-3.
Backups
Customer data is backed up daily using incremental backups that support point-in-time recovery for up to 30 days. We also perform long-term snapshots, which are retained for up to one year.
Disaster recovery and business continuity plan
The availability and resilience of our platform are of the utmost importance. WellnessLiving has a comprehensive Disaster Recovery and Business Continuity Plan (DRBCP) to minimize data loss and ensure critical services can be restored quickly following a significant disruption. The DRBCP covers infrastructure designed around AWS’s reliability pillars, data classification, and backup testing.
Exposure management
Security scanning and monitoring
WellnessLiving uses reputable security tools to conduct regular dynamic web application vulnerability scans and 24/7 monitoring of all internet-facing assets. Our internal systems are continuously monitored for vulnerabilities and adherence to security best practices.
Vulnerability management
All identified vulnerabilities are reviewed, logged, and prioritized based on risk. To assist with prioritization, we cross-reference vulnerability data with recent security advisories and system inventories. Remediation efforts are tracked until each issue is resolved.
System patching
We operate a weekly patching cycle to address vulnerabilities across all systems. For server infrastructure, patches are first tested in non-production environments before deployment to production systems. An emergency patching procedure is also in place to quickly address critical threats as needed.
Incident management
Incident response plan
WellnessLiving maintains an Incident Response Plan (IRP) based on NIST SP 800-61 Rev 2 guidelines. Our documented response playbooks ensure that our reaction to security incidents is efficient, repeatable, and continuously improving.
Incident response team
Our dedicated security team is available 24/7 to respond to incidents. Supported by knowledgeable incident managers, the team works in conjunction with our security partners to address any issues swiftly and effectively.
Breach notification
In the event of a data breach, WellnessLiving follows strict policies to notify affected individuals in compliance with applicable privacy laws, including HIPAA, PIPEDA, GDPR, and CCPA.
Compliance
SOC 2
WellnessLiving undergoes independent third-party SOC 2 audits to verify that our policies, procedures, and controls are effectively designed and operating to meet our security, availability, and confidentiality commitments. Our SOC 2 Type 2 report, prepared by a certified public accountant (CPA) firm, is available upon request for current customers or businesses considering our software.
HIPAA
WellnessLiving undergoes third-party HIPAA audits to ensure compliance with the HIPAA Security and Privacy Rules.
Please note that while WellnessLiving provides HIPAA-compliant software systems, businesses using our software must ensure their practices are also HIPAA-compliant.
PCI-DSS
The scope of PCI-DSS compliance for WellnessLiving is limited, as we do not store or process payment card information. Instead, we rely on our merchant processing partners to handle payment transactions. These partners must provide a PCI-DSS Attestation of Compliance (AOC).
Please note that while WellnessLiving supports PCI compliance through our software and merchant processing partners, businesses are responsible for ensuring their own compliance with PCI-DSS requirements. For more information, see PCI compliance.