WellnessLiving’s security framework uses policies and practices based on the industry-standard National Institute of Standards and Technology (NIST) framework, and our entire Amazon Web Services (AWS) infrastructure is secured following the best practices published by AWS. Our dedicated security team oversees the various aspects of the company’s defense-in-depth strategy and security program.
The following are some of the components of our security program that we use to protect customer data:
- Cloud Security
- Organizational Security
- Data Protection
- Exposure Management
- Incident Management
Web Application Firewall
Our web application firewall (WAF) secures incoming traffic to our site by proactively blocking malicious requests, including unauthorized access attempts and attacks such as cross-site scripting (XSS) and SQL injection. The WAF is a layer of defense in front of the application; it complements, rather than replaces, secure coding and the vulnerability management described below.
Distributed denial-of-service (DDoS) Protection
WellnessLiving uses an industry-leading DDoS mitigation provider to protect our infrastructure at the edge, and the infrastructure itself is built to remain available under DDoS attack.
WellnessLiving networks are segmented into separate security zones, and traffic between zones is restricted to what has been explicitly authorized.
Logging and Monitoring
WellnessLiving operates a security information and event management (SIEM) system that continuously collects and analyzes log activity for anomalous behavior. Our security operations center (SOC) team provides 24/7 monitoring, investigation, and response to potential threats detected by our systems.
WellnessLiving works with its security partners to turn aggregated security data and shared security knowledge into actionable strategies. This threat intelligence lets us make quick, well-informed security decisions and put preventive measures in place before emerging threats reach us.
Security Awareness Program
Because people are the last line of defense, all staff members at WellnessLiving are trained to recognize the security threats present in day-to-day operations. All staff members must complete a comprehensive security training program at least once a year, and new hires complete it when they start at WellnessLiving. Simulated phishing tests modelled on real phishing attacks are sent periodically to keep staff alert and to confirm that the phishing-reporting process works.
Identity and Access Control
WellnessLiving applies the principle of least privilege (PoLP) when provisioning access, granting staff members only the access their job roles and responsibilities require. Password policies for systems accessed by employees follow the best practices in NIST SP 800-63B, which favors minimum length and screening against known-compromised passwords over composition rules and forced periodic rotation.
Servers and workstations are protected by endpoint detection and response (EDR) and anti-virus (AV) solutions that automatically stop and remediate threats. In addition, servers and workstations are hardened using security best practices, such as requiring authentication to log in and full-disk encryption.
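As an added illustration of what an SP 800-63B-style password policy looks like in code (example code written for this page, not WellnessLiving's own implementation), the Python below validates a user-chosen memorized secret the way SP 800-63B section 5.1.1.2 prescribes and stores it as a salted PBKDF2-HMAC-SHA256 hash. The short blocklist, the context words, the 128-character cap and the 600,000 iteration count are this example's own assumptions; a real verifier loads a full breach-corpus list and tunes the work factor to its hardware.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import unicodedata

MIN_LENGTH = 8          # SP 800-63B 5.1.1.2: user-chosen secrets SHALL be at least 8 characters
MAX_LENGTH = 128        # verifiers SHOULD accept at least 64; the cap itself is this example's choice
PBKDF2_ITERATIONS = 600_000  # this example's choice; 800-63B only sets a floor of 10,000 for PBKDF2

# Constructed stand-in for a breach-corpus / common-password blocklist. A real
# deployment loads millions of entries (e.g. a Have I Been Pwned export).
BLOCKLIST = {"password", "123456", "qwerty", "letmein", "welcome1", "iloveyou"}


def normalize(secret: str) -> str:
    """Unicode-normalize (NFKC) before comparing or hashing, as 800-63B recommends,
    so the same secret typed through a different input method still matches."""
    return unicodedata.normalize("NFKC", secret)


def _has_trivial_run(s: str, run: int = 4) -> bool:
    """True if `s` contains `run` consecutive repeated ('aaaa') or sequential
    ('abcd', '4321') code points, the patterns 800-63B says SHOULD be rejected."""
    for i in range(len(s) - run + 1):
        window = s[i:i + run]
        steps = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if steps in ({0}, {1}, {-1}):
            return True
    return False


def check_secret(secret: str, context_words=()) -> list[str]:
    """Return the reasons a user-chosen memorized secret is rejected; [] means accepted.
    Deliberately imposes NO composition rules (upper/lower/digit/symbol mixes)
    and no expiry, which 800-63B tells verifiers not to require."""
    s = normalize(secret)
    folded = s.casefold()
    reasons = []
    if len(s) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(s) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    if folded in BLOCKLIST:
        reasons.append("appears in the compromised/common password blocklist")
    for word in context_words:                      # service name, username, etc.
        word = normalize(word).casefold()
        if word and word in folded:
            reasons.append(f"contains context-specific word {word!r}")
    if _has_trivial_run(folded):
        reasons.append("contains a repetitive or sequential run")
    return reasons


def hash_secret(secret: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256 (an approved SHA-2 construction). The salt is
    128 bits (800-63B requires at least 32) and is stored beside the digest."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize(secret).encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


def verify_secret(secret: str, salt: bytes, expected: bytes) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    _, digest = hash_secret(secret, salt)
    return hmac.compare_digest(digest, expected)


if __name__ == "__main__":
    for candidate in ("correct horse battery staple", "Password", "abcd1234", "wellnessliving2024"):
        verdict = check_secret(candidate, context_words=["WellnessLiving"]) or "accepted"
        print(f"{candidate!r}: {verdict}")
```

Note that `check_secret` accepts an all-lowercase passphrase and rejects a short, "complex" one; that inversion of the old composition-rule mindset is the point of 800-63B. The other verifier requirement in the same section, throttling failed authentication attempts, belongs in the login path rather than in this validation function.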
WellnessLiving products and data are hosted in AWS data centers. AWS, which also hosts some of the most highly regulated industries in the world, holds compliance certifications and attestations including ISO 27001, PCI DSS, and SOC 2. These cover the physical facilities and underlying infrastructure; under the AWS shared responsibility model, the controls above that layer remain WellnessLiving's responsibility and are described in the rest of this document. For more information about AWS data center controls, see Amazon Web Services’ Data Center Controls.
All communications with WellnessLiving services are encrypted in transit by default. All databases and file storage containing sensitive data are encrypted at rest. All data encryption performed at WellnessLiving is required to use NIST-approved cryptographic standards and configurations, such as TLS 1.2/1.3, AES, and SHA-2/SHA-3.
Customer data is backed up daily using incremental backups that support point-in-time recovery for up to 30 days. Long-term snapshots are also taken and retained for up to one year.
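As an added example of how a "TLS 1.2/1.3 with AES" transit policy is expressed and checked in practice (example code written for this page, not WellnessLiving's configuration), the Python below builds a hardened `ssl` client context next to a deliberately permissive one and audits the cipher suites each would negotiate. The policy constants, in particular the `ECDHE+AESGCM:DHE+AESGCM` cipher string, are this example's assumptions; the audit uses only `ssl.SSLContext.get_ciphers()`, which reports both TLS 1.2 and TLS 1.3 suites.

```python
import ssl

# Policy values assumed for this example: TLS 1.2 as the floor, and for TLS 1.2
# only forward-secret key exchange with AES-GCM, i.e. AEAD suites using SHA-2.
APPROVED_MIN_VERSION = ssl.TLSVersion.TLSv1_2
APPROVED_TLS12_CIPHERS = "ECDHE+AESGCM:DHE+AESGCM"
LEGACY_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}


def hardened_client_context(cafile=None) -> ssl.SSLContext:
    """Client context that refuses anything below TLS 1.2, offers only AEAD
    (AES-GCM) suites for TLS 1.2, and always verifies certificate and hostname."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = APPROVED_MIN_VERSION
    ctx.maximum_version = ssl.TLSVersion.TLSv1_3
    ctx.set_ciphers(APPROVED_TLS12_CIPHERS)   # TLS 1.3 suites are not affected by this call
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def legacy_client_context() -> ssl.SSLContext:
    """The weak counterpart: every suite OpenSSL knows, including CBC/SHA-1 ones,
    and no certificate verification. Shown only so the audit has something to flag."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers("ALL")
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def cipher_violations(ctx: ssl.SSLContext) -> list:
    """Names of enabled suites that are not AEAD or that belong to a legacy protocol.
    Each entry from get_ciphers() is a dict with 'name', 'protocol' and 'aead' keys."""
    return [
        c["name"]
        for c in ctx.get_ciphers()
        if not c["aead"] or c["protocol"] in LEGACY_PROTOCOLS
    ]


def meets_policy(ctx: ssl.SSLContext) -> bool:
    """True when the context enforces the version floor, verifies peers and
    offers no non-compliant cipher suites."""
    return (
        ctx.minimum_version >= APPROVED_MIN_VERSION
        and ctx.verify_mode == ssl.CERT_REQUIRED
        and not cipher_violations(ctx)
    )


if __name__ == "__main__":
    for label, ctx in (("hardened", hardened_client_context()), ("legacy", legacy_client_context())):
        bad = cipher_violations(ctx)
        print(f"{label}: policy {'OK' if meets_policy(ctx) else 'FAILED'}, "
              f"{len(bad)} non-compliant suite(s) {bad[:3]}")
```

One caveat the audit makes visible: Python's `ssl` module cannot narrow the TLS 1.3 suite list, so `TLS_CHACHA20_POLY1305_SHA256` stays enabled alongside the AES-GCM suites. It is AEAD, so `cipher_violations` does not flag it, but an environment that must use only NIST-approved algorithms has to disable it at the OpenSSL configuration level (`Ciphersuites` in openssl.cnf) or in the server's TLS terminator.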
Disaster Recovery and Business Continuity Plan
The availability and resiliency of the platform are of the utmost importance at WellnessLiving. We have an in-depth disaster recovery and business continuity plan (DRBCP) to prevent or minimize data loss and to ensure that critical services recover within an appropriate period of time after any significant service disruption. The DRBCP includes an infrastructure built following the Reliability pillar of the AWS Well-Architected Framework, classification of data, and testing of backups.
Security Scanning and Monitoring
WellnessLiving uses reputable security tools to run regular dynamic web application vulnerability scans and to monitor all internet-facing assets 24/7. Our internal systems are continuously monitored for vulnerabilities and for compliance with security best practices.
All vulnerability findings are reviewed, logged in our tracking system, and prioritized according to risk. To assist with prioritization, WellnessLiving compares recent vendor announcements, releases, and vulnerability disclosures against our existing inventory and vulnerability data. Remediation of each vulnerability is tracked until it is fixed.
WellnessLiving runs a weekly patching cycle to remediate vulnerability-related findings across all systems. For server infrastructure, patches must be tested in non-production environments before being deployed to production. For critical threats and vulnerabilities, an emergency patching procedure is in place so that identified risks are remediated as soon as possible.
Incident Response Plan
WellnessLiving has an in-depth Incident Response Plan (IRP) based on the guidelines in NIST SP 800-61 Rev. 2. Documented response playbooks for different incident types keep our response to security incidents efficient, repeatable, and continually improving.
Incident Response Team
WellnessLiving has a dedicated security team available to respond to any incidents that occur. Working with our security partners, our security team is backed by knowledgeable and accomplished incident managers who are available 24/7 to assist when needed.
In the event of a data breach, WellnessLiving has policies in place to guide the organization in notifying affected individuals in accordance with applicable privacy laws such as HIPAA, PIPEDA, GDPR, and CCPA.
WellnessLiving undergoes independent third-party SOC 2 audits to evaluate and provide assurance to our customers that the organization’s policies, procedures, and controls are designed and operating appropriately to meet our security, availability, and confidentiality commitments.
SOC 2 reports are attestation examinations that provide detailed information and assurance about a service organization’s controls, and they must be performed by a licensed certified public accountant (CPA) firm.
WellnessLiving undergoes independent third-party HIPAA audits to ensure the organization’s compliance with the HIPAA Security and Privacy Rules.
Please note that although WellnessLiving provides HIPAA-compliant software systems to businesses and clients, businesses using our software must also ensure that their own business practices adhere to HIPAA requirements. For more information, see HIPAA compliance.
The scope in which PCI DSS applies to WellnessLiving is limited, because we do not store or process payment card information and instead rely on our merchant processing partners to provide payment services. To ensure our processing partners are compliant with PCI DSS, they are required to provide assurance through a PCI Attestation of Compliance (AOC).
Please note that although WellnessLiving provides software and access to our merchant processing partners to assist with PCI compliance, businesses are required to ensure that their own environment and practices comply with PCI DSS. For more information, see PCI compliance.