Built for trust. Designed for care.
WellAI handles sensitive health and wellness data. We take that responsibility seriously with industry-standard security practices and regulatory compliance.
PIPEDA Compliant
Canadian privacy law
HIPAA Aligned
US health data standards
SOC 2 Practices
Enterprise security controls
How We Protect Data
Encryption in Transit & at Rest
All data is encrypted using TLS 1.3 in transit and AES-256 at rest. Database connections use SSL. No unencrypted data leaves our systems.
Data Isolation
Each facility's data is logically isolated using row-level security (RLS) in our database. Staff from one facility cannot access data from another.
Audit Trail
Every access to resident data is logged with actor identity, timestamp, and action type. Audit logs are immutable and available to facility administrators.
Role-Based Access Control
Staff access is controlled by role (admin, manager, nurse, carer, viewer). Each role has specific permissions — nurses can't change billing, viewers can't edit residents.
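The facility isolation and role-based permissions described above can both be expressed as Postgres row-level security policies. The following is an added illustration written for this page, not WellAI's actual schema or policies; it assumes a Supabase-style database where each user's JWT carries hypothetical `app_metadata.facility_id` and `app_metadata.role` claims, and a `residents` table with a `facility_id` column.

```sql
-- Added illustration; not WellAI's real schema. Assumes the request JWT carries
-- app_metadata.facility_id and app_metadata.role (hypothetical claim names).
create table residents (
  id          bigint generated always as identity primary key,
  facility_id uuid not null,
  full_name   text not null,
  phone       text not null
);

alter table residents enable row level security;
alter table residents force row level security;  -- the table owner is not exempt

-- Read the claims once per statement from the request JWT (auth.jwt() is Supabase's accessor).
create or replace function current_facility_id() returns uuid
language sql stable as $$
  select (auth.jwt() -> 'app_metadata' ->> 'facility_id')::uuid
$$;

create or replace function current_role_name() returns text
language sql stable as $$
  select auth.jwt() -> 'app_metadata' ->> 'role'
$$;

-- Facility isolation: every role, viewer included, only sees rows from its own facility.
create policy residents_select_own_facility on residents
  for select to authenticated
  using (facility_id = current_facility_id());

-- Role-based writes: viewers are excluded; all other roles may write, but WITH CHECK
-- rejects any row whose facility_id is not the caller's, so data cannot cross facilities.
create policy residents_write_staff on residents
  for all to authenticated
  using (facility_id = current_facility_id()
         and current_role_name() in ('admin', 'manager', 'nurse', 'carer'))
  with check (facility_id = current_facility_id()
              and current_role_name() in ('admin', 'manager', 'nurse', 'carer'));
```

Policies like these only bind connections that go through the authenticated role; a service-role or superuser connection bypasses RLS entirely, so that credential must never be exposed to client applications.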
Incident Response
Automated monitoring detects anomalies. Staff are alerted within seconds of any distress detection, no-response, or system health issue.
Infrastructure
Hosted on enterprise-grade infrastructure with automated backups, SSL certificates, and DDoS protection. Database hosted on Supabase (AWS infrastructure, SOC 2 Type II certified).
PIPEDA Compliance
WellAI complies with Canada's Personal Information Protection and Electronic Documents Act (PIPEDA). Our practices include:
What Data We Process
| Data Type | Purpose | Retention |
|---|---|---|
| Resident name & phone | Identify and contact residents for check-ins | Until resident removed |
| Check-in responses (SMS/voice) | Wellness monitoring, sentiment analysis | 12 months |
| Sentiment scores & mood data | Trend analysis, risk detection, reports | 12 months |
| Staff contact info | Alert routing, shift management | Until staff removed |
| Facility configuration | System operation, scheduling | Duration of service |
| Audit logs | Compliance, incident investigation | 24 months |
| Payment information | Billing (processed by Stripe, not stored by WellAI) | Managed by Stripe |
Documents for Facilities
Data Processing Agreement
Standard DPA for facilities. Covers data handling, security obligations, and breach notification.
Resident Consent Form
Template consent form for residents or their legal representatives. Ready to print and customize.
Questions about compliance?
Our team is available to discuss your specific security and compliance requirements.
compliance@wellai.ca