Security

Wellvana Health, LLC, together with our affiliates and subsidiaries (“Wellvana,” “us,” “our,” or “we”), is committed to protecting the data entrusted to us by our partners, patients, and their providers. This Security Policy describes the administrative, technical, and physical safeguards we maintain to protect personal information—including protected health information (“PHI”)—across our website, mobile applications, and other online and offline services (together, the “Services”).

This Security Policy supplements our Privacy Policy and Terms of Use, which govern your use of our Services. To the extent this Security Policy addresses topics also covered by our Privacy Policy or Terms of Use, those documents control in the event of any conflict.

Security Culture

Security is not just a feature of our technology—it is embedded in how we operate. Wellvana maintains a formal information security program overseen by our Chief Technology Officer. Every employee, from operations staff to our CEO, is responsible for protecting the data entrusted to us.

All employees complete mandatory Cybersecurity and HIPAA training at the time of hire and annually thereafter. We maintain open communication channels for reporting security questions or concerns, conduct regular phishing exercises, and distribute updated security policies and ongoing security reminders to reinforce a culture of vigilance.

Security and Compliance Certifications

Wellvana maintains independent, third-party certifications to validate the effectiveness of our information security program. Our current certifications include:

HITRUST R2 Certification

Wellvana holds a HITRUST Risk-based, 2-year (r2) Certification under the HITRUST CSF® v11.2.0. The certification covers the Wellvana Platform and supporting infrastructure and is valid through June 13, 2026. HITRUST r2 is the gold standard in healthcare information security, incorporating controls from HIPAA, NIST, ISO 27001, and other frameworks into a single, comprehensive assessment.

SOC 2 Type II

Wellvana has completed a SOC 2 Type II examination in accordance with the AICPA’s Trust Services Criteria for Security. The most recent examination, conducted by Prescient Assurance LLC, covered the period from December 10, 2024 through March 10, 2025 and resulted in an unqualified opinion.

NIST Cybersecurity Framework

Wellvana has achieved NIST Cybersecurity Framework certification through the HITRUST Assurance Program. Based on the results of our HITRUST r2 Validated Assessment, HITRUST determined that the maturity of our implemented controls meets its criteria for NIST Cybersecurity Framework certification. This certification is valid through June 13, 2026.

Prospective and existing partners may request copies of our certification reports under a nondisclosure agreement by contacting security@wellvana.com.

Layers of Defense

Wellvana’s infrastructure is protected by multiple layers of defense, consistent with the defense-in-depth strategy reflected in our HITRUST and SOC 2 programs. Additionally, our security program operates in strict compliance with HIPAA Security Rule standards. Our security architecture includes the following:

•       At-rest data encryption using AES-256

•       In-transit data encryption using TLS 1.2 or higher

•       Automated failover capabilities

•       Auto-scaling infrastructure

•       Recurring data snapshots and backup procedures

•       Adoption of a Business Continuity & Disaster Recovery Plan

•       Intrusion detection and prevention systems

•       Multi-factor authentication (MFA) and single sign-on (SSO) support

•       Distributed denial-of-service (DDoS) mitigation

•       External penetration testing

•       Security patch management

•       Secure software development lifecycle processes

•       Security information and event management (SIEM) with anomaly and threat detection

•       Vulnerability scanning

•       Web application firewalls

Additional information about our security controls is available upon request.

Vulnerability Disclosure

Wellvana values the work of independent security researchers who help us maintain the security of our systems and the data we protect.

If you are a security researcher who has discovered a potential vulnerability in Wellvana’s systems, please report it to security@wellvana.com. Please include sufficient detail to allow us to reproduce and validate the issue.

We ask that researchers act in good faith, avoid accessing or modifying data belonging to others, and allow us a reasonable period to investigate and remediate reported issues before any public disclosure. Wellvana will not pursue legal action against researchers who discover and report vulnerabilities in compliance with these guidelines.

At this time, Wellvana does not offer monetary rewards for vulnerability reports.

Reporting Suspected Security Issues

If you suspect a security issue involving Wellvana’s Services, or if you believe your Wellvana credentials may have been compromised, please contact us immediately at security@wellvana.com.

Data Protection and Privacy

We ground our privacy commitments in strong data governance practices so that our partners and their patients can trust us to protect the confidentiality of their information. Our security controls are designed to automatically prevent, detect, and respond to threats before they reach the data we are entrusted to protect.

For information about how we collect, use, and disclose personal information—including PHI—please review our Privacy Policy. Our privacy practices are designed to comply with the Health Insurance Portability and Accountability Act (“HIPAA”) and applicable state privacy laws. We encourage you to review our Privacy Policy and your provider’s HIPAA Notice of Privacy Practices.

Contact

For questions about this Security Policy or Wellvana’s security practices, please contact us at security@wellvana.com.

This Security Policy was last updated March 31, 2026.
