Security at Welloca

As a business data application, we recognise the importance of excellent security practices. While we are a small team, we work hard to punch above our weight on security. This document covers our security practices and policies. If you are interested in the data we collect and store, please see our privacy policy.

Security is at the heart of our business

We are Cyber Essentials certified.

Cyber Essentials is an effective, Government-backed, self-assessed minimum standard scheme that protects against the most common cyber attacks. View our Cyber Essentials certification.


General Practices

  • Access to servers, source code, and third-party tools is secured with two-factor authentication.
  • We use strong, randomly-generated passwords that are never re-used.
  • Employees and contractors are given the lowest level of access that allows them to get their work done. This rarely includes access to production systems or data.
  • We use automatic security vulnerability detection tools to alert us when our dependencies have known security issues. We are aggressive about applying patches and deploying quickly.
  • We don't copy production data to external devices (like personal laptops).

Access control and organisational security


Our employees and contractors sign an NDA before gaining access to sensitive information.

Penetration testing

We have proactive penetration testing performed monthly. The last assessment concluded that "the security posture of the Welloca Platform was found to be in line with industry's best practices." If you'd like a copy of the results, get in touch.


Each user can use a publicly accessible signup link to set up a new account with their email and password. User passwords are hashed using bcrypt before being stored.

When a user logs in, they are given a 20-byte authentication token, generated with the SecureRandom tool in the Ruby Standard Library. The token is invalidated after 30 days of inactivity.

All further interaction with the API is done by providing an Authorization header with this token.
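The token lifecycle described above, sketched as an added example (this is not Welloca's code): a 20-byte SecureRandom token is issued at login, presented in the Authorization header, and rejected after 30 days of inactivity. The `TokenStore` class, the in-memory hash, the `Bearer` scheme and storing only a SHA-256 digest of the token are all assumptions made for illustration.

```ruby
require "securerandom"
require "digest"

# Hypothetical in-memory token store; a real app would use a database table.
class TokenStore
  TOKEN_BYTES = 20                      # token size stated on the page
  INACTIVITY_LIMIT = 30 * 24 * 60 * 60  # 30 days, in seconds

  def initialize
    @sessions = {} # SHA-256(token) => { user_id:, last_used_at: }
  end

  # Issue a token at login. Only its digest is kept (an assumption, not
  # something the page states), so a leaked table yields no usable tokens.
  def issue(user_id, now: Time.now)
    token = SecureRandom.hex(TOKEN_BYTES) # 20 random bytes, 40 hex chars
    @sessions[digest(token)] = { user_id: user_id, last_used_at: now }
    token
  end

  # Resolve an Authorization header to a user id, or nil when rejected.
  # The "Bearer" scheme is assumed; the page does not name one.
  def authenticate(header, now: Time.now)
    token = header.to_s[/\ABearer ([0-9a-f]{#{TOKEN_BYTES * 2}})\z/, 1]
    return nil unless token

    key = digest(token)
    session = @sessions[key]
    return nil unless session

    if now - session[:last_used_at] > INACTIVITY_LIMIT
      @sessions.delete(key) # idle too long: invalidate for good
      return nil
    end

    session[:last_used_at] = now # activity slides the 30-day window
    session[:user_id]
  end

  private

  def digest(token)
    Digest::SHA256.hexdigest(token)
  end
end
```

Because each successful request refreshes `last_used_at`, the 30 days count from the last use rather than from login, which is what "inactivity" implies.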


All access to the Welloca Platform is only permitted over SSL connections. Personally identifiable data you insert into the Welloca Platform is encrypted in transit and at rest. We use Active Record Encryption in a non-deterministic manner.

When we say "end-to-end", we mean it in the way you'd expect: your data is not (and cannot be!) decrypted by anything other than the clients involved in the data transaction. Stated another way: the only people that can see anything that happens are the individuals with authenticated private keys.

All communication between the Welloca clients and our backend is encrypted with TLS 1.2. Our backend server is managed by Scalingo and uses their Automated Certificate Management service. User data is stored in Scalingo Postgres and details of their implementation can be found here.

Metadata about app usage is stored in Plausible using their API. Details of their security processes can be found in their Data Policy.

Data retention/logging

  • Logs are stored separately from our backend infrastructure in a private Scalingo logging area.
  • These logs are retained for 30 days, after which they are permanently deleted.
  • Application analytics can be permanently deleted on request.

Software development practices

  • Code written by any developer is signed off by at least one other person before committing.
  • Code is tested in a staging environment against a QA checklist before deploying to production.
  • The Welloca mobile apps are code-signed with our Apple/Google developer IDs.
  • The Welloca mobile apps are automatically scanned for malware and notarized by Apple on every deploy. See Apple's notarization service for details.

Vulnerability detection

Both the client and our backend are regularly scanned for dependencies with known security vulnerabilities. Vulnerable dependencies are patched and redeployed rapidly.


Our backend server is hosted on Scalingo, which runs on top of using hardware located in data centres in France. Outscale's data center operations have been accredited under:

  • ISO 27001
  • ISO 27017 and ISO 27018


What user data do you collect?

We're not in the business of making money off of data. We do collect information about how users are interacting with our app so we can improve the product and provide faster, more effective support when issues arise. These events include:

  • Sign-In and Sign-Out events
  • Interaction with features of the app (e.g. appointment scheduling, switching hosts)
  • Crashes and other errors
  • Changes in network availability status
  • Changes in connectivity state with our backend server and peers

In addition, the following metadata is collected by Plausible:

  • The user's operating system version
  • The user's display dimensions

Users are identified in our system by their email address and are asked to provide a name. We don't attempt to collect any demographic information, and don't log IP addresses on incoming connections.

How do I report a potential vulnerability or security concern?

We are continually engaged with a team of researchers in a private bug bounty program and therefore do not provide compensation for independent reports. However, if you have a concern please email us at, which will notify us very loudly and we'll get back to you ASAP.

Are you SOC 2 or ISO 27001 certified?

We are SOC 2 certified and our security team have a wealth of experience with the ISO 27001 standard.

Do you conduct background checks on your employees/contractors?

Yes. All employees sign an NDA and undergo a background check before starting.

What insurance do you carry?

  • Professional indemnity insurance for technology companies
  • Public and products liability insurance (technology)
  • Employers liability insurance
  • Cyber and data insurance
  • Personal accident insurance
  • Commercial legal protection insurance
  • Crisis containment
  • Hiscox Business Insurance

Any further questions?

Great! Please contact us and we'll help you out.