Security & Compliance
MyWellnessID handles protected health information that ends up in front of opposing counsel, adjusters, and the court. Security and a defensible chain of custody are core to the product, not an afterthought.
Last updated · May 14, 2026
Our compliance posture
1. Encryption
Data is encrypted in transit using TLS and encrypted at rest. Records, wearable data, and assessment responses are protected from the moment they are retrieved through export.
2. Access controls and authentication
Access is role-based and scoped to a firm and its own matters: one firm can never see another firm’s cases or clients. We follow least-privilege principles for internal access, and account access supports modern authentication safeguards.
3. Audit trail and chain of custody
Every record action (request, receipt, structuring, and export) is timestamped and logged. That audit trail and chain of custody travel with the evidence package so the provenance of each document can be demonstrated. The methodology behind the Evidence Strength Score is disclosed in the package appendix.
4. Infrastructure and hosting
The platform runs on U.S.-based cloud infrastructure with environment segregation between production and non-production systems. Infrastructure providers that handle protected health information do so under written agreements.
5. Data minimization and plaintiff consent
Collection is plaintiff-directed and limited to what each plaintiff authorizes. We retrieve records through the appropriate FHIR R4 request pathways and collect wearable and assessment data only from sources the plaintiff chooses to connect or complete. See the Privacy Policy for detail.
6. Subprocessors
We rely on a vetted set of subprocessors including cloud hosting, record-retrieval and provider-discovery partners, wearable data providers, and case management integrations. Subprocessors that handle protected health information are bound by written agreements with confidentiality and security obligations.
7. Monitoring and vulnerability management
We monitor platform activity, apply security updates, and review the platform and its dependencies for vulnerabilities on an ongoing basis.
8. Incident response and breach notification
We maintain an incident response process. In the event of a security incident affecting protected health information, we will notify affected firms and cooperate consistent with the HIPAA Breach Notification Rule and applicable state law.
9. Responsible disclosure
If you believe you have found a security vulnerability, please report it to support@mywellnessid.com with enough detail to reproduce the issue. Please do not publicly disclose it until we have had a reasonable opportunity to investigate and respond.
Need a BAA on file?
Firms can obtain a Business Associate Agreement at no charge before exchanging protected health information through the platform. Request a BAA.