Empowering a Secure and Private Wellness Journey

At Sworkit Health, our mission extends beyond promoting wellness; we’re dedicated to safeguarding your data. As a leader in digital health, offering fitness, mindfulness, nutrition, and wellness solutions, we understand the importance of data security and privacy in building trust.

Our platform is built on stringent security measures and compliance with top industry standards, including SOC-2 Type 2, GDPR, and HIPAA. This ensures not only the effectiveness of our services but also their reliability and trustworthiness.

We believe in the power of wellness supported by a foundation of trust. By integrating advanced security practices, we ensure your journey towards better health is protected and private.

Our Commitment to Compliance and Data Protection

sworkit comliance

SOC-2 Type 2: This certification is a testament to our commitment to maintaining the highest standards of security, availability, processing integrity, confidentiality, and privacy. Sworkit Health adheres to rigorous protocols to safeguard our services and customer data, ensuring trust and reliability in our digital health solutions.

GDPR: At Sworkit Health, we embrace the principles of the General Data Protection Regulation to guarantee robust data protection and privacy for our users in the European Union. Our practices prioritize user rights, offering transparency and control over personal data in accordance with EU standards.

HIPAA: Compliance with the Health Insurance Portability and Accountability Act underscores our dedication to protecting sensitive patient health information. Sworkit Health implements stringent security measures and policies to ensure the confidentiality, integrity, and availability of patient data, aligning with the highest standards of care and privacy.

Our Comprehensive Security and Privacy Framework

At Sworkit Health, we uphold an extensive list of policies designed to protect and manage data with the utmost care. Our framework reflects a deep commitment to security, privacy, and operational excellence:

  • Code of Conduct: Sets the ethical and behavioral standards for our team, ensuring integrity in all actions.
  • Information Security Policy (AUP): Governs the protection of our information assets against unauthorized access, disclosure, alteration, and destruction.
  • Information Security Roles and Responsibilities: Defines the duties and expectations for our team members in maintaining our security posture.
  • Asset Management Policy: Ensures proper classification, handling, and protection of company assets.
  • Data Management Policy: Outlines the procedures for managing data lifecycle, from creation to disposal, ensuring data integrity and confidentiality.
  • Physical Security Policy: Secures our facilities and hardware against physical threats and unauthorized access.
  • Risk Management Policy: Identifies, evaluates, and mitigates risks to our operations and assets.
  • Third-Party Management Policy: Manages risks associated with external vendors and service providers.
  • Cryptography Policy: Guides the use of cryptographic controls for protecting the confidentiality, authenticity, and integrity of data.
  • Incident Response Plan: Establishes procedures for effectively responding to security incidents to minimize impact.
  • GDPR Compliance Policy: Ensures our practices are in full compliance with GDPR, protecting the privacy of EU citizens.
  • GDPR Incident Response Plan: Details our approach to promptly addressing and reporting data breaches under GDPR.
  • HIPAA Compliance Policy: Demonstrates our adherence to HIPAA standards for safeguarding sensitive patient health information.

Each policy is crafted with diligence, ensuring Sworkit Health’s operations align with industry best practices and regulatory requirements, thus safeguarding our community’s trust and wellbeing.

Our Security Measures and Controls

Application & Interface Security: Ensures secure development, deployment, and maintenance of our applications, protecting against threats to user data.


Application Security

  • Implements robust source code analysis and security scanning protocols on a daily basis to detect and rectify security vulnerabilities before deployment. This includes a comprehensive review process for applications to address security concerns, ensuring a secure product release.

Customer Access Requirements

  • Strictly manages customer access to data and systems by thoroughly assessing and resolving all security, contractual, and regulatory requirements beforehand, ensuring secure and compliant access.

Data Integrity

  • Maintains data integrity through regular, automated audits, verifying the accuracy and consistency of stored data, thereby safeguarding against unauthorized modifications.
Audit Assurance & Compliance: Demonstrates our adherence to internal and external audit requirements, ensuring compliance with industry standards.


Independent Audits

  • Engages with external auditors to conduct thorough assessments of network and application security, providing transparency through access to audit reports and conducting regular penetration testing in line with best industry practices.

Information System Regulatory Mapping

  • Proactively reviews and adjusts security documentation and policies on a quarterly basis to remain aligned with evolving regulatory requirements, ensuring continuous compliance.
Business Continuity Management & Operational Resilience: Prepares for, responds to, and recovers from disruptive incidents to maintain service continuity.


Business Continuity Testing

  • Regularly tests and updates contingency plans to guarantee organizational resilience and the continuous delivery of services under various scenarios.

Policy

  • Develops and maintains comprehensive policies supporting the roles essential for service operations, ensuring readiness and response efficiency.

Retention Policy

  • Implements strict data retention and backup policies, using tools to enforce and test data preservation and recovery protocols annually for robustness.
Change Control & Configuration Management: Manages changes to system and software configurations, minimizing risks to system integrity and security.


Unauthorized Software Installations

  • Enforces strict controls to prevent unauthorized software installations, including rigorous approval processes and monitoring protocols to ensure software integrity and security.
Data Security & Information Lifecycle Management: Protects data throughout its lifecycle, from creation and storage to disposal, ensuring data integrity and confidentiality.


E-commerce Transactions

  • Secures e-commerce transactions using standardized, high-grade encryption methods for data transmission over public networks, ensuring the protection of sensitive information.

Nonproduction Data

  • Adopts strict policies to prevent the copying or use of actual customer data in non-production environments, emphasizing the secure handling and deletion of data.
Datacenter Security: Secures our physical and virtual data centers against unauthorized access and environmental hazards.


Asset Management

  • Maintains an accurate inventory of all critical assets with defined ownership, employing automated tools for inventory management to ensure asset integrity and security.

Controlled Access Points

  • Implements comprehensive physical security measures, including controlled access points to secure sensitive data and system areas, suitable for organizations handling high volumes of sensitive information.

User Access

  • Adheres to stringent physical access controls for data center environments, ensuring only authorized personnel can access critical infrastructure, thereby protecting against unauthorized entry.
Encryption & Key Management: Utilizes encryption and secure key management practices to protect data in transit and at rest.


Key Generation

  • Facilitates secure encryption practices by allowing for the generation of unique encryption keys per tenant, ensuring that customer data is safeguarded with individualized keys.

Encryption

  • Applies strong encryption standards for protecting sensitive customer data at rest, employing industry-recognized encryption protocols to ensure data confidentiality and integrity.
Governance and Risk Management: Establishes a governance framework to identify, assess, and manage security risks.


Baseline Requirements

  • Regularly reviews and updates all security policies and procedures, ensuring they reflect current best practices and compliance with regulatory requirements, fostering a secure and compliant operational environment.

Policy

  • Ensures that all personnel are aware of and understand the security policies through comprehensive distribution and mandatory acknowledgment, reinforcing a culture of security and compliance.
Human Resources: Incorporates security awareness and training for employees, along with managing personnel security through the employee lifecycle.


Training / Awareness

  • Mandates annual security awareness training for all employees, emphasizing the importance of security best practices and compliance with company policies to maintain a vigilant and informed workforce.

Background Screening

  • Conducts comprehensive background checks for all new hires in compliance with legal standards, ensuring the integrity and reliability of the workforce.

Employment Agreements

  • Incorporates confidentiality and data protection clauses in employment contracts, reinforcing the commitment to secure handling of information.

Employment Termination

  • Has established protocols for addressing changes in employment status, including secure termination procedures to protect information and assets.
Identity & Access Management: Controls user access to systems and data through authentication, authorization, and accounting.


Audit Tools Access

  • Implements strict policies and logging mechanisms to regulate and monitor access to security management systems, ensuring controlled and recorded usage.

User Access Policy

  • Enforces a policy of removing unnecessary business access to maintain a secure and minimal access environment, adhering to the principle of least privilege.

Policies and Procedures

  • Maintains robust policies and procedures for managing user access levels, ensuring that access is granted based on authorization and necessity.

Source Code Access Restriction

  • Restricts access to source code to authorized personnel only, maintaining strict control over who can view and modify the codebase.

User Access Restriction / Authorization

  • Implements stringent procedures to document and enforce user access restrictions, ensuring that access is granted based on the principle of least privilege.

User Access Reviews

  • Conducts regular reviews and validations of user entitlements to ensure ongoing compliance and alignment with access policies.

User Access Revocation

  • Ensures timely de-provisioning of user access rights upon employment termination or role change, maintaining security and control over access rights.
Infrastructure & Virtualization Security: Protects the infrastructure and virtualized environments from threats, ensuring the security of servers, networks, and cloud services.


Audit Logging / Intrusion Detection

  • Utilizes advanced intrusion detection systems (IDS) and restricts access to audit logs to ensure the integrity and confidentiality of log data.

Clock Synchronization

  • Adheres to protocols for uniform time synchronization across systems using Network Time Protocol (NTP), ensuring accurate and consistent time-stamping.

OS Hardening and Base Controls

  • Maintains and reviews operating system hardening standards annually to ensure a secure and robust infrastructure against potential vulnerabilities.

Production / Non-Production Environments

  • Enforces strict segregation between production and non-production environments, maintaining formal inventories and access controls.

Segmentation

  • Implements network segmentation and regular reviews of firewall rulesets to ensure secure and controlled network access.

VMM Security – Hypervisor Hardening

  • Applies rigorous security controls for virtual machine monitors (VMMs) and hypervisors, enforcing access controls and technical safeguards.

Wireless Security

  • Establishes secure wireless network protocols with strong encryption standards to protect against unauthorized access and data breaches.
Security Incident Management, E-Discovery, & Cloud Forensics: Manages the identification, investigation, and remediation of security incidents, along with legal discovery and forensic analysis in cloud environments.


Incident Management

  • Regularly tests and updates the incident response plan to ensure effective management and mitigation of security incidents.

Incident Reporting

  • Requires prompt reporting of security events by all personnel, fostering a culture of vigilance and immediate response.

Incident Response Legal Preparation

  • Incorporates confidentiality and data protection clauses in employment contracts, preparing legally for potential incidents and data breaches.
Supply Chain Management, Transparency, and Accountability: Manages security risks associated with the supply chain, ensuring transparency and accountability from third-party providers.


Incident Reporting

  • Facilitates electronic logging and communication of security incidents, ensuring prompt and accurate incident documentation.

Network / Infrastructure Services

  • Monitors the capacity and usage of cloud hosting services to maintain operational efficiency and security.

Third Party Agreements

  • Integrates security commitments into third-party agreements, ensuring vendors adhere to the same high standards of security.

Supply Chain Metrics

  • Provides transparency on operational performance and service level agreements (SLAs) to tenants, ensuring accountability in the supply chain.

Third Party Audits

  • Conducts annual reviews and audits of third-party providers to ensure compliance with security standards and practices.
Threat and Vulnerability Management: Identifies, assesses, and mitigates vulnerabilities and threats to maintain the security and integrity of systems and data.


Antivirus / Malicious Software

  • Installs and maintains robust antivirus and anti-malware solutions across the infrastructure to protect against malicious software threats.

Vulnerability / Patch Management

  • Implements a proactive vulnerability and patch management program to identify and address security vulnerabilities in a timely manner.

Mobile Code

  • Manages and controls the use of mobile code to prevent unauthorized or harmful code execution on the organization’s systems.


Our Trusted Subprocessors

At Sworkit Health, we partner with leading technology providers to ensure the highest quality of service and security for our members. Below is a list of our subprocessors, detailing their roles and the nature of their data processing activities on our behalf.

SubprocessorAddressDuration of the ProcessingSubject Matter and Nature of the Processing
Google, LLC601 N. 34th Street Seattle, Washington 98103ContinuousGoogle Cloud Services, Firestore, Firebase, & Analytics for member data and API services.
Intercom Inc.55 2nd Street, 4th Floor, San Francisco, CA 94105ContinuousConversational support, marketing, and engagement for members.

Our commitment to your privacy includes careful selection of subprocessors who adhere to the highest standards of data protection and security.

Request More Information

Have questions about our security measures or privacy policies? We’re here to provide the clarity and assurance you need. Whether you’re seeking more detailed information on our compliance standards, interested in our security protocols, or wish to review a copy of our SOC-2 Type 2 or CAIQ Lite reports, our team is ready to assist.

Contact Us to Learn More

For all inquiries related to security and privacy, please reach out to us directly at privacy@sworkit.com. Your trust and confidence in our services are paramount, and we’re committed to maintaining open, transparent communication regarding our security and privacy efforts.

We look forward to addressing your questions and ensuring your peace of mind as you continue your wellness journey with Sworkit Health.