Security
Last updated: April 2026
Our approach
Wellora handles sensitive information about families applying for Medicaid Home Help benefits. We design our systems around two principles: collect only what we need, and protect it in depth. This page describes the technical and organizational measures we use today. We will update it as our program matures.
Infrastructure
Wellora runs on Google Cloud Platform (GCP) in the United States (us-central1 region). Our application is deployed on Cloud Run as a containerized service. All data is stored in Google-managed services (Firestore, BigQuery, Cloud Storage) located within U.S. data centers.
Encryption
- In transit: All traffic to and from Wellora is encrypted using TLS 1.2 or higher, with HSTS enforced on our public domains.
- At rest: All databases and object storage are encrypted at rest using AES-256 with Google-managed keys.
- Voice and telephony: Calls placed through our AI specialist use provider-managed TLS and SRTP-equivalent transport for media streams.
Access controls
- Access to production systems is limited to a small number of authorized engineers, authenticated with multi-factor authentication.
- Deployments run through Workload Identity Federation — our CI/CD pipeline holds no long-lived service account keys.
- Role-based access controls (RBAC) are enforced in our dashboard via Firebase Authentication with custom claims (`owner`, `operator`, `viewer`).
- Internal databases are accessed through service accounts with the minimum permissions required for each job.
Data minimization
During an initial eligibility check, we collect only a first name, phone number, and state. We do not collect Social Security numbers, Medicare ID numbers, or bank account information during the eligibility check. Sensitive identifiers, when later required to submit an application on your behalf, are collected directly by our licensed human specialists under a separate authorization.
Phone numbers used for analytics are hashed (SHA-256) before being stored in our event log, so the raw number is never queried for product metrics.
Audit logging
Every customer-facing action by a Wellora worker — human or AI — is recorded as a structured event. Logs include who took the action, what was done, and when. Call recordings and transcripts are retained for a minimum of two years for compliance and quality assurance.
Monitoring and response
We monitor infrastructure and application logs continuously for anomalies and security events. If we discover a confirmed security incident affecting your information, we will notify you as required by applicable federal and state law. If you believe you have found a security issue, please contact us at security@wellora.care.
Sub-processors
We use a limited set of trusted third-party providers to operate our service. Each is contractually bound to handle your information only as needed to provide its service and to meet applicable security standards.
| Provider | Purpose | Location |
|---|---|---|
| Google Cloud Platform | Application hosting, Firestore, BigQuery, Cloud Storage | United States |
| Google (Gemini API) | AI language model for eligibility conversations | United States |
| Retell AI | Real-time voice telephony for AI specialist calls | United States |
| Twilio | SMS delivery (nurture reminders, opt-out handling) | United States |
| Firebase Authentication | Operator dashboard sign-in | United States |
| Google Workspace | Internal email and document collaboration | United States |
| Vercel | Public website hosting | United States |
| Meta & Google Ads | Advertising conversion measurement (hashed identifiers only) | United States |
We will update this list as our sub-processors change. Material additions affecting your personal information will be reflected here with a revised “Last updated” date.
Compliance posture
Wellora is a young company. We have implemented the controls described above and are building toward formal third-party attestations (SOC 2, HIPAA program documentation) as we scale. If you represent a health plan, provider, or partner and need additional diligence materials, please email security@wellora.care.