Welina Security & Privacy Overview

Welina is built on the same AlohaABA platform and privacy practices described in our Privacy Policy and is designed to protect large volumes of sensitive and confidential information, including Protected Health Information (PHI). We use industry-standard encryption, layered network security, strict access controls, and ongoing monitoring to keep customer data safe. 

What is the security level of the Welina Web App and Mobile Apps? 

Welina is secured by a modern, layered security architecture: 
  1. All traffic between your browser/mobile app and our servers uses HTTPS (TLS) so data is encrypted in transit. 
  2. Data is encrypted at rest in our databases and backups. 
  3. Our web and API endpoints are fronted by Cloudflare’s Web Application Firewall (WAF), DDoS, and Bot Protection. 
  4. Our production infrastructure is protected by FortiGate next-generation firewalls around our private VPC/VPN. 
  5. Access to PHI is tightly restricted with role-based access controls (RBAC) and strict internal Identity and Access Management (IAM) practices. 
  6. The Welina WebApp currently receives an A+ rating from the Qualys SSL Labs SSL Server Test, reflecting a strong TLS configuration and modern ciphers/protocols.
  7. The Welina API at api.welinaaba.com currently receives an A+ rating from SecurityHeaders.com and returns modern browser security headers such as Strict-Transport-Security, Content-Security-Policy, X-Frame-Options, Referrer-Policy, and Permissions-Policy.

How do you protect data in transit? 

All communication between user devices (web browsers and mobile apps) and the Welina platform is encrypted in transit using HTTPS (TLS 1.2 or TLS 1.3). Our existing Privacy Policy describes that AlohaABA applications communicate over SSL-secured connections (today, TLS) using public-key encryption and that we follow generally accepted industry standards to protect data during transmission. Welina follows and extends those same practices:
  1. Only HTTPS endpoints are exposed; plain HTTP requests are redirected to HTTPS or refused. 
  2. Traffic is encrypted end-to-end: from visitors’ browsers to Cloudflare over HTTPS, and from Cloudflare to our origin servers over HTTPS in Cloudflare “Full (Strict)” mode, in which the edge validates the origin server’s certificate rather than accepting any certificate. 
  3. Strict-Transport-Security (HSTS) is enabled, so once a browser has seen the header it refuses to connect over plain HTTP for the lifetime of the max-age, even if a user types an http:// address.
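
The transit and header controls above (HSTS, the redirect from HTTP, and the browser security headers listed for the API) can be checked mechanically. The following is an added example, not Welina’s code: it audits a response’s header set offline against the properties described on this page. The two header sets are constructed for illustration and are not captured responses from app.welinaaba.com or api.welinaaba.com.

```python
"""Offline audit of browser security headers and an HTTP->HTTPS redirect.
Added example; the HARDENED_HEADERS / WEAK_HEADERS below are constructed,
not captured from any Welina endpoint."""
from typing import Dict, List
from urllib.parse import urlsplit

ONE_YEAR = 31536000  # HSTS max-age in seconds commonly required for an A+ grade
SAFE_REFERRER_POLICIES = {
    "no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin",
}


def parse_hsts(value: str) -> Dict[str, object]:
    """Parse 'max-age=31536000; includeSubDomains; preload' into a dict."""
    out: Dict[str, object] = {}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if not name:
            continue
        if name == "max-age":
            try:
                out["max-age"] = int(arg.strip().strip('"'))
            except ValueError:
                out["max-age"] = -1  # unparseable max-age is treated as absent
        else:
            out[name] = True
    return out


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a CSP into {directive-name: [sources...]}."""
    directives: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def audit_security_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means every check passed.
    Header names are matched case-insensitively, as browsers match them."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS missing: a first request over http:// is not upgraded")
    else:
        parsed = parse_hsts(hsts)
        max_age = parsed.get("max-age", -1)
        if max_age < ONE_YEAR:
            findings.append(f"HSTS max-age {max_age} is below one year")
        if "includesubdomains" not in parsed:
            findings.append("HSTS lacks includeSubDomains: subdomains remain downgradeable")

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("Content-Security-Policy missing")
    else:
        directives = parse_csp(csp)
        if "default-src" not in directives:
            findings.append("CSP has no default-src fallback")
        # script-src inherits from default-src when it is not set explicitly
        scripts = directives.get("script-src", directives.get("default-src", []))
        if "'unsafe-inline'" in scripts:
            findings.append("CSP allows inline scripts ('unsafe-inline')")
        if "frame-ancestors" not in directives and "x-frame-options" not in h:
            findings.append("no clickjacking protection: neither frame-ancestors nor X-Frame-Options")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not 'nosniff'")

    referrer = h.get("referrer-policy", "").lower()
    if referrer not in SAFE_REFERRER_POLICIES:
        findings.append(f"Referrer-Policy {referrer!r} may leak URLs (and any identifiers in them) cross-origin")

    if "permissions-policy" not in h:
        findings.append("Permissions-Policy missing")
    return findings


def redirect_is_safe(status: int, location: str, expected_host: str) -> bool:
    """True when an http:// request was answered with a permanent redirect to
    the https:// version of the same host (the 'HTTP is redirected' property)."""
    if status not in (301, 308):
        return False
    target = urlsplit(location)
    return target.scheme == "https" and target.hostname == expected_host


# Constructed sample header sets (not real captures).
HARDENED_HEADERS = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; frame-ancestors 'none'; object-src 'none'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}
WEAK_HEADERS = {
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src 'self' 'unsafe-inline'",
    "Referrer-Policy": "unsafe-url",
}

if __name__ == "__main__":
    for name, hdrs in (("hardened", HARDENED_HEADERS), ("weak", WEAK_HEADERS)):
        print(name, audit_security_headers(hdrs) or ["all checks passed"])
    print(redirect_is_safe(301, "https://api.example.com/", "api.example.com"))
```

Running this against a real response means feeding the response’s header dictionary to `audit_security_headers` and the HTTP redirect’s status and `Location` to `redirect_is_safe`; the weak sample produces seven findings, the hardened sample none. Note that the HSTS check can only confirm the header is served; the very first plain-HTTP visit is protected only by the redirect (or by HSTS preloading), which is why both controls are listed above.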

How do you protect data at rest?

We encrypt data at rest at the infrastructure and database layer and restrict who and what can reach the stored data: 
  1. Primary, secondary and standby databases are encrypted.
  2. Automated database backups are encrypted. 
  3. Databases are hosted on private networks and are not directly exposed to the internet.
  4. Access to databases is restricted to application services and a small group of authorized operations staff.
  5. Backups are stored in secure, access-controlled, and encrypted cloud storage locations.

How do Cloudflare WAF and FortiGate Firewalls protect Welina (Control Plane and Data Plane)?

We use a layered network security model that clearly separates Control Planes (where policies and rules are defined) from Data Planes (where live traffic flows and is enforced). By separating Control Planes from Data Planes and combining Cloudflare at the global edge with FortiGate at the VPC/VPN perimeter, we can provide both DDoS/bot protection at the edge and strong perimeter defense around our core infrastructure.
  1. Cloudflare (Edge Protection and WAF) 
    1. Cloudflare Data Plane (Traffic Path): All HTTPS traffic to app.welinaaba.com and api.welinaaba.com first flows through Cloudflare’s global edge network. At this data-plane layer, Cloudflare’s Web Application Firewall (WAF), DDoS protection, and bot management features inspect and filter each request in real time. 
    2. Cloudflare Control Plane (Policy and Rules): Our security and DevOps teams manage WAF rules, DDoS thresholds, bot rules, rate limits, and access lists from the Cloudflare dashboard and APIs. This control plane is where we centrally define and adjust security policies based on current threats and traffic patterns, without changing application code. 
  2. FortiGate Firewall (VPC/VPN Perimeter and Segmentation) 
    1. FortiGate Data Plane: After traffic is accepted by Cloudflare, it is forwarded to our private cloud network (VPC/VPN), where FortiGate next-generation firewalls enforce security policies at the data plane. 
    2. FortiGate Control Plane: VPC/VPN routing, segmentation, site-to-site and remote access VPNs, and firewall rulesets are defined in the FortiGate control plane. This is where we manage overall network topology and security policies that govern how data flows between DMZ segments, app tiers, and data tiers.

How do you control who inside Welina can see PHI? 

We apply strict Identity and Access Management (IAM) and least-privilege principles:
  1. Role-based access controls (RBAC) within the application ensure users see only the staff, clients, sessions, session notes, and data appropriate to their role and organization.
  2. Access to production systems and PHI is limited to a small, trained subset of staff with a legitimate operational need.
  3. Access is logged and monitored, and permissions are reviewed periodically to ensure they remain appropriate. 
  4. Development, QA, Staging and Production environments are separated to minimize exposure of real PHI outside production. 
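
The first and third points above (role- and organization-scoped visibility, with every access decision logged) are the kind of check an application enforces server-side on every request. The following is an added illustration, not Welina’s code: the role names (`org_admin`, `supervisor`, `technician`), record fields and sample data are constructed for the example, and the in-memory log stands in for a real audit log.

```python
"""Illustrative organization-scoped RBAC check for client records.
Added example, not Welina's code: role names, record shapes and sample
data are constructed; AccessLog is a stand-in for a real audit log."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List

# Hypothetical role names. ORG_WIDE roles see every client in their own
# organization; ASSIGNED_ONLY roles see only clients they support or oversee.
ORG_WIDE_ROLES = frozenset({"org_admin"})
ASSIGNED_ONLY_ROLES = frozenset({"supervisor", "technician"})


@dataclass(frozen=True)
class User:
    user_id: str
    org_id: str
    role: str
    assigned_clients: FrozenSet[str] = frozenset()


@dataclass(frozen=True)
class ClientRecord:
    client_id: str
    org_id: str


@dataclass
class AccessLog:
    """Every decision, allow or deny, is recorded so access can be reviewed later."""
    entries: List[Dict[str, str]] = field(default_factory=list)

    def record(self, user: User, client: ClientRecord, decision: str, reason: str) -> None:
        self.entries.append({
            "user": user.user_id, "client": client.client_id,
            "decision": decision, "reason": reason,
        })


def can_view_client(user: User, client: ClientRecord, log: AccessLog) -> bool:
    """Deny by default. The organization boundary is checked before the role,
    so an assignment can never grant access to another organization's client."""
    if user.org_id != client.org_id:
        log.record(user, client, "deny", "cross-organization")
        return False
    if user.role in ORG_WIDE_ROLES:
        log.record(user, client, "allow", "org-wide role")
        return True
    if user.role in ASSIGNED_ONLY_ROLES and client.client_id in user.assigned_clients:
        log.record(user, client, "allow", "assigned client")
        return True
    # Unknown roles and unassigned clients fall through to a denial.
    log.record(user, client, "deny", "not assigned or unknown role")
    return False


def visible_clients(user: User, records: List[ClientRecord], log: AccessLog) -> List[str]:
    """Filter a record set down to what this user may see; done on the server,
    never by hiding rows in the client."""
    return [r.client_id for r in records if can_view_client(user, r, log)]


def decisions_for(user: User, records: List[ClientRecord]) -> List[str]:
    """Return the logged decision for each record, in record order (for review)."""
    log = AccessLog()
    visible_clients(user, records, log)
    return [e["decision"] for e in log.entries]


# Constructed sample data.
RECORDS = [ClientRecord("c1", "orgA"), ClientRecord("c2", "orgA"), ClientRecord("c3", "orgB")]
ADMIN_A = User("u1", "orgA", "org_admin")
TECH_A = User("u2", "orgA", "technician", frozenset({"c1"}))
SUPERVISOR_B = User("u3", "orgB", "supervisor", frozenset({"c1", "c3"}))  # c1 is orgA's client
AUDITOR_A = User("u4", "orgA", "auditor", frozenset({"c1"}))  # role not defined above

if __name__ == "__main__":
    log = AccessLog()
    for u in (ADMIN_A, TECH_A, SUPERVISOR_B, AUDITOR_A):
        print(u.user_id, u.role, visible_clients(u, RECORDS, log))
    print(sum(e["decision"] == "deny" for e in log.entries), "denials logged")
```

Two cases are worth noticing: the supervisor in orgB is assigned `c1` but still cannot see it, because the organization check runs first, and the `auditor` role is denied everything because it is not in either role set. Unknown roles failing closed is what keeps a new or mistyped role from silently widening access.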

How do you manage PHI, HIPAA, and Business Associates? 

Welina and the underlying AlohaABA platform are designed for ABA providers and treat client information as PHI. We follow HIPAA privacy and security principles and, where we use third-party services that process PHI, we treat them as Business Associates and put Business Associate Agreements (BAAs) in place. 

How do you handle backups, business continuity, and data retention? 

To protect against data loss and support business continuity: 
  1. We perform regular encrypted backups of production databases. 
  2. Backups are stored in secure, access-controlled locations and tested for restorability.
  3. We maintain processes for restoring data from backups in the event of failure or data corruption. 
  4. Data retention aligns with our Privacy Policy and with applicable clinical, legal, and regulatory requirements. 
  5. When data is no longer required, we securely delete it or de-identify it in accordance with our retention policy. 