Wellola: Secure Patient Engagement & Communications Solutions

Wellola’s patient portal software revolutionises the way hospitals & clinics care for & communicate with their patients, reducing costs/no shows.

Patient self-scheduling for in-clinic & telecare appointments. Offer patients access to real-time care via video consultation, secure messaging, educational materials within your own branded app. Easy integration using FHIR/HL7 API


  • Patient Portal- branded to customer needs
  • Online Booking for in-person or e-visit sessions with appointment reminders
  • Optional Online Payment Facility: at reservation, e-invoicing, in video call
  • Video Consultation via SMS/ email or in-app
  • Secure Messaging
  • GDPR-compliant Correspondence (provider to patient & provider)
  • Store images and documents with client file
  • Client Library- upload ongoing educational material
  • Branded to customers requirements (white-labelled solution)
  • FHIR/ HL7 API available where required


  • Increase Patient Engagement & Self Management of Care
  • Reduce Postage Costs, Reduce No-Show Rates
  • Facilitate Ease Of Payment For Private Patients
  • Make care more accessible, convenient, increase compliance, reach under-serviced communities
  • Messaging Therapy and/or Secure File Sharing online or in-app
  • Expedite & Centralise Communications with Patients & their Providers
  • Secure File Share/ Storage - move to paperless process
  • Facilitate Chronic Patient Population. Compliment online education with real-time care
  • Easy Set Up. Improve Patient Experience
  • Industry Best Practice to allow for interoperability with existing systems


£29 per licence per month

Service documents

G-Cloud 11



Sonia Neary



Service scope

Service scope
Software add-on or extension Yes, but can also be used as a standalone service
What software services is the service an extension to Fully interoperable with EHR and healthcare software systems via FHIR/HL7 API
Cloud deployment model Hybrid cloud
Service constraints Critical to Wellola is ensuring a 24x7x365 service without interruption delivered in a manner that minimises unplanned interruptions for our customers.

We aim for business continuity for our clients; any pre-planned interruptions are kept to a minimum and effectively devised to ensure the least possible impact on service users during agreed maintenance or software updates.
System requirements
  • Works on all web connected devices (PC, Mobile, Tablet)
  • Works on all browsers
  • Password protected
  • Capacity for incumbent systems to offer API integration where possible

User support

User support
Email or online ticketing support Email or online ticketing
Support response times We offer a 24 hour response time to technical and customer support queries
User can manage status and priority of support tickets Yes
Online ticketing support accessibility None or don’t know
Phone support Yes
Phone support availability 24 hours, 7 days a week
Web chat support Web chat
Web chat support availability 24 hours, 7 days a week
Web chat support accessibility standard None or don’t know
How the web chat support is accessible The chat badge is a special launcher that allows a customer to get support from a chat agent immediately. It appears as a pop up within the webpage.
Web chat accessibility testing All on-screen elements are visually distinctive and at high contrast. All elements are named appropriately for screen readers, and no interactive elements are known to cause issues with assisted input devices. We have not yet certified with WCAG, but this is in progress.
Onsite support Onsite support
Support levels Wellola rates include all hosting costs, customer service & technical support.

For the discovery and implementation phases of any project roll out we offer onsite and off-site project manager(s), dedicated senior developer(s) and customer support.

24/7 support, is available through phone, email, SMS. Enterprise Client Account Managers will manage all interactions, but the client can choose to directly contact engineering team if they so wish
Support available to third parties Yes

Onboarding and offboarding

Onboarding and offboarding
Getting started Our overarching aim at Wellola is to service our customers with a platform that is as accessible as possible. The clinic software is simple to set up from the clinician's perspective & requires minimal prior computer experience. Features & functionality can be removed or pre-set.
The patient portal has been designed with simplicity in mind. e­-Visit via text link aims to ensure equity in enhanced service provision.

We have a wealth of resources (user guides, videos, webinars, screenshare demos) available to help familiarise you with Wellola under the 'Support' tab on www.wellola.ocm. They cover a wide range of topics in a variety of formats to best match our customers on-boarding needs.
Service documentation Yes
Documentation formats
  • HTML
  • PDF
  • Other
Other documentation formats
  • Easy Set Up Wizard
  • Video set up guides
  • Screen share demonstration
  • Webinar
End-of-contract data extraction At the end of a contract, should the client wish to expedite the process of extracting all data in one transaction, we facilitate data transfer to the customer according to their requirements.
End-of-contract process This process can be facilitated by making a written request to our customer support or account management teams.

Using the service

Using the service
Web browser interface Yes
Supported browsers
  • Internet Explorer 7
  • Internet Explorer 8
  • Internet Explorer 9
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install Yes
Compatible operating systems
  • Android
  • IOS
Designed for use on mobile devices Yes
Differences between the mobile and desktop service Wellola offers both a web application (PHP/ Laravel) which is optimised for usage by the clinician on desktop/laptop but is also user friendly on mobile.

The patient facing aspect of Wellola (and the white labelled versions we offer our customers) is an application (iPhone & Android) optimised for mobile
What users can and can't do using the API Users can set up the service through the API in order to integrate with their incumbent software systems by making a request to Wellola for the API package we offer

Users can make changes through the API

Only users with access permissions can set up or make changes through the API
API documentation Yes
API documentation formats HTML
API sandbox or test environment Yes
Customisation available Yes
Description of customisation The patient facing application offers full rebrand customisation (e.g for HEX codes and colours, company logo, font)

Other elements that are customisable include, but are not limited to secure messages, appointment reminders, scheduling of reminders, invoices, receipts, forms and educational material library.

Dashboard features can be hidden or activated

The individual (s) with admin access can make these changes.


Independence of resources We are well resourced from a human resources perspective, supported by a highly experienced clinical, technical and project management team. We also have the financial capacity to scale on demand, backed by private and state investment.
Technically, our system is automated to grow as spikes in user demand for hosting increases. We work with third party software development and information technology operations (Dev Ops) experts to ensure the system is optimised from this perspective.


Service usage metrics Yes
Metrics types Analytics include: Patient usage (total app download, engagement with features), Clinician Usage (Logins)

Current metrics (bookings, online bookings, time of bookings, telecare engagement, no shows, reschedules, cancelations, correspondence, invoices/billing, clinic income/ savings).

Customisable analytics available on request
Reporting types
  • Real-time dashboards
  • Regular reports
  • Reports on request


Supplier type Not a reseller

Staff security

Staff security
Staff security clearance Conforms to BS7858:2012
Government security clearance Up to Security Clearance (SC)

Asset protection

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
User control over data storage and processing locations Yes
Datacentre security standards Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency At least every 6 months
Penetration testing approach Another external penetration testing organisation
Protecting data at rest
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Encryption of all physical media
Data sanitisation process Yes
Data sanitisation type
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
Equipment disposal approach Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data importing and exporting
Data export approach In-built exporting and interfacing with medical informatics allows continual export of data. Users are able to generate reports and facilitate export of data on demand. Users can request support to manually extract data in any required standard format.
Data export formats
  • CSV
  • ODF
  • Other
Other data export formats Defined By Client Request
Data import formats
  • CSV
  • ODF
  • Other
Other data import formats
  • Defined By Client Request
  • PDF, Word, Excel

Data-in-transit protection

Data-in-transit protection
Data protection between buyer and supplier networks
  • Private network or public sector network
  • TLS (version 1.2 or above)
Data protection within supplier network TLS (version 1.2 or above)

Availability and resilience

Availability and resilience
Guaranteed availability 99.9% uptime, 24/7 availability

Our system operates in a highly reliable environment where replacement instances can be rapidly and predictably commissioned. The service runs within Amazon’s proven network infrastructure and data centers.

SLA available at link https://aws.amazon.com/ec2/sla/historical/
Approach to resilience Failover/rollover servers offer continual secure backup processes and enable resilience of data. Round-the-clock third party and in-house monitoring allows for a preventative approach in terms of datacentre management. Further details available on request.
Outage reporting Email Alerts

Identity and authentication

Identity and authentication
User authentication needed Yes
User authentication
  • 2-factor authentication
  • Username or password
Access restrictions in management interfaces and support channels The primary user classes include the following: -
• Systems Administrator
• Dashboard Setting Administrator (Customer)
• Daily Administrator
• Clinician
• Patient

Each has their own interface access privilege level, supported by a variety of defined security measures (password protected login, 2-factor authentication, SMS PIN codes etc). The level of security/access is defined by the client requirements.
Access restriction testing frequency At least every 6 months
Management access authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Dedicated link (for example VPN)
  • Username or password

Audit information for users

Audit information for users
Access to user activity audit information Users have access to real-time audit information
How long user audit data is stored for User-defined
Access to supplier activity audit information Users contact the support team to get audit information
How long supplier audit data is stored for At least 12 months
How long system logs are stored for At least 12 months

Standards and certifications

Standards and certifications
ISO/IEC 27001 certification Yes
Who accredited the ISO/IEC 27001 DNM Group
ISO/IEC 27001 accreditation date 13/05/2019
What the ISO/IEC 27001 doesn’t cover Wellola works with a managed service provider with ISO20000 and ISO27001 compliance (www.dnmgroup.com) who have validated that we have appropriate Technical and Organisational Measures (TOMs) in situ.
ISO 28000:2007 certification No
CSA STAR certification Yes
CSA STAR accreditation date Application 13/05/2019
CSA STAR certification level Level 3: CSA STAR Certification
What the CSA STAR doesn’t cover Currently in application stage
PCI certification Yes
Who accredited the PCI DSS certification Wellola works with Stripe to insure PCI DSS certification
PCI DSS accreditation date N/A
What the PCI DSS doesn’t cover N/A
Other security certifications No

Security governance

Security governance
Named board-level person responsible for service security Yes
Security governance certified Yes
Security governance standards ISO/IEC 27001
Information security policies and processes Wellola is also registered with the Data Protection Commission and adheres to General Data Protection Regulation (GDPR) and Data Protection Acts 1998 & 2003.

We are ISO 27001 accredited and, as such, our information security policies and processes are guided by this. This, therefore dictates the following:
• Information security policies
• Organisation of information security
• Human resource security
• Asset management
• Access control
• Cryptography
• Physical and environmental security
• Operations security
• Communications security
• System acquisition, development and maintenance
• Supplier relationships
• Information security incident management
• Information security aspects of business continuity management
• Compliance; with internal requirements, such as policies, and with external requirements, such as legislation.

Operational security

Operational security
Configuration and change management standard Supplier-defined controls
Configuration and change management approach Any changes related to the product specification or project process are captured by the Project Manager if the system is still being implemented, or by our Customer/Technical Support department if the system has already been implemented. These are then logged as 'Change Requests' and prioritised for implementation; all affected project parameters will be assessed, analyzed for impact and acted upon.
Vulnerability management type Supplier-defined controls
Vulnerability management approach (1) Our IT/Customer Service team review threats on a case by case basis (garnered from suppliers, industry sources, and industry publications)
(2) Once alerted they review the threat and identify a plan of action based on industry best practices
(3) Depending on the patch we look to deploy all patches within seven days of release and critical and security patches within 48 hours
Protective monitoring type Supplier-defined controls
Protective monitoring approach Wellola avails of third party 24/7 monitoring that takes advantage of the latest statistical mechanisms and machine learning to provide a premium quality control & risk management service. As such, we are able to identify abnormal patterns of behaviour quickly and take the appropriate action, thanks to our heterogeneous monitoring and logging systems.
(1) Internal & external monitoring addresses potential compromises on a case by case basis
(2) Once alerted we review the potential compromise and identify a plan of action based on industry best practices
(3) We respond within 24 hours to incidents of this nature
Incident management type Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach (1) Our approach to incident management consists of the following components: Incident detection and recording, Classification and initial support, Investigation and diagnosis, Resolution and recovery, Incident closure, Ownership, monitoring, tracking and communication
(2) Users report incidents directly to the IT/Customer Service team
(3) Incident reports are provided directly to the relevant client point of contact

Secure development

Secure development
Approach to secure software development best practice Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Public sector networks
Connection to public sector networks Yes
Connected networks
  • NHS Network (N3)
  • Scottish Wide Area Network (SWAN)
  • Health and Social Care Network (HSCN)


Price £29 per licence per month
Discount for educational organisations No
Free trial available Yes
Description of free trial Enterprise Solution: Onsite Set-Up & Discovery Period is at Discounted Rate. For our Direct To Clinic Solution: 30-day free trial for online subscribers.
Link to free trial https://www.wellola.com/register

Service documents

pdf document: Pricing document pdf document: Service definition document pdf document: Terms and conditions
Service documents
Return to top ↑