Wellola: Secure Patient Engagement & Communications Solutions

Wellola’s patient portal software revolutionises the way hospitals & clinics care for & communicate with their patients, reducing costs/no shows.

Patient self-scheduling for in-clinic & telecare appointments. Offer patients access to real-time care via video consultation, secure messaging, educational materials within your own branded app. Easy integration using FHIR/HL7 API


  • Patient Portal- branded to customer needs
  • Online Booking for in-person or e-visit sessions with appointment reminders
  • Optional Online Payment Facility: at reservation, e-invoicing, in video call
  • Video Consultation via SMS/ email or in-app
  • Secure Messaging
  • GDPR-compliant Correspondence (provider to patient & provider)
  • Store images and documents with client file
  • Client Library- upload ongoing educational material
  • Branded to customers requirements (white-labelled solution)
  • FHIR/ HL7 API available where required


  • Increase Patient Engagement & Self Management of Care
  • Reduce Postage Costs, Reduce No-Show Rates
  • Facilitate Ease Of Payment For Private Patients
  • Make care more accessible, convenient, increase compliance, reach under-serviced communities
  • Messaging Therapy and/or Secure File Sharing online or in-app
  • Expedite & Centralise Communications with Patients & their Providers
  • Secure File Share/ Storage - move to paperless process
  • Facilitate Chronic Patient Population. Compliment online education with real-time care
  • Easy Set Up. Improve Patient Experience
  • Industry Best Practice to allow for interoperability with existing systems


£29 per licence per month

Service documents


G-Cloud 11

Service ID

4 5 1 6 8 6 1 7 9 5 5 8 5 4 6



Sonia Neary



Service scope

Software add-on or extension
Yes, but can also be used as a standalone service
What software services is the service an extension to
Fully interoperable with EHR and healthcare software systems via FHIR/HL7 API
Cloud deployment model
Hybrid cloud
Service constraints
Critical to Wellola is ensuring a 24x7x365 service without interruption delivered in a manner that minimises unplanned interruptions for our customers.

We aim for business continuity for our clients; any pre-planned interruptions are kept to a minimum and effectively devised to ensure the least possible impact on service users during agreed maintenance or software updates.
System requirements
  • Works on all web connected devices (PC, Mobile, Tablet)
  • Works on all browsers
  • Password protected
  • Capacity for incumbent systems to offer API integration where possible

User support

Email or online ticketing support
Email or online ticketing
Support response times
We offer a 24 hour response time to technical and customer support queries
User can manage status and priority of support tickets
Online ticketing support accessibility
None or don’t know
Phone support
Phone support availability
24 hours, 7 days a week
Web chat support
Web chat
Web chat support availability
24 hours, 7 days a week
Web chat support accessibility standard
None or don’t know
How the web chat support is accessible
The chat badge is a special launcher that allows a customer to get support from a chat agent immediately. It appears as a pop up within the webpage.
Web chat accessibility testing
All on-screen elements are visually distinctive and at high contrast. All elements are named appropriately for screen readers, and no interactive elements are known to cause issues with assisted input devices. We have not yet certified with WCAG, but this is in progress.
Onsite support
Onsite support
Support levels
Wellola rates include all hosting costs, customer service & technical support.

For the discovery and implementation phases of any project roll out we offer onsite and off-site project manager(s), dedicated senior developer(s) and customer support.

24/7 support, is available through phone, email, SMS. Enterprise Client Account Managers will manage all interactions, but the client can choose to directly contact engineering team if they so wish
Support available to third parties

Onboarding and offboarding

Getting started
Our overarching aim at Wellola is to service our customers with a platform that is as accessible as possible. The clinic software is simple to set up from the clinician's perspective & requires minimal prior computer experience. Features & functionality can be removed or pre-set.
The patient portal has been designed with simplicity in mind. e­-Visit via text link aims to ensure equity in enhanced service provision.

We have a wealth of resources (user guides, videos, webinars, screenshare demos) available to help familiarise you with Wellola under the 'Support' tab on www.wellola.ocm. They cover a wide range of topics in a variety of formats to best match our customers on-boarding needs.
Service documentation
Documentation formats
  • HTML
  • PDF
  • Other
Other documentation formats
  • Easy Set Up Wizard
  • Video set up guides
  • Screen share demonstration
  • Webinar
End-of-contract data extraction
At the end of a contract, should the client wish to expedite the process of extracting all data in one transaction, we facilitate data transfer to the customer according to their requirements.
End-of-contract process
This process can be facilitated by making a written request to our customer support or account management teams.

Using the service

Web browser interface
Supported browsers
  • Internet Explorer 7
  • Internet Explorer 8
  • Internet Explorer 9
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install
Compatible operating systems
  • Android
  • IOS
Designed for use on mobile devices
Differences between the mobile and desktop service
Wellola offers both a web application (PHP/ Laravel) which is optimised for usage by the clinician on desktop/laptop but is also user friendly on mobile.

The patient facing aspect of Wellola (and the white labelled versions we offer our customers) is an application (iPhone & Android) optimised for mobile
Service interface
What users can and can't do using the API
Users can set up the service through the API in order to integrate with their incumbent software systems by making a request to Wellola for the API package we offer

Users can make changes through the API

Only users with access permissions can set up or make changes through the API
API documentation
API documentation formats
API sandbox or test environment
Customisation available
Description of customisation
The patient facing application offers full rebrand customisation (e.g for HEX codes and colours, company logo, font)

Other elements that are customisable include, but are not limited to secure messages, appointment reminders, scheduling of reminders, invoices, receipts, forms and educational material library.

Dashboard features can be hidden or activated

The individual (s) with admin access can make these changes.


Independence of resources
We are well resourced from a human resources perspective, supported by a highly experienced clinical, technical and project management team. We also have the financial capacity to scale on demand, backed by private and state investment.
Technically, our system is automated to grow as spikes in user demand for hosting increases. We work with third party software development and information technology operations (Dev Ops) experts to ensure the system is optimised from this perspective.


Service usage metrics
Metrics types
Analytics include: Patient usage (total app download, engagement with features), Clinician Usage (Logins)

Current metrics (bookings, online bookings, time of bookings, telecare engagement, no shows, reschedules, cancelations, correspondence, invoices/billing, clinic income/ savings).

Customisable analytics available on request
Reporting types
  • Real-time dashboards
  • Regular reports
  • Reports on request


Supplier type
Not a reseller

Staff security

Staff security clearance
Conforms to BS7858:2012
Government security clearance
Up to Security Clearance (SC)

Asset protection

Knowledge of data storage and processing locations
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
User control over data storage and processing locations
Datacentre security standards
Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency
At least every 6 months
Penetration testing approach
Another external penetration testing organisation
Protecting data at rest
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Encryption of all physical media
Data sanitisation process
Data sanitisation type
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
Equipment disposal approach
Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach
In-built exporting and interfacing with medical informatics allows continual export of data. Users are able to generate reports and facilitate export of data on demand. Users can request support to manually extract data in any required standard format.
Data export formats
  • CSV
  • ODF
  • Other
Other data export formats
Defined By Client Request
Data import formats
  • CSV
  • ODF
  • Other
Other data import formats
  • Defined By Client Request
  • PDF, Word, Excel

Data-in-transit protection

Data protection between buyer and supplier networks
  • Private network or public sector network
  • TLS (version 1.2 or above)
Data protection within supplier network
TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability
99.9% uptime, 24/7 availability

Our system operates in a highly reliable environment where replacement instances can be rapidly and predictably commissioned. The service runs within Amazon’s proven network infrastructure and data centers.

SLA available at link https://aws.amazon.com/ec2/sla/historical/
Approach to resilience
Failover/rollover servers offer continual secure backup processes and enable resilience of data. Round-the-clock third party and in-house monitoring allows for a preventative approach in terms of datacentre management. Further details available on request.
Outage reporting
Email Alerts

Identity and authentication

User authentication needed
User authentication
  • 2-factor authentication
  • Username or password
Access restrictions in management interfaces and support channels
The primary user classes include the following: -
• Systems Administrator
• Dashboard Setting Administrator (Customer)
• Daily Administrator
• Clinician
• Patient

Each has their own interface access privilege level, supported by a variety of defined security measures (password protected login, 2-factor authentication, SMS PIN codes etc). The level of security/access is defined by the client requirements.
Access restriction testing frequency
At least every 6 months
Management access authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Dedicated link (for example VPN)
  • Username or password

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
Access to supplier activity audit information
Users contact the support team to get audit information
How long supplier audit data is stored for
At least 12 months
How long system logs are stored for
At least 12 months

Standards and certifications

ISO/IEC 27001 certification
Who accredited the ISO/IEC 27001
DNM Group
ISO/IEC 27001 accreditation date
What the ISO/IEC 27001 doesn’t cover
Wellola works with a managed service provider with ISO20000 and ISO27001 compliance (www.dnmgroup.com) who have validated that we have appropriate Technical and Organisational Measures (TOMs) in situ.
ISO 28000:2007 certification
CSA STAR certification
CSA STAR accreditation date
Application 13/05/2019
CSA STAR certification level
Level 3: CSA STAR Certification
What the CSA STAR doesn’t cover
Currently in application stage
PCI certification
Who accredited the PCI DSS certification
Wellola works with Stripe to insure PCI DSS certification
PCI DSS accreditation date
What the PCI DSS doesn’t cover
Other security certifications

Security governance

Named board-level person responsible for service security
Security governance certified
Security governance standards
ISO/IEC 27001
Information security policies and processes
Wellola is also registered with the Data Protection Commission and adheres to General Data Protection Regulation (GDPR) and Data Protection Acts 1998 & 2003.

We are ISO 27001 accredited and, as such, our information security policies and processes are guided by this. This, therefore dictates the following:
• Information security policies
• Organisation of information security
• Human resource security
• Asset management
• Access control
• Cryptography
• Physical and environmental security
• Operations security
• Communications security
• System acquisition, development and maintenance
• Supplier relationships
• Information security incident management
• Information security aspects of business continuity management
• Compliance; with internal requirements, such as policies, and with external requirements, such as legislation.

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
Any changes related to the product specification or project process are captured by the Project Manager if the system is still being implemented, or by our Customer/Technical Support department if the system has already been implemented. These are then logged as 'Change Requests' and prioritised for implementation; all affected project parameters will be assessed, analyzed for impact and acted upon.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
(1) Our IT/Customer Service team review threats on a case by case basis (garnered from suppliers, industry sources, and industry publications)
(2) Once alerted they review the threat and identify a plan of action based on industry best practices
(3) Depending on the patch we look to deploy all patches within seven days of release and critical and security patches within 48 hours
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
Wellola avails of third party 24/7 monitoring that takes advantage of the latest statistical mechanisms and machine learning to provide a premium quality control & risk management service. As such, we are able to identify abnormal patterns of behaviour quickly and take the appropriate action, thanks to our heterogeneous monitoring and logging systems.
(1) Internal & external monitoring addresses potential compromises on a case by case basis
(2) Once alerted we review the potential compromise and identify a plan of action based on industry best practices
(3) We respond within 24 hours to incidents of this nature
Incident management type
Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach
(1) Our approach to incident management consists of the following components: Incident detection and recording, Classification and initial support, Investigation and diagnosis, Resolution and recovery, Incident closure, Ownership, monitoring, tracking and communication
(2) Users report incidents directly to the IT/Customer Service team
(3) Incident reports are provided directly to the relevant client point of contact

Secure development

Approach to secure software development best practice
Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks
Connected networks
  • NHS Network (N3)
  • Scottish Wide Area Network (SWAN)
  • Health and Social Care Network (HSCN)


£29 per licence per month
Discount for educational organisations
Free trial available
Description of free trial
Enterprise Solution: Onsite Set-Up & Discovery Period is at Discounted Rate. For our Direct To Clinic Solution: 30-day free trial for online subscribers.
Link to free trial

Service documents

Return to top ↑