Security & Compliance
This page provides a public overview of the security and compliance posture for the House of Wellness integration platform.
House of Wellness follows security controls aligned with ISO 27001 principles, but does not claim ISO 27001 certification.
Scope
This summary is intentionally high level. It is designed for customer, supplier, and stakeholder review without disclosing sensitive implementation detail.
Security Position
The platform is operated using documented security practices across identity, access, infrastructure, data protection, operational change, resilience, and incident handling.
The implementation uses Azure-native controls and managed services where possible to reduce operational risk and limit secret handling.
Control Areas
| Area | Approach |
|---|---|
| Governance | Security responsibilities are defined across delivery, operations, and platform support activities. |
| Access control | User access is authenticated through Microsoft Entra ID and role-based access is enforced server-side. |
| Least privilege | Application components use managed identity and scoped access to Azure resources. |
| Secret management | Secrets are held in Azure Key Vault and are not embedded in application code or deployment pipelines. |
| Data protection | Data is encrypted in transit over HTTPS and encrypted at rest using Azure platform controls. |
| Logging and monitoring | Platform activity and diagnostics are monitored to support operational oversight and investigation. |
| Change management | Changes are deployed through controlled CI/CD workflows with source control, review, and release discipline. |
| Backup and recovery | Platform data is stored on managed Azure services with backup and recovery capabilities appropriate to the deployed components. |
| Resilience | External integrations use retry, timeout, and circuit-breaker protections to reduce transient failure impact. |
| Incident response | Operational issues are investigated and handled through defined support and escalation paths. |
Supporting Platform Controls
| Control | Implementation summary |
|---|---|
| Identity | Microsoft Entra ID authentication for staff access |
| Authorisation | Role-based access for administrative, staff, and read-only use cases |
| Infrastructure security | Azure Functions, Storage, Key Vault, and Static Web Apps hosted on managed Azure services |
| Key handling | Managed identity and federated deployment flows reduce reliance on long-lived credentials |
| Deployment security | GitHub Actions deploys use OIDC federation rather than stored cloud credentials |
| Service protection | HTTP clients use resilience handlers for retry, timeout, and circuit breaking |
Compliance Note
This page should not be interpreted as a statement of ISO 27001 certification. It describes operational controls aligned with ISO 27001 principles at a high level for public documentation purposes.