Wally makes every effort to assure all 3rd party organizations are compliant and do not compromise the integrity, security, and privacy of Wally or Wally Customer data. 3rd Parties include Customers, Subcontractors, and Contracted Developers.
- 05.i - Identification of Risks Related to External Parties
- 05.k - Addressing Security in Third Party Agreements
- 09.e - Service Delivery
- 09.f - Monitoring and Review of Third Party Services
- 09.g - Managing Changes to Third Party Services
- 10.1 - Outsourced Software Development
- 164.314(a)(1)(i) - Business Associate Contracts or Other Arrangements
- Wally does not allow 3rd party access to production systems containing ePHI.
- All connections and data in transit between the Wally Platform and 3rd parties are encrypted end to end.
- A standard business associate agreement with Customers is defined and includes the required security controls in accordance with the organization's security policies. Additionally, responsibility is assigned in these agreements.
- Wally has Service Level Agreements (SLAs) with Subcontractors with an agreed service arrangement addressing liability, service definitions, security controls, and aspects of services management.
- No Wally Customers have access outside of their own environment, meaning they cannot access, modify, or delete anything related to other 3rd parties.
- Wally does not outsource software development.
- Wally maintains and annually reviews a list all current Subcontractors.
- The list of current Subcontractors is maintained by the Wally Privacy Officer, includes details on all provided services (along with contact information), and is recorded in §1.3.
- The annual review of Subcontractors is conducted as a part of the security, compliance, and SLA review referenced below.
- Wally assesses security, compliance, and SLA requirements and considerations with all Subcontractors. This includes annual assessment of SOC2 reports for all Wally infrastructure partners.
- Wally leverages recurring calendar invites to assure reviews of all 3rd party services are performed annually. These reviews are performed by the Wally Security Officer and Privacy Officer. The process for reviewing 3rd party services is outlined below:
- The Security Officer initiates the SLA review by creating a ticket in the Wally Quality Management System.
- The Security Officer, or Privacy Officer, is assigned to review the SLA and performance of 3rd parties. The list of current 3rd parties, including contact information, is also reviewed to assure it is up to date and complete.
- SLA, security, and compliance performance is documented in the ticket.
- Once the review is completed and documented, the Security Officer approves or rejects the ticket. If the ticket is rejected, it goes back for further review and documentation.
- Wally leverages recurring calendar invites to assure reviews of all 3rd party services are performed annually. These reviews are performed by the Wally Security Officer and Privacy Officer. The process for reviewing 3rd party services is outlined below:
- Regular review is conducted as required by SLAs to assure security and compliance. These reviews include reports, audit trails, security events, operational issues, failures and disruptions, and identified issues are investigated and resolved in a reasonable and timely manner.
- Any changes to Subcontractor services and systems are reviewed before implementation.
- For all partners, Wally reviews activity annually to assure partners are in line with SLAs in contracts with Wally.
- SLA review is monitored on a quarterly basis using the Quality Management System reporting to assess compliance with above policy.
- The 3rd Party Assurance process is reviewed annually and updated to include any necessary changes.
- Changes to the 3rd Party Assurance process will also be made on an ad-hoc basis in cases where operational changes require it or if the process is found lacking.