Security & Privacy

Program Overview

Olio does not access customer data, but it does store ePHI, PII, and other data entered into the system by customers. 

Olio does not allow any public access to the headquarters facility. All employees must obtain access to the building via a key fob. There is no data center on-site at Olio since all data is stored in the AWS cloud. 

Olio uses a third-party provider Aptible, a HITRUST-certified organization, for support and maintenance of all cloud networking devices and infrastructure. Aptible also has a security page and SOC 2 report that can be provided upon request. Aptible does not have any access to ePHI.

Olio partners with Pondurance to provide security consulting, annual HIPAA/NIST risk assessment, vulnerability scanning, dynamic application security testing, and threat hunting and response. 

Olio is currently in process of becoming HITRUST certified and has partnered with A-LIGN to conduct the assessment.

Control Details

  • One or more annual third party audits
  • HIPAA compliant
  • Annual third party dynamic application security testing
  • Monthly vulnerability scans
  • Cyber Insurance
  • Formal Mobile Device Management program
  • Business Continuity and Disaster Recovery Plans tested annually
  • Security Incident Response Plan tested annually
  • Annual security awareness training and acknowledgement of security policies
  • OWASP Top 10 training for developers
  • Ongoing phishing testing
  • Endpoint protection on all devices: encryption, firewalls, etc.
  • Access management processes with role based access
  • All data is encrypted at rest using AES 256
  • All data in transit is encrypted using TLS1.2 at a minimum
  • Vendor management process and controls
  • Authentication controls: SSO, MFA
  • Change control processes and version control
  • Audit logging and monitoring by a 24/7/365 SOC
  • Privacy Policy

Olio has a security whitepaper available upon request.

Questions or Issues

If you believe you have found a security vulnerability in Olio or have any other security or privacy concerns, please email  

VP of Security and Compliance
Nicole Sigler

Chief Technical Officer
Sean Lavies