Security

Weave employs industry standard TLS 1.2+ and HTTPS encryption when transferring data between subscribers and Weave's infrastructure. All subscriber data is encrypted at rest using AES-128-bit symmetric encryption keys or better. Weave employs Google's Key Management Service to create and manage encryption keys. You can learn more here and here.

Weave works with independent third parties to conduct regular penetration tests to improve the security of our websites, web applications, application programming interfaces (API) and cloud infrastructure.

Weave's security team conducts regular assessments of our infrastructure and resources. These assessments include identification of code defects, vulnerabilities and missing patches, and potential misconfigurations.

The Weave platform is hosted on Google Cloud Platform (GCP). GCP undergoes regular independent verification of its security, privacy, and compliance controls, including ISO 27001 and SOC2 Type 2 assessments. You can find more information here.

Weave conducts continual security training to help ensure our team members are aware of and prepared for current and emerging threats. All team members complete annual security awareness training and our Security team performs regular phishing exercises.

Weave has established an Incident Response Plan and cross-functional response team to identify and quickly respond to security incidents.

Weave has established a standard process for evaluating and approving vendors, managing vendor relationships, and identifying and managing risk associated with vendors. This process includes steps for conducting vendor due diligence, including assessments of data privacy and data security.

Weave enforces multi-factor authentication on internal systems to provide an extra layer of security.

Weave's products are developed using OWASP Top 10 to guide secure development practices. Systems are regularly scanned for known vulnerabilities. Confirmed vulnerabilities are shared with Weave's Engineering teams for timely remediation.

Weave operates a Bug Bounty Program following Bugcrowd's Vulnerability Rating Taxonomy and rewards findings classified as P3 or greater. If you would like to report a vulnerability, please contact us at [email protected] with a proof of concept, list of tools used, and the output of the tools. Our Security team will work quickly to reproduce each vulnerability to verify its status before taking the steps needed to remedy and issue rewards.

Weave uses GCP's Cloud SQL service. Cloud SQL provides automated backup of all data. Production data backups occur at least every day. These backups allow us to easily restore data in the case of data corruption or loss.

Weave stores all infrastructure-as-code, which means that we are able to bring up complete copies of production environments quickly. In the event of a complete region-wide outage, Weave's Site Reliability Engineering team is able to quickly deploy a duplicate environment in a different GCP region.

Weave is committed to protecting your data, including the Protected Health Information (PHI) of your patients. Weave has been designed with features to support you in complying with HIPAA, while also enabling you to make the most of your communications with patients. You can learn more about compliance with HIPAA while using Weave here.

Weave's Legal team works with other teams across the company to keep personal information private and secure. Weave's Privacy Policy provides information on how Weave collects, stores, uses, and shares personal information. Weave does not use or disclose personal information other than as permitted in our Privacy Policy and other agreements with our subscribers.

Weave leverages GCP's high availability (HA) configurations (e.g., multiple regions, availability zones, load balancers, servers, replica databases) in the event of failure. Data is synchronously replicated to standby instances. If an HA-configured instance becomes unresponsive, GCP automatically switches to a standby instance. Failover and reconnection typically occurs within minutes. All our deployments employ Kubernetes, which allows rapid rollout and rollback of services should deployment errors occur and self-healing in the case of operating errors.