Security
Weave is committed to protecting your data. We are continuously reviewing and improving our security controls, policies and procedures. Our dedicated security team has expertise in security engineering, security operations, incident response, compliance and application security.
Ongoing security initiatives
Data Encryption
Weave employs industry-standard TLS 1.2+ and HTTPS encryption when transferring data between subscribers and Weave's infrastructure. All subscriber data is encrypted at rest using AES with 128-bit symmetric keys or stronger. Weave employs Google's Key Management Service to create and manage encryption keys. You can learn more here and here.
Penetration Testing
Weave works with independent third parties to conduct regular penetration tests to improve the security of our websites, web applications, application programming interfaces (API) and cloud infrastructure.
Vulnerability Assessments
Weave's security team conducts regular assessments of our infrastructure and resources. These assessments include identification of code defects, vulnerabilities and missing patches, and potential misconfigurations.
Physical Infrastructure
The Weave platform is hosted on Google Cloud Platform (GCP). GCP undergoes regular independent verification of its security, privacy, and compliance controls, including ISO 27001 and SOC2 Type 2 assessments. You can find more information here.
Security Training
Weave conducts continual security training to help ensure our team members are aware of and prepared for current and emerging threats. All team members complete annual security awareness training and our Security team performs regular phishing exercises.
Incident Response
Weave has established an Incident Response Plan and cross-functional response team to identify and quickly respond to security incidents.
Vendor Risk Management
Weave has established a standard process for evaluating and approving vendors, managing vendor relationships, and identifying and managing risk associated with vendors. This process includes steps for conducting vendor due diligence, including assessments of data privacy and data security.
Multi-factor Authentication
Weave enforces multi-factor authentication on internal systems to provide an extra layer of security.
Software Security
Weave's products are developed using the OWASP Top 10 to guide secure development practices. Systems are regularly scanned for known vulnerabilities. Confirmed vulnerabilities are shared with Weave's Engineering teams for timely remediation.
Bug Bounty
Weave operates a Bug Bounty Program following Bugcrowd's Vulnerability Rating Taxonomy and rewards findings classified as P3 or greater. If you would like to report a vulnerability, please contact us at [email protected] with a proof of concept, list of tools used, and the output of the tools. Our Security team will work quickly to reproduce each vulnerability to verify its status before taking the steps needed to remedy and issue rewards.
Business Continuity
Weave uses GCP's Cloud SQL service. Cloud SQL provides automated backup of all data. Production data backups occur at least every day. These backups allow us to easily restore data in the case of data corruption or loss.
Disaster Recovery
Weave manages all infrastructure as code, which means that we are able to bring up complete copies of production environments quickly. In the event of a complete region-wide outage, Weave's Site Reliability Engineering team is able to quickly deploy a duplicate environment in a different GCP region.
Compliance with HIPAA
Weave is committed to protecting your data, including the Protected Health Information (PHI) of your patients. Weave has been designed with features to support you in complying with HIPAA, while also enabling you to make the most of your communications with patients. You can learn more about compliance with HIPAA while using Weave here.
Privacy
Weave's Legal team works with other teams across the company to keep personal information private and secure. Weave's Privacy Policy provides information on how Weave collects, stores, uses, and shares personal information. Weave does not use or disclose personal information other than as permitted in our Privacy Policy and other agreements with our subscribers.
High Availability
Weave leverages GCP's high availability (HA) configurations (e.g., multiple regions, availability zones, load balancers, servers, replica databases) to remain available in the event of failure. Data is synchronously replicated to standby instances. If an HA-configured instance becomes unresponsive, GCP automatically switches to a standby instance. Failover and reconnection typically occur within minutes. All our deployments employ Kubernetes, which allows rapid rollout and rollback of services should deployment errors occur, and self-healing in the case of operating errors.