Weave employs multiple layers of security to protect your data.
At the organization layer, Weave has a dedicated security team, with a Chief Information Security Officer leading a team with security compliance, security engineering, security operations, and application security expertise to influence the secure handling of your data, and secure development and operation of Weave’s products. These team members monitor for incidents, events, and insecure configurations that may lead to the compromise of Weave’s products or your data.
At the physical and infrastructure layers, Weave’s products are hosted on Google Cloud Platform (GCP) and Amazon Web Services (AWS) -- both of which have favorable compliance reports including an ISO 27001 certification and SOC2 Type 2 report, demonstrating their security practices adhere to industry best practices.
At the data layer, your data is encrypted in transit and at rest in backend databases and object stores using industry accepted encryption protocols (TLS 1.2 or higher; AES-128 or higher) with known strong ciphers. Patient images, voicemails, and call recordings are encrypted with unique encryption keys for each subscriber. Encryption keys are stored only in memory by our services, and are encrypted on disk behind our key management system.
At the systems and software layer, Weave’s products are developed using OWASP Top 10 to guide the secure development practices. Systems are scanned for known vulnerabilities, and vulnerabilities are provided to the appropriate internal engineering teams to remediate in a timely manner commensurate with the severity of the vulnerability. Code development uses Continuous Integration (CI) and requires code change peer reviews and approvals prior to code being merged into the main code branch.
We welcome any security researchers to report any security vulnerabilities in Weave’s products or systems to firstname.lastname@example.org. We rate these findings based on Bugcrowd’s rating taxonomy and look forward to reviewing anything you find!