Withings is committed to maintaining a secure environment that enables you to use our products and services. We protect your personal data through compliance with multiple standards (ISO 27001:2022, ISO 27701:2019 & HDS).
To factor data privacy into our products and services, we strive for the highest standards of personal data protection.
HDS
Health Data Hosting — version 1.1 final - May 2018 for activities 1 to 6 in accordance with the certification reference system provided by ASIP Santé.
Includes all systems, people and processes involved in the design, development, operations, validation and support of applications and services hosted by Withings which include the processing or disclosure of personal health data.
The certification referential includes: NF ISO/IEC 27001:2017, ISO/IEC 27018:2014, NF ISO/IEC 20000-1:2011, as well as additional requirements.
DownloadISO 27001:2022
Withings provides the service of a hosting provider in accordance with the requirements of the International Organization for Standardization 27001:2022 standards.
It includes all systems, people and processes involved in the design, development, operations, validation and support of applications and services hosted by Withings and especially the processing of personal health data.
DownloadISO 27701:2019
Withings demonstrates its capacity to follow the state of the art in terms of Privacy protection worldwide (such as GDPR). In order to do so, internal processes are continuously audited to ensure that Privacy protection is taken into account at each step of activities (internal or external) conducted by Withings.
DownloadGDPR
General Data Protection Regulation — European Union 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
HIPAA
Health Insurance Portability and Accountability Act of 1996. Standard governing the hosting of personal health data.
Includes all systems, people and processes involved in the design, development, operations, validation and support of applications and services hosted on the Withings Medical Clouds which include the processing or disclosure of personal health data.
DownloadWe deliver, maintain and manage data protection across our applications,services and products at all stages of their lifecycle.
Framework security controls
Withings relies on modern security control techniques to limit exposure to the top 10 OWASP security risks. These inherent controls reduce our exposure to SQL Injection (SQLi), Cross Site Scripting (XSS), and Cross Site Request Forgery (CSRF), among others.
Agile organization, code review and testing
All development activities are organized using the AGILE method, with the establishment of sprints and prioritization of tasks with the Product Management team. All sprints are historized. Developers will perform unit tests, functional integration tests, and security tests. Features are reviewed by the Security team and are evaluated through peer reviews before deployment.
Software Quality Assurance
The Software Quality Assurance department tests services and applications before moving on to production (manual and automatic tests).
Environments separations and test data
The development and test environments are logically separated from the production environment. No personal production data is used in our development or test environments.
Code audit
Withings uses third party security tools to analyze all code against major security risks prior to production. Vulnerabilities that may cause security breaches are mandatorily corrected and/or planned in a continuous improvement cycle.
Automatic code testing
The code is automatically tested with predefined test scenarios to ensure that changes do not result in any loss or degradation of security. Tests are performed on virtual machines with a limited lifespan and are completely separated from production.
Third-Party Penetration Testing
In addition to vulnerabilities management, including analysis and testing, Withings employs third party security experts to perform penetration testing on various applications in our product range. Moreover, Withings has opened bug bounty programs with a partner in order to allow ethical hackers to continuously test our systems and report vulnerabilities.
Password policy
Withings requires the use of a strong password and complies with international recommendations in terms of robustness. This policy applies to all users of the Withings application.
Two-factor authentication
Authentication data storage
Withings never displays plaintext authentication data in its applications or services.
API – third application authentication
Withings API uses the OAuth 2.0 method to authenticate third applications. Each application has a unique and robust client id as well as a secret. The connection data is then secured with expiring tokens that the client must regenerate from Withings.
The majority of Withings applications and services are subject to access controls based on roles with predefined privileges, allowing controlled use and access to data.
All communications over the public network are encrypted with HTTPS/TLS industry standards (TLS 1.2 or higher).
Categorization of changes
Withings has defined change categories, allowing follow-up adapted to the typology of the change. This allows for strong reactivity, while ensuring that the implications are properly assessed.
Change procedure
Withings has defined a change management procedure dependent on category, which may include: a change request, appointment of a change committee, security risk analysis, planning, implementation of the change, or modification of the continuity or recovery plan.
Since protection of data is part of how we take care of our users, we call upon the best security solutions to protect personal data.
Physical facilities
For B2C activities and B2B activities in Europe, Withings hosts its servers thanks to BSO in data centers located in France. To ensure 24/7 operation and constant availability of services, BSO data centers are equipped with redundant power systems and are subject to environmental controls.
For B2B activities in the US, Withings hosts its servers thanks to GCP in data centers located in the US. To ensure 24/7 operation and constant availability of services, Google data centers are equipped with redundant power systems and are subject to environmental controls.
On site security
BSO’s and GCP data centers are designed with a multi-layered security model that includes custom-designed electronic access cards, alarms, vehicle access control barriers, security fencing, metal detectors, and biometric technologies. Each data center is also equipped with a laser beam intrusion detection system. The data centers are monitored 24 hours a day, 7 days a week using high-resolution indoor and outdoor cameras that can detect and track intruders.
Location of data hosting
Upon request, the client may request to regionalize the processing of its data to an available location of MED·PRO services. Withings respects the client's choice and informs clients if one or more services are not regionalizable.
Protection
Withings network is protected by several security services (DMZ, Access Control List, firewalls, anti-malware, TLS, IPSec VPN…).
Architecture
Our network security architecture consists of multiple layers of security, each replicated in multiple availability zones. DMZs are used for areas exposed to the public network. Each layer is protected via firewalls.
Infrastructure Vulnerability Analysis
The analysis of infrastructure security via automated scans provides in-depth information for the rapid identification of non-compliant or potentially vulnerable systems.
Logistical access
Access to the production environment is strictly limited to system administrators. All accesses are controlled and recorded in protected logs.They are automatically analyzed and audited by a security engineer independent of system administrators. System administrators accessing the production platform must use several personal and robust authentication factors.
Backups
Withings has implemented a backup policy for all production systems and environments, including databases, GIT directories, virtual machine disks, and document sharing servers. Backups are regularly executed and tested according to their level of criticality. Backups are then encrypted before the transfer to secure storage. Only system administrators have access to backups.
Events logging
Withings has set up an event logging policy, including system administration logs, that cannot be disabled. Activities on all Withings systems and applications are also logged. The logs are then analyzed by automatic algorithms in order to detect any suspicious or malicious activities.
Security incidents management
A continuous alert system allows for constant monitoring of security incidents and their resolution by system administrators in the shortest possible time. Employees are trained on security incident response processes, including the management of communication channels and escalation paths.
Encryption of stored data
Withings uses low-level disk encryption. The encryption will have a robustness of at least AES-256 or equivalent.
Encryption of databases
Information in databases is encrypted according to its classification in the data registry.
Communication encryption
On public networks, all communications with Withings user interfaces and APIs are encrypted using the HTTPS / TLS standard (TLS 1.2 or higher). This ensures that all traffic between the client and Withings is secured in transit.
SSH connections
Withings guarantees SSH connections using only SSH v2 and industry recognized Encryption Ciphers.
VPN connection
Withings guarantees VPN connections using only industry-recognized and robust Encryption Ciphers.
Backups
All backups are encrypted, at least once, before being transmitted to a remote storage area. Where possible, they are also encrypted by the storage solution itself.
Information on the availability
Withings provides a publicly accessible system status web page that includes system availability details, planned maintenance, service incident history and relevant security events.
Redundancy
The entire physical and cloud infrastructure is redundant in order to minimize the risk of downtime and data loss. In particular, the databases are configured with near-instantaneous replication to ensure that, under normal operating conditions, the complete loss of the main node receiving the writings does not result in data loss of more than a few seconds.
Recovery point objective
Withings IT backup policy ensures a daily backup of production databases.
Disaster recovery plan
Withings disaster recovery plan ensures that the production platform can be fully recreated in the event of a total malfunction of the production environment. All code, configurations, and databases are stored in secure locations and are independent of the production environment. Restoration of the complete platform is performed regularly for test purposes.
The limited staff that handles data in the Withings Cloud is subject to regular vetting and continuous training on how to mitigate the risks involved in processing personal data. -
Background and competency checks
Withings conducts background checks on all new employees in accordance with local laws. These checks are also performed for contractors. Background checks may include technical and general skills, previous employment, and criminal record checks if required.
Confidentiality agreement
All employees must sign non-disclosure and confidentiality agreements. This confidentiality agreement remains valid after the end of the employment contract.
Role and responsibilities definition
Withings ensures that all roles and responsibilities are well defined and understood by the individuals to which they are assigned.
Disciplinary procedure
Withings has put disciplinary procedures in place in the event of a breach of entrusted responsibilities, based on a scale of sanctions defined in the internal regulations.
Security policies
Withings has developed a comprehensive set of security policies covering a wide range of topics. These policies are shared and made available to all employees and subcontractors with access to Withings’ Information Systems.
Information security awareness
All employees undergo security awareness training that is included in the hiring procedure and reviewed annually thereafter. The basic rules and good practices are also recalled on the Withings premises regularly.
Security training
All developers are made aware of the top 10 OWASP security risks through training and best practice guides. Training sessions with external experts are also organized to ensure a deep knowledge and dissemination of the secure code. The security team also provides additional security awareness updates via email, blog posts, and presentations at internal events.
As an innovative IoT company, we make sure that we are always one step ahead of current data protection standards. This is supported by regular internal and external audits.
Internal audit plan
All processes are audited by internal audit teams or by external service providers.
Management review
Management reviews ensure that the management systematically reviews ISMS, assesses opportunities for improvement, and decides on the measures necessary to ensure the relevance, adequacy, and effectiveness of ISMS.
Technical audits
In addition to vulnerability management, including analysis and testing, Withings employs third party security experts to perform detailed penetration testing on various applications in our product line. External technical audits are integrated into Withings annual audit Plan.
Compliance certification audit
Withings has embarked on a certification process through an accredited body to ensure that its ISMS complies with international standards recognized by the industry. The proper functioning of the ISMS is therefore assessed annually by an independent trusted third party.
on your first order by registering
By registering, you agree to receive advertising e-mails from Withings. However, if you change your mind, you can unsubscribe at any time. *The discount is valid for any purchase (except BPM Vision) of at least €100 for 30 days after reception of the code. Only valid on withings.com, and while supplies last. This offer is only valid for first-time purchases. These offers cannot be combined.
