For B2C activities and B2B activities in Europe, Withings hosts its servers thanks to BSO in data centers located in France. To ensure 24/7 operation and constant availability of services, BSO data centers are equipped with redundant power systems and are subject to environmental controls.

For B2B activities in the US, Withings hosts its servers thanks to GCP in data centers located in the US. To ensure 24/7 operation and constant availability of services, Google data centers are equipped with redundant power systems and are subject to environmental controls.

BSO’s and GCP data centers are designed with a multi-layered security model that includes custom-designed electronic access cards, alarms, vehicle access control barriers, security fencing, metal detectors, and biometric technologies. Each data center is also equipped with a laser beam intrusion detection system. The data centers are monitored 24 hours a day, 7 days a week using high-resolution indoor and outdoor cameras that can detect and track intruders.

Upon request, the client may request to regionalize the processing of its data to an available location of MED·PRO services. Withings respects the client's choice and informs clients if one or more services are not regionalizable.

Withings network is protected by several security services (DMZ, Access Control List, firewalls, anti-malware, TLS, IPSec VPN…).

Our network security architecture consists of multiple layers of security, each replicated in multiple availability zones. DMZs are used for areas exposed to the public network. Each layer is protected via firewalls.

The analysis of infrastructure security via automated scans provides in-depth information for the rapid identification of non-compliant or potentially vulnerable systems.

Access to the production environment is strictly limited to system administrators. All accesses are controlled and recorded in protected logs.They are automatically analyzed and audited by a security engineer independent of system administrators. System administrators accessing the production platform must use several personal and robust authentication factors.

Withings has implemented a backup policy for all production systems and environments, including databases, GIT directories, virtual machine disks, and document sharing servers. Backups are regularly executed and tested according to their level of criticality. Backups are then encrypted before the transfer to secure storage. Only system administrators have access to backups.

Withings has set up an event logging policy, including system administration logs, that cannot be disabled. Activities on all Withings systems and applications are also logged. The logs are then analyzed by automatic algorithms in order to detect any suspicious or malicious activities.

A continuous alert system allows for constant monitoring of security incidents and their resolution by system administrators in the shortest possible time. Employees are trained on security incident response processes, including the management of communication channels and escalation paths.

Withings uses low-level disk encryption. The encryption will have a robustness of at least AES-256 or equivalent.

On public networks, all communications with Withings user interfaces and APIs are encrypted using the HTTPS / TLS standard (TLS 1.2 or higher). This ensures that all traffic between the client and Withings is secured in transit.

All backups are encrypted, at least once, before being transmitted to a remote storage area. Where possible, they are also encrypted by the storage solution itself.

Withings provides a publicly accessible system status web page that includes system availability details, planned maintenance, service incident history and relevant security events.

Withings IT backup policy ensures a daily backup of production databases.