Protecting your data is of paramount importance to us and we ensure safety and security every step of the way.
Summary
Withings Security Insurance Plan relates exclusively to Withings' activities with professionals. Please refer to our privacy policy for information on security measures designed to secure individual user data.
Withings is committed to maintaining a secure environment that enables you to use our products and services. Find out how we protect your personal data through compliance with multiple standards (ISO 27001:2017 & HDS).
Certifications & Standards
To factor data privacy into our products and services, we strive for the highest standards of personal data protection.
Certifications
HDS
Health Data Hosting — version 1.1 final, May 2018, for activities 1 to 3, in accordance with the certification reference system provided by ASIP Santé.
Includes all systems, people and processes involved in the design, development, operations, validation and support of applications and services hosted on the Withings Medical Clouds which include the processing or disclosure of personal health data.
The certification referential includes: NF ISO/IEC 27001:2017, ISO/IEC 27018:2014, NF ISO/IEC 20000-1:2011, as well as additional requirements.
ISO 27001
Withings provides hosting services in accordance with the requirements of the ISO/IEC 27001:2017 standard.
Includes all systems, people and processes involved in the design, development, operations, validation and support of applications and services hosted on the Withings Medical Clouds which include the processing or disclosure of personal health data.
GDPR
General Data Protection Regulation — Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
HIPAA
Health Insurance Portability and Accountability Act of 1996. Standard governing the hosting of personal health data.
Includes all systems, people and processes involved in the design, development, operations, validation and support of applications and services hosted on the Withings Medical Clouds which include the processing or disclosure of personal health data.
We deliver, maintain and manage data protection across our applications, services and products at all stages of their lifecycle.
Secured development
Framework security controls
Withings relies on modern security control techniques to limit exposure to the OWASP Top 10 security risks. These built-in controls reduce our exposure to SQL Injection (SQLi), Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF), among others.
Agile organization, code review and testing
All development activities are organized using the Agile method, with sprints and task prioritization agreed with the Product Management team. A history of all sprints is kept. Developers perform unit tests, functional integration tests and security tests. Features are reviewed by the Security team and evaluated through peer review before deployment.
Software Quality Assurance
The Software Quality Assurance department tests services and applications before moving on to production (manual and automatic tests).
Environment separation and test data
The development and test environments are logically separated from the production environment. No personal production data is used in our development or test environments.
Vulnerability management
Code audit
Withings uses third-party security tools to analyze all code against major security risks prior to production. Vulnerabilities that could lead to a security breach must be corrected, or their correction must be planned, as part of a continuous improvement cycle.
Automatic code testing
The code is automatically tested with predefined test scenarios to ensure that changes do not result in any loss or degradation of security. Tests are performed on virtual machines with a limited lifespan and are completely separated from production.
Third-Party Penetration Testing
In addition to vulnerability management, including analysis and testing, Withings employs third-party security experts to perform penetration testing on various applications in our product range. Withings has also opened bug bounty programs with a partner so that ethical hackers can continuously test our systems and report vulnerabilities.
Authentication security
Password policy
Withings requires the use of a strong password and complies with international recommendations in terms of robustness. This policy applies to all users of the Health Mate application.
Two-factor authentication
You can activate two-factor authentication to strengthen the security of your account.
Authentication data storage
Withings never displays plaintext authentication data in its applications or services.
API: third-party application authentication
The Withings API uses OAuth 2.0 to authenticate third-party applications. Each application has a unique, robust client ID and a client secret. Access is then secured with expiring tokens that the client must renew from Withings.
Role-based access controls
The majority of Withings applications and services are subject to access controls based on roles with predefined privileges, allowing controlled use and access to data.
Securing data in transit
All communications over the public network are encrypted with HTTPS/TLS industry standards (TLS 1.2 or higher).
Change management
Categorization of changes
Withings has defined change categories, allowing follow-up adapted to the type of change. This allows a rapid response while ensuring that the implications of each change are properly assessed.
Change procedure
Withings has defined a change management procedure dependent on category, which may include: a change request, appointment of a change committee, security risk analysis, planning, implementation of the change, or modification of the continuity or recovery plan.
Infrastructure protection
Since protecting data is part of how we take care of our users, we call upon the best security solutions to protect your data.
Physical data center security
Physical facilities
For B2C activities and B2B activities in Europe, Withings hosts its servers with BSO in data centers located in France. To ensure 24/7 operation and constant availability of services, BSO data centers are equipped with redundant power systems and are subject to environmental controls.
For B2B activities in the US, Withings hosts its servers on Google Cloud Platform (GCP) in data centers located in the US. To ensure 24/7 operation and constant availability of services, Google data centers are equipped with redundant power systems and are subject to environmental controls.
On site security
BSO's and GCP's data centers are designed with a multi-layered security model that includes custom-designed electronic access cards, alarms, vehicle access control barriers, security fencing, metal detectors and biometric technologies. Each data center is also equipped with a laser beam intrusion detection system. The data centers are monitored 24 hours a day, 7 days a week using high-resolution indoor and outdoor cameras that can detect and track intruders.
Location of data hosting
Upon request, the client may have the processing of its data regionalized to any available location of the MED·PRO services. Withings respects the client's choice and informs clients if one or more services cannot be regionalized.
Network security
Protection
The Withings network is protected by several security services (DMZ, access control lists, firewalls, anti-malware, TLS, IPsec VPN, etc.).
Architecture
Our network security architecture consists of multiple layers of security, each replicated in multiple availability zones. DMZs are used for areas exposed to the public network. Each layer is protected via firewalls.
Infrastructure Vulnerability Analysis
The analysis of infrastructure security via automated scans provides in-depth information for the rapid identification of non-compliant or potentially vulnerable systems.
Logical access
Access to the production environment is strictly limited to system administrators. All accesses are controlled and recorded in protected logs. These logs are automatically analyzed and audited by a security engineer who is independent of the system administrators. System administrators accessing the production platform must authenticate with multiple strong, personal authentication factors.
Backups
Withings has implemented a backup policy for all production systems and environments, including databases, Git repositories, virtual machine disks and document sharing servers. Backups are executed and tested regularly according to their level of criticality. Backups are encrypted before being transferred to secure storage. Only system administrators have access to backups.
Event logging
Withings has set up an event logging policy, including system administration logs, that cannot be disabled. Activities on all Withings systems and applications are also logged. The logs are then analyzed by automatic algorithms in order to detect any suspicious or malicious activities.
Security incidents management
A continuous alert system allows for constant monitoring of security incidents and their resolution by system administrators in the shortest possible time. Employees are trained on security incident response processes, including the management of communication channels and escalation paths.
Encryption
Encryption of stored data
Withings uses low-level disk encryption with a strength of at least AES-256 or equivalent.
Encryption of databases
Information in databases is encrypted according to its classification in the data registry.
Communication encryption
On public networks, all communications with Withings user interfaces and APIs are encrypted using the HTTPS / TLS standard (TLS 1.2 or higher). This ensures that all traffic between the client and Withings is secured in transit.
SSH connections
Withings restricts SSH connections to SSH protocol version 2 and industry-recognized encryption ciphers.
VPN connection
Withings restricts VPN connections to industry-recognized, robust encryption ciphers.
Backups
All backups are encrypted, at least once, before being transmitted to a remote storage area. Where possible, they are also encrypted by the storage solution itself.
Availability plan & continuity
Availability information
Withings provides a publicly accessible system status web page that includes system availability details, planned maintenance, service incident history and relevant security events.
Redundancy
The entire physical and cloud infrastructure is redundant in order to minimize the risk of downtime and data loss. In particular, the databases are configured with near-instantaneous replication to ensure that, under normal operating conditions, the complete loss of the primary node receiving writes does not result in more than a few seconds of data loss.
Recovery point objective
Withings IT backup policy ensures a daily backup of production databases.
Disaster recovery plan
Withings disaster recovery plan ensures that the production platform can be fully recreated in the event of a total malfunction of the production environment. All code, configurations, and databases are stored in secure locations and are independent of the production environment. Restoration of the complete platform is performed regularly for test purposes.
HR Security
The limited staff that handles data in the Withings Cloud is subject to regular vetting and continuous training on how to mitigate the risks involved in processing personal data.
Employees management
Background and competency checks
Withings conducts background checks on all new employees in accordance with local laws. These checks are also performed for contractors. Background checks may include technical and general skills, previous employment, and criminal record checks if required.
Confidentiality agreement
All employees must sign non-disclosure and confidentiality agreements. This confidentiality agreement remains valid after the end of the employment contract.
Role and responsibilities definition
Withings ensures that all roles and responsibilities are well defined and understood by the individuals to whom they are assigned.
Disciplinary procedure
Withings has put disciplinary procedures in place in the event of a breach of entrusted responsibilities, based on a scale of sanctions defined in the internal regulations.
Security awareness
Security policies
Withings has developed a comprehensive set of security policies covering a wide range of topics. These policies are shared and made available to all employees and subcontractors with access to Withings’ Information Systems.
Information security awareness
All employees undergo security awareness training that is included in the hiring procedure and reviewed annually thereafter. The basic rules and good practices are also recalled on the Withings premises regularly.
Security training
All developers are made aware of the OWASP Top 10 security risks through training and best practice guides. Training sessions with external experts are also organized to ensure deep knowledge and dissemination of secure coding practices. The security team also provides additional security awareness updates via email, blog posts and presentations at internal events.
Continuous improvement
As an innovative IT company, we make sure that we are always one step ahead of current data protection standards. This is supported by regular internal and external audits.
Internal audits
Internal audit plan
All processes are audited by internal audit teams or by external service providers.
Management review
Management reviews ensure that management systematically reviews the ISMS, assesses opportunities for improvement, and decides on the measures necessary to ensure the relevance, adequacy and effectiveness of the ISMS.
External audits
Technical audits
In addition to vulnerability management, including analysis and testing, Withings employs third-party security experts to perform detailed penetration testing on various applications in our product line. External technical audits are integrated into the Withings annual audit plan.
Compliance certification audit
Withings has embarked on a certification process through an accredited body to ensure that its ISMS complies with international standards recognized by the industry. The proper functioning of the ISMS is therefore assessed annually by an independent trusted third party.