Security & Technology
1. Security and Privacy Concerns
Weave’s information security policies are designed to protect restricted, confidential, or sensitive data. The protection of data in scope is a critical business requirement. Weave’s policies are continually monitored and reviewed by the Weave Security Team to ensure that Weave Accreditation meets or exceeds relevant standards.
Weave bases its security around the NIST Cybersecurity Framework and, specifically, the NIST SP 800-53 controls.
Weave Certifications:
- TX-RAMP Level 2
- CSA Star Level 1
- HECVAT Full
2. Your Trusted Weave Team
All Weave employees and third-party contractors have been thoroughly vetted with background checks and are required to complete Security Awareness training and recertify annually. Weave staff also undergo additional role-based security training. All Weave staff are required to abide by the Rules of Behavior for Internal Users and the Weave Privacy Policy.
3. Authentication and Single Sign-On
Local authentication through the Weave application is secure, and SSO is recommended, though not required. Weave supports the following SSO methods:
- Google Authentication
4. Physical & Infrastructure Security
Weave is hosted on Amazon Web Services (AWS), which ensures the physical and environmental security of the Weave data servers. AWS’s data centers are state of the art, utilizing innovative architectural and engineering approaches. Data centers are housed in nondescript facilities. Physical access is strictly controlled both at the perimeter and at building entrances by professional security staff utilizing video surveillance, intrusion detection systems, and other electronic means.
5. Network Security
Access control is enforced at the network level using logical segmentation between trusted and untrusted networks, firewalls, security groups, and access control lists.
Data is encrypted both in transit and at rest.
- Data in transit or on the move is protected with TLS 1.3 encryption.
- Data at rest or in storage is protected with AES-256 encryption.
Weave implements both an Intrusion Detection System and an Intrusion Prevention System at the network level to ensure intelligent threat monitoring and alerting. All logs are aggregated and monitored by the Weave security team.
All endpoints are protected and continually scanned for threats and vulnerabilities. Any vulnerabilities are patched or remediated based on severity.
6. Continuous Monitoring & DevOps
Weave’s Software Development Lifecycle is based on an agile CI/CD pipeline. It includes regular monitoring and testing of networks, code repositories, and third-party development tools. Weave builds security into its DevOps team, with the security manager integrated into the agile sprint workflow. Every Weave feature undergoes a security review prior to deployment.
The Weave security team collects and reviews audit logs and continuously monitors the Weave Platform to ensure its integrity and availability. Weave remediates any findings, alerts, or vulnerabilities based on urgency and severity.
7. Backups & Business Continuity
Weave conducts weekly full backups and daily incremental backups in multiple Availability Zones within AWS. Weave also has a cold storage site for full redundancy and disaster recovery.
Weave maintains procedures for disaster recovery, contingency planning, and incident response. The Incident Response Plan (IRP) is tested and updated annually. It includes an Incident Response Team from cross-functional departments within Weave.
8. API and Integration
Export Files
Provides a secure method for users to export files containing Weave Accreditation data for use in other applications. This feature is included in your subscription and you can customize mapping to requested fields.
Pull from Defined Data Fields via API
Allows direct programmatic access to specific data fields within Weave Accreditation, enabling external systems to retrieve information on demand.
- Provide Request Keys
- Pull Data on Demand
Option 1: Push Integration Built and Maintained by You
Your developers build and maintain a push integration, where data is sent automatically via a Weave Accreditation webhook to your designated system endpoint.
- Built and maintained by your developers for your systems
- Maintained by Weave for compatibility with your systems
Option 2: Push Integration Built and Maintained by Trusted Weave Partner
Weave’s trusted partner is responsible for building and maintaining a push integration that receives data from Weave Accreditation. This option offers greater control over the integration process and data handling on your end.
- Custom Quote for each system from Weave partner
- Built and maintained by Weave partner for your systems
- Maintained by Weave for compatibility with your systems