Security at Weight Loss Projection Lab

Enterprise-grade security to protect your most sensitive health information

Last updated: December 27, 2025

Your Data is Safe With Us

We employ bank-level encryption, undergo regular third-party security audits, and maintain strict HIPAA compliance to ensure your health data remains private and secure.

HIPAA Compliant
SOC 2 Type II
ISO 27001
AES-256 Encryption

Security Overview

At Weight Loss Projection Lab, security is not an afterthought: it's built into every layer of our platform. We understand that you're trusting us with your most sensitive health information, and we take that responsibility seriously.

End-to-End Encryption

All data is encrypted in transit and at rest (TLS 1.3 and AES-256, as described below)

HIPAA Compliance

Full compliance with healthcare privacy regulations and standards

Regular Audits

Quarterly security audits and annual penetration testing by experts

Data Encryption

πŸ” Encryption at Rest

All stored data is encrypted using AES-256 encryption, the same standard used by banks and government agencies.

  • Database encryption with Google Cloud KMS
  • File storage encryption for meal photos and documents
  • Encrypted backups with separate encryption keys
  • Hardware security modules (HSM) for key management

🌐 Encryption in Transit

All data transmitted between your device and our servers is encrypted using TLS 1.3, the latest and most secure protocol.

  • TLS 1.3 with perfect forward secrecy
  • HTTPS-only connections (HSTS enforced)
  • Certificate pinning in mobile apps
  • Secure WebSocket connections for real-time features

Key Management

Encryption keys are managed using industry best practices:

  • Regular key rotation (every 90 days)
  • Separate keys for different data types
  • Multi-factor authentication for key access
  • Audit logging of all key operations

Infrastructure Security

Google Cloud Platform

Our infrastructure is hosted on Google Cloud Platform (GCP), which provides enterprise-grade security and is HIPAA compliant.

  • ISO 27001 certified
  • SOC 2/3 compliant
  • HIPAA BAA signed
  • 99.99% uptime SLA

πŸ›‘οΈNetwork Security

  • DDoS protection with Cloud Armor
  • Web Application Firewall (WAF)
  • Private VPC with network segmentation
  • Intrusion detection and prevention (IDS/IPS)

Server Security

  • Automated security patching
  • Container security scanning
  • Minimal attack surface (least privilege)
  • Hardened operating systems

Database Security

  • Encrypted connections only
  • IP allowlisting and VPC peering
  • Automated backups every 6 hours
  • Point-in-time recovery

Disaster Recovery

  • Multi-region redundancy
  • Automated failover systems
  • Regular disaster recovery drills
  • RTO: 4 hours, RPO: 1 hour

Application Security

Secure Development Lifecycle

Code Security

  • Automated vulnerability scanning (Snyk, SonarQube)
  • Security-focused code reviews
  • Dependency scanning and updates
  • Static application security testing (SAST)

Input Validation

  • SQL injection prevention
  • XSS (Cross-Site Scripting) protection
  • CSRF token validation
  • Request rate limiting and throttling

API Security

  • OAuth 2.0 and JWT authentication
  • API key rotation and expiration
  • Rate limiting per endpoint
  • Request signing and validation
  • API versioning and deprecation
  • Comprehensive audit logging

Access Control & Authentication

πŸ”User Authentication

  • Multi-factor authentication (MFA)
  • Biometric authentication (Face ID, Touch ID)
  • Strong password requirements
  • Password breach monitoring
  • Session timeout after inactivity
  • Device fingerprinting

Role-Based Access

  • Principle of least privilege
  • Granular permission controls
  • Separate admin and user roles
  • Family member access controls
  • Provider access management
  • Access revocation workflows

Employee Access

Our employees have strictly limited access to customer data:

  • Zero standing access: temporary access is granted only when needed
  • All access requests logged and reviewed
  • Mandatory HIPAA and security training
  • Background checks for all employees

Security Monitoring & Incident Response

24/7 Security Monitoring

  • Real-time threat detection using AI/ML anomaly detection
  • Security Information and Event Management (SIEM)
  • Automated alerting for suspicious activities
  • Log aggregation and analysis

Incident Response

We have a comprehensive incident response plan that includes:

Response Team

  • Dedicated security incident response team
  • On-call rotation 24/7/365
  • External security consultants on retainer

Response Process

  • Detection &amp; triage within 15 minutes
  • Containment within 1 hour
  • User notification within 72 hours (if required)

Breach Notification

In the unlikely event of a data breach affecting your personal information, we will notify you within 72 hours as required by HIPAA and GDPR. We will provide clear information about what happened, what data was affected, and what steps we're taking to prevent future incidents.

Compliance & Certifications

HIPAA Compliance

Full compliance with the Health Insurance Portability and Accountability Act

  • Privacy Rule compliance
  • Security Rule compliance
  • Breach Notification Rule
  • Business Associate Agreements

SOC 2 Type II

Audited annually by independent third parties

  • Security controls
  • Availability controls
  • Confidentiality controls
  • Processing integrity

ISO 27001

International standard for information security management

  • Information Security Management System (ISMS)
  • Risk assessment framework
  • Annual certification audits

GDPR Compliant

General Data Protection Regulation compliance for EU users

  • Data protection by design
  • Right to erasure (Right to be forgotten)
  • Data portability

Third-Party Security

We carefully vet all third-party services and ensure they meet our security standards:

Vendor Security Requirements

  • SOC 2 Type II certification required
  • HIPAA Business Associate Agreements (BAAs)
  • Annual security questionnaires
  • Regular security audits
  • Data Processing Agreements (DPAs)
  • Ongoing monitoring and review

Key Third-Party Partners

Google Cloud Platform: Infrastructure & hosting
Firebase: Authentication & database
Stripe: Payment processing (PCI DSS Level 1)
OpenAI/Google: AI services (BAA signed)

Security Best Practices for Users

While we implement robust security measures, you can help protect your account:

Do:

  • Enable multi-factor authentication (MFA)
  • Use a strong, unique password
  • Enable biometric authentication
  • Review account activity regularly
  • Log out from shared devices
  • Keep your app updated

Don't:

  • Share your password with anyone
  • Use public Wi-Fi without a VPN
  • Click suspicious links in emails
  • Reuse passwords from other sites
  • Disable security features
  • Ignore security alerts

Vulnerability Disclosure Program

We welcome responsible disclosure of security vulnerabilities. If you believe you've found a security issue, please report it to us:

Response: We commit to responding within 48 hours.

Responsible Disclosure

Please do not publicly disclose the vulnerability until we've had a chance to address it. We appreciate security researchers and offer recognition (and rewards for significant findings) through our bug bounty program.

Security Questions?

If you have questions about our security practices or would like more information:
