// Trust & Security Report

    Google (Fitbit) logo

    Google (Fitbit)

    Fitbit wearable fitness trackers and health monitoring devices, including consumer Fitbit app (now Google Health) and enterprise Fitbit Wellness platform with HIPAA support.

    Certifications held

    4

    Maturity

    Enterprise

    Trains on your data

    No

    Trust center

    No

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    HIPAA (with BAA)
    HELD

    Fitbit Wellness will be able to expand integration opportunities with health plans and self-insured employers by its ability to enter into Business Associate Agreements with HIPAA-covered entities. Note: this applies only to the enterprise Fitbit Wellness offering; the consumer Fitbit app is not HIPAA covered.

    Verify on blog.google
    Data Privacy Framework (EU-US, Swiss-US)
    HELD

    Fitbit LLC complies with the EU-U.S. and Swiss-U.S. Data Privacy Frameworks (DPF) and the UK Extension to the EU-U.S. DPF as set forth by the US Department of Commerce.

    Verify on support.google.com
    PSTI (UK Product Security and Telecommunications Infrastructure)
    HELD

    the Products are in conformance with the applicable security requirements in Schedule 1 of The Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023.

    Verify on support.google.com
    AU Cyber Security Rules
    HELD

    Google declares that Fitbit Air has been manufactured in compliance with the Cyber Security (Security Standards for Smart Devices) Rules 2025.

    Verify on support.google.com
    > Show 4 unconfirmed / not-held certifications
    SOC 2 Type 2
    NOT CONFIRMED

    No public evidence of SOC 2 certification for Fitbit consumer app or Google Health. Google Cloud and Google Workspace hold SOC 2, but these do not apply to consumer Fitbit.

    source: support.google.com
    ISO 27001
    NOT CONFIRMED

    No ISO 27001 mentioned in Fitbit privacy policy or security documentation for consumer app. Google Cloud and Google Workspace hold ISO 27001, but these do not apply to consumer Fitbit.

    source: support.google.com
    ISO 27017 (Cloud Security)
    NOT CONFIRMED

    Not applicable to consumer Fitbit; applies only to Google Cloud services.

    source: support.google.com
    GDPR Compliance
    NOT CONFIRMED

    While Fitbit claims GDPR compliance, three GDPR complaints were filed by noyb (Max Schrems' organization) in August 2023 in Austria, Netherlands, and Italy alleging illegal data transfers to the US without adequate legal mechanism and forced consent without meaningful withdrawal option.

    source: noyb.eu

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Not offered

    Data region

    United States and other countries (no specific data center locations disclosed)

    Fitbit does NOT automatically use customer health data for AI model training. Users must explicitly opt in to participate in research and development programs where their data can be used to train Google's generative models. Conversation data from Google Health Coach may undergo human review if user provides feedback.

    // Security controls

    Encryption in Transit

    Transport Layer Security (TLS) encryption used for data transmission between devices and servers

    support.google.com

    Payment Data Security

    Card details encrypted and tokenized; tokens sent back to device instead of storing raw payment information

    support.google.com

    Security Controls

    Combination of technical, administrative, and physical controls to maintain data security

    support.google.com

    Multi-Factor Authentication

    Two-factor authentication available for account security

    support.google.com

    Security Updates

    Fitbit devices receive security updates for at least 2 years after the applicable device is last sold

    support.google.com

    Account Monitoring

    Users can view which devices are logged into accounts and revoke access to unrecognized devices

    support.google.com

    // Products & data scope

    Fitbit Fitness Trackers (Consumer Wearables)Health & Wellness / Wearables

    data: Steps, heart rate, sleep data, location, food/weight logs, female health tracking. NOT HIPAA compliant.

    Personal health data not used for Google Ads. Data transfers to US and other countries. Opt-in for research use only.

    Fitbit Wellness (Enterprise)Corporate Wellness / Health Platform

    data: Same as consumer Fitbit, but with HIPAA-compliant controls and BAA support

    Only variant with HIPAA BAA. Designed for corporate wellness programs, health plans, and self-insured employers. Covers basic fitness metrics only in HIPAA mode.

    Google Health (formerly Fitbit App)Health & Wellness / Mobile App

    data: Consolidated health tracking app integrating Fitbit data with Google Health features

    Replaces standalone Fitbit app. Not HIPAA compliant. Supports opt-in research participation.

    // What to watch

    • CRITICAL: Three GDPR complaints filed August 2023 by noyb alleging illegal data transfers to US and forced consent. Potential fines up to €11.28 billion if found guilty.
    • CRITICAL: Consumer Fitbit is NOT HIPAA compliant. Only enterprise Fitbit Wellness platform offers HIPAA/BAA. Over-claim risk if marketing suggests consumer app is HIPAA-compliant.
    • HIGH: No SOC 2 or ISO 27001 certifications for consumer Fitbit app, despite being owned by Google which holds these for Cloud/Workspace.
    • MODERATE: Limited GDPR consent withdrawal - users must delete entire accounts to opt out of data transfers, losing all health data. GDPR requires withdrawal without account deletion.
    • MODERATE: Data transfers to US lack clear legal mechanism post-Schrems II ruling. Reliance on Data Privacy Framework is disputed by privacy advocates.
    • MODERATE: 2021 data leak by third-party GetHealth exposed 61M fitness records including Fitbit data (unsecured database with names, birthdates, weight, health data).
    • LOW: Account takeover risk if 2FA not enabled; security updates only guaranteed for 2 years.

    // At a glance

    Pricing model

    Freemium (free consumer app; premium features; enterprise wellness contracts)

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Google (Fitbit)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-06. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    support.google.com

    > Browse all vendor trust reports