// Trust & Security Report

    Whoop, Inc. logo

    Whoop, Inc.

    Health and Fitness Wearable + AI Coaching (WHOOP Coach, WHOOP Advanced Labs, Corporate Wellness)

    Certifications held

    4

    Maturity

    Growth

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    No mention of SOC 2 found in WHOOP's privacy policy, security page, or any public documentation reviewed, and an independent UpGuard external assessment lists no SOC 2 attestation. Absence of a public claim does not by itself prove WHOOP lacks an attestation; enterprise buyers should request the report directly.

    Verify on whoop.com
    ISO 27001
    HELD

    No mention of ISO 27001 found in WHOOP's privacy policy, security page, or any public documentation reviewed, and an independent UpGuard external assessment lists no ISO 27001 certification. Absence of a public claim does not by itself prove WHOOP lacks one.

    Verify on whoop.com
    GDPR (Regulatory Compliance Claimed)
    HELD

    We continually evaluate our privacy practices to align them with applicable privacy laws including the California Consumer Privacy Act ('CCPA') and the General Data Protection Regulation ('GDPR').

    Verify on whoop.com
    CCPA (Regulatory Compliance Claimed)
    HELD

    We continually evaluate our privacy practices to align them with applicable privacy laws including the California Consumer Privacy Act ('CCPA') and the General Data Protection Regulation ('GDPR').

    Verify on whoop.com
    > Show 1 unconfirmed / not-held certifications
    HIPAA
    NOT CONFIRMED

    WHOOP is not a covered entity or business associate under HIPAA and is not subject to HIPAA privacy or security rules. Consumer wearable devices fall outside HIPAA coverage. WHOOP instead relies on CCPA, state Consumer Health Data laws, and its own privacy principles.

    source: athletechnews.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Not stated

    Data region

    United States. The full privacy policy states: 'To provide the Services, we will process your Personal Data in the United States, where WHOOP is based.' No EU or regional data residency option is mentioned in public documentation.

    WHOOP Coach is powered by OpenAI. Per the full privacy policy: 'We have ensured that our LLM partner has a Zero-Retention/Zero Training Policy with respect to your WHOOP metrics.' WHOOP shares only de-identified WHOOP metrics with OpenAI. Conversations with WHOOP Coach are retained by WHOOP (not stored by third parties) for service continuity. Separately, WHOOP uses aggregated and de-identified wellness data (no longer personally identifiable) for internal human performance research. Individual identifiable data is never used for AI model training.

    // Security controls

    Bug Bounty Program

    Active HackerOne program (public). Average bounty $3,000. Response SLA: 5 business days first response, 10 business days triage. 90-day vulnerability disclosure deadline (compressed to 7 days for actively exploited 0-days). Reporters protected from legal action for good-faith submissions.

    hackerone.com

    Vulnerability Disclosure Policy

    90-day coordinated disclosure policy. WHOOP states: 'WHOOP will not engage in legal action against individuals who in good faith submit vulnerability reports through the methods listed above.'

    whoop.com

    SSL/TLS

    SHA-256 encryption enforced. All HTTP requests redirect to HTTPS. HSTS enabled. Valid, trusted certificate authority. Strong Diffie-Hellman key exchange.

    upguard.com

    Email Security

    SPF and DMARC authentication implemented.

    upguard.com

    External Security Rating

    UpGuard: Grade A / 805 out of 950 (as of June 2026). UpGuard noted: potential Next.js vulnerabilities, infostealer malware detected on associated systems, CSP misconfiguration (unsafe-eval), X-Frame-Options not properly configured, missing DNSSEC/CAA.

    upguard.com

    Data Access Controls and Logging

    WHOOP employees are prohibited from accessing member data without a legitimate business need. Access logs are maintained and actively monitored for anomalies. Quote: 'We maintain a log that tells us who has accessed member personal data and when. We actively evaluate data access logs and investigate any anomalies for data access.'

    whoop.com

    Penetration Testing

    Not publicly disclosed.

    Data Sales Policy

    Explicit commitment: 'We never sell our members' personal data. This is our promise.' Consumer health data is explicitly excluded from any third-party advertising use.

    whoop.com

    // Products & data scope

    WHOOP OneConsumer Health Wearable (Membership Tier)

    data: Heart rate, HRV, sleep duration, respiratory rate, skin temperature, blood oxygen saturation, activity type and duration. 24/7 biometric monitoring via WHOOP 5.0 device.

    Entry tier at approximately $199/yr. Personal consumer use. No B2B/enterprise compliance scope.

    WHOOP PeakConsumer Health Wearable (Membership Tier)

    data: All WHOOP One data plus Healthspan and pace of aging metrics, Health Monitor with health alerts, real-time stress monitoring.

    Mid tier, region-dependent pricing (approximately $239/yr in the US, EUR 264/yr in the EU). WHOOP 5.0 device.

    WHOOP LifeConsumer Health and Medical-Grade Wearable (Membership Tier)

    data: All Peak data plus blood pressure insights (beta), ECG readings, irregular heart rhythm notifications. Uses WHOOP MG device.

    Top tier, region-dependent pricing (approximately $359/yr in the US, EUR 399/yr in the EU). Some features (ECG, IHRN) are medically regulated and region-restricted. The FDA issued a July 2025 warning letter over Blood Pressure Insights marketing; WHOOP modified the feature and the FDA closed the warning letter in 2026 with no enforcement action. 'Medical-grade' advertising claims remain the subject of consumer litigation (Rowe v. Whoop).

    WHOOP Unite (Corporate Wellness / Enterprise)Enterprise B2B Health Wellness

    data: Employers receive an administrative dashboard with aggregated and de-identified organizational analytics only, on an opt-in basis. Individual member data is not accessible at the administrator level without that member's consent.

    WHOOP Unite is WHOOP's dedicated enterprise division (distinct from the in-app 'WHOOP Teams' social/sharing feature). Adopted by 200+ organizations including the UK NHS, US Forest Service, and Hitachi Vantara, which indicates meaningful enterprise procurement vetting. No SOC 2 or DPA is confirmed in public documentation, however. Procurement teams should still request a DPA and a completed security questionnaire before deployment.

    WHOOP Advanced LabsConsumer Health Lab Testing

    data: Biomarkers, lab samples, lab results, clinical notes. Classified as Consumer Health Data under applicable US state laws.

    US-only service. Requires active WHOOP membership. Age 18+, not available in AZ, HI, WY, ND, SD. Partners with independently licensed third-party labs.

    WHOOP CoachAI-Powered Health Coaching

    data: De-identified WHOOP biometric metrics shared with OpenAI LLM. Conversation history retained by WHOOP (not by OpenAI).

    Powered by OpenAI under a Zero-Retention/Zero Training Policy. OpenAI does not use WHOOP member data to train models. Conversation text is retained by WHOOP for service continuity.

    // What to watch

    • LITIGATION RISK: Lomeli v. Whoop, Inc. (filed August 2025, N.D. Cal.) alleges WHOOP embedded Segment (Twilio) tracker in its mobile app and transmitted sensitive health data including heart rate, blood oxygen, and sleep data to third parties without user consent or knowledge.
    • LITIGATION RISK: Rowe v. Whoop (filed November 2025, N.D. Cal.) alleges false advertising of blood pressure features as 'medical-grade' following the July 2025 FDA warning letter. Context for balance: the FDA closed that warning letter in 2026 after WHOOP modified the feature, electing not to enforce device requirements; the civil suit remains pending.
    • LITIGATION RISK: Sanderson v. Whoop (class certified March 2025) alleges violation of California Automatic Renewal Law.
    • CERTIFICATION GAP: No SOC2, ISO27001, or equivalent enterprise security certification publicly claimed or evidenced. For a company handling intimate biometric health data at scale, this gap is notable and should be verified directly with WHOOP before enterprise procurement.
    • DPA: Data Processing Agreement availability for enterprise/corporate wellness customers not confirmed in public documentation.
    • LLM SUPPLY CHAIN: WHOOP Coach LLM partner is OpenAI (confirmed). Zero-Retention/Zero Training Policy contractually in place per WHOOP's public policy. Absence of direct audit evidence is a residual risk.
    • DATA REGION: All data processed in the United States. No EU/EEA data residency. EU organizations must assess cross-border transfer lawfulness under GDPR (Standard Contractual Clauses or equivalent).
    • EXTERNAL RISK: UpGuard's automated external scan (June 2026) flags a possible infostealer-malware/credential exposure associated with the WHOOP domain, plus CSP (unsafe-eval), missing DNSSEC, and potential Next.js issues. These are automated external signals, not a confirmed breach of WHOOP systems; UpGuard itself labels the malware finding only a 'potential data breach.' WHOOP's overall UpGuard grade is A (805/950).
    • HIPAA NOT APPLICABLE: WHOOP is not a HIPAA-covered entity. Healthcare employers using WHOOP in wellness programs should note that HIPAA protections do not extend to this vendor relationship.

    // At a glance

    Pricing model

    Annual membership subscription; consumer tiers are region-dependent (approximately $199-$359/yr in the US, EUR 199-399/yr in the EU). WHOOP Unite corporate pricing is not publicly listed.

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Whoop, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    privacy.whoop.com

    > Browse all vendor trust reports