// Trust & Security Report
Whoop, Inc.
Health and Fitness Wearable + AI Coaching (WHOOP Coach, WHOOP Advanced Labs, Corporate Wellness)
Certifications held
4
Maturity
Growth
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on whoop.com“No mention of SOC 2 found in WHOOP's privacy policy, security page, or any public documentation reviewed, and an independent UpGuard external assessment lists no SOC 2 attestation. Absence of a public claim does not by itself prove WHOOP lacks an attestation; enterprise buyers should request the report directly.”
Verify on whoop.com“No mention of ISO 27001 found in WHOOP's privacy policy, security page, or any public documentation reviewed, and an independent UpGuard external assessment lists no ISO 27001 certification. Absence of a public claim does not by itself prove WHOOP lacks one.”
Verify on whoop.com“We continually evaluate our privacy practices to align them with applicable privacy laws including the California Consumer Privacy Act ('CCPA') and the General Data Protection Regulation ('GDPR').”
Verify on whoop.com“We continually evaluate our privacy practices to align them with applicable privacy laws including the California Consumer Privacy Act ('CCPA') and the General Data Protection Regulation ('GDPR').”
> Show 1 unconfirmed / not-held certifications
source: athletechnews.comWHOOP is not a covered entity or business associate under HIPAA and is not subject to HIPAA privacy or security rules. Consumer wearable devices fall outside HIPAA coverage. WHOOP instead relies on CCPA, state Consumer Health Data laws, and its own privacy principles.
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Not stated
Data region
United States. The full privacy policy states: 'To provide the Services, we will process your Personal Data in the United States, where WHOOP is based.' No EU or regional data residency option is mentioned in public documentation.
WHOOP Coach is powered by OpenAI. Per the full privacy policy: 'We have ensured that our LLM partner has a Zero-Retention/Zero Training Policy with respect to your WHOOP metrics.' WHOOP shares only de-identified WHOOP metrics with OpenAI. Conversations with WHOOP Coach are retained by WHOOP (not stored by third parties) for service continuity. Separately, WHOOP uses aggregated and de-identified wellness data (no longer personally identifiable) for internal human performance research. Individual identifiable data is never used for AI model training.
// Security controls
Bug Bounty Program
Active HackerOne program (public). Average bounty $3,000. Response SLA: 5 business days first response, 10 business days triage. 90-day vulnerability disclosure deadline (compressed to 7 days for actively exploited 0-days). Reporters protected from legal action for good-faith submissions.
hackerone.comVulnerability Disclosure Policy
90-day coordinated disclosure policy. WHOOP states: 'WHOOP will not engage in legal action against individuals who in good faith submit vulnerability reports through the methods listed above.'
whoop.comSSL/TLS
SHA-256 encryption enforced. All HTTP requests redirect to HTTPS. HSTS enabled. Valid, trusted certificate authority. Strong Diffie-Hellman key exchange.
upguard.comExternal Security Rating
UpGuard: Grade A / 805 out of 950 (as of June 2026). UpGuard noted: potential Next.js vulnerabilities, infostealer malware detected on associated systems, CSP misconfiguration (unsafe-eval), X-Frame-Options not properly configured, missing DNSSEC/CAA.
upguard.comData Access Controls and Logging
WHOOP employees are prohibited from accessing member data without a legitimate business need. Access logs are maintained and actively monitored for anomalies. Quote: 'We maintain a log that tells us who has accessed member personal data and when. We actively evaluate data access logs and investigate any anomalies for data access.'
whoop.comPenetration Testing
Not publicly disclosed.
Data Sales Policy
Explicit commitment: 'We never sell our members' personal data. This is our promise.' Consumer health data is explicitly excluded from any third-party advertising use.
whoop.com// Products & data scope
data: Heart rate, HRV, sleep duration, respiratory rate, skin temperature, blood oxygen saturation, activity type and duration. 24/7 biometric monitoring via WHOOP 5.0 device.
Entry tier at approximately $199/yr. Personal consumer use. No B2B/enterprise compliance scope.
data: All WHOOP One data plus Healthspan and pace of aging metrics, Health Monitor with health alerts, real-time stress monitoring.
Mid tier, region-dependent pricing (approximately $239/yr in the US, EUR 264/yr in the EU). WHOOP 5.0 device.
data: All Peak data plus blood pressure insights (beta), ECG readings, irregular heart rhythm notifications. Uses WHOOP MG device.
Top tier, region-dependent pricing (approximately $359/yr in the US, EUR 399/yr in the EU). Some features (ECG, IHRN) are medically regulated and region-restricted. The FDA issued a July 2025 warning letter over Blood Pressure Insights marketing; WHOOP modified the feature and the FDA closed the warning letter in 2026 with no enforcement action. 'Medical-grade' advertising claims remain the subject of consumer litigation (Rowe v. Whoop).
data: Employers receive an administrative dashboard with aggregated and de-identified organizational analytics only, on an opt-in basis. Individual member data is not accessible at the administrator level without that member's consent.
WHOOP Unite is WHOOP's dedicated enterprise division (distinct from the in-app 'WHOOP Teams' social/sharing feature). Adopted by 200+ organizations including the UK NHS, US Forest Service, and Hitachi Vantara, which indicates meaningful enterprise procurement vetting. No SOC 2 or DPA is confirmed in public documentation, however. Procurement teams should still request a DPA and a completed security questionnaire before deployment.
data: Biomarkers, lab samples, lab results, clinical notes. Classified as Consumer Health Data under applicable US state laws.
US-only service. Requires active WHOOP membership. Age 18+, not available in AZ, HI, WY, ND, SD. Partners with independently licensed third-party labs.
data: De-identified WHOOP biometric metrics shared with OpenAI LLM. Conversation history retained by WHOOP (not by OpenAI).
Powered by OpenAI under a Zero-Retention/Zero Training Policy. OpenAI does not use WHOOP member data to train models. Conversation text is retained by WHOOP for service continuity.
// What to watch
- LITIGATION RISK: Lomeli v. Whoop, Inc. (filed August 2025, N.D. Cal.) alleges WHOOP embedded Segment (Twilio) tracker in its mobile app and transmitted sensitive health data including heart rate, blood oxygen, and sleep data to third parties without user consent or knowledge.
- LITIGATION RISK: Rowe v. Whoop (filed November 2025, N.D. Cal.) alleges false advertising of blood pressure features as 'medical-grade' following the July 2025 FDA warning letter. Context for balance: the FDA closed that warning letter in 2026 after WHOOP modified the feature, electing not to enforce device requirements; the civil suit remains pending.
- LITIGATION RISK: Sanderson v. Whoop (class certified March 2025) alleges violation of California Automatic Renewal Law.
- CERTIFICATION GAP: No SOC2, ISO27001, or equivalent enterprise security certification publicly claimed or evidenced. For a company handling intimate biometric health data at scale, this gap is notable and should be verified directly with WHOOP before enterprise procurement.
- DPA: Data Processing Agreement availability for enterprise/corporate wellness customers not confirmed in public documentation.
- LLM SUPPLY CHAIN: WHOOP Coach LLM partner is OpenAI (confirmed). Zero-Retention/Zero Training Policy contractually in place per WHOOP's public policy. Absence of direct audit evidence is a residual risk.
- DATA REGION: All data processed in the United States. No EU/EEA data residency. EU organizations must assess cross-border transfer lawfulness under GDPR (Standard Contractual Clauses or equivalent).
- EXTERNAL RISK: UpGuard's automated external scan (June 2026) flags a possible infostealer-malware/credential exposure associated with the WHOOP domain, plus CSP (unsafe-eval), missing DNSSEC, and potential Next.js issues. These are automated external signals, not a confirmed breach of WHOOP systems; UpGuard itself labels the malware finding only a 'potential data breach.' WHOOP's overall UpGuard grade is A (805/950).
- HIPAA NOT APPLICABLE: WHOOP is not a HIPAA-covered entity. Healthcare employers using WHOOP in wellness programs should note that HIPAA protections do not extend to this vendor relationship.
// At a glance
Pricing model
Annual membership subscription; consumer tiers are region-dependent (approximately $199-$359/yr in the US, EUR 199-399/yr in the EU). WHOOP Unite corporate pricing is not publicly listed.
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Whoop, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
privacy.whoop.com