New to Weave? Follow this Onboarding Checklist for Admins to get started with Weave.

Before beginning the checklist, make sure you complete the following steps:

Technical Preparation

Weave Plus Onboarding Checklist

1. Weave Launch

• Download the Weave Desktop App
  You will need the Desktop App downloaded on all computer stations that will be using Weave. 
• Complete Part 1 of the Weave Plus for Admins Weave Academy Certification
• Download the Weave Mobile App
  Take Weave on the go with our Mobile App.
• Review your implementation plan.
• Provide current phone bill and numbers for porting

2. Software Setup

• Add Users to your account
  Each person in your office who will be using Weave needs their own unique username and password to log in. 
• Set up Auto Reminders
  Customize and enable your Auto Reminders. The availability of certain Auto Reminders depends on your Practice Management Software.
• Implement Network changes found in the Network Audit Email to ensure excellent call quality
• Complete Part 2 of the Weave Plus for Admins Weave Academy Certification
• Sync your Practice Management Software Data
  Your Onboarding Manager will help you get your Practice Management Software synced to Weave.
  • • Once connected, you will need to verify your data source to get your data syncing.
• Set up Payments Account
  To use Text to Pay or any of our Payments features, you will first need to set up your Payments Account with Stripe.
• Set up Weave Reviews (Premium Feature)
  To start collecting Reviews with Weave, you will need to connect your Google and/or Facebook Business accounts to Weave.

3. Phone Setup

Phone customizations are only applicable for customers who purchased the Weave phones.

• Set Office Hours
  The Office Hours setting controls when your phones will ring and when specific Voicemail Greetings will be played.
• Set Up Voicemail
• Select your Hold Music
• Have your staff complete Part 1 the Weave Plus Essentials for Team Members Weave Academy Certification
• Call Recording
  If desired, you can choose to turn on call recording to record your calls on your Weave phones. Be sure to check the call recording laws in the state your business is located.
  
• Set up Missed Call Text (Premium Feature)
  Customize your Missed Call Text messages and toggle them on to prepare for going live.
• Request Additional Phone Customizations
  Your Onboarding Manager will help you customize your phone system to your preferences. For ideas, visit our Phone Customizations article.

4. Number Porting

• Complete Add-On Certifications on Weave Academy if you've purchased add ons
• Complete Part 3 of the Weave Plus for Admins Weave Academy Certification
• Have your staff complete the Weave Plus Essentials for Team Members Weave Academy Certification

5. Ongoing Support and Training

• Bookmark WeaveHelp to search for answers to ongoing product questions
• Attend monthly live WeaveLab Webinars for product updates
  You'll see the invitations come across your email.
• Contact support to resolve any technical issues
• Contact your CSM team at customersuccess@getweave.com for any account-related questions, best practices, or product add-ons

Additional Product Setup

Download the checklist

New to Weave? Follow this Onboarding Checklist for Admins to get started with Weave.

Before beginning the checklist, make sure you complete the following steps:

Technical Preparation

Weave Core Onboarding Checklist

1. Weave Launch

• Download the Weave Desktop App
  You will need the Desktop App downloaded on all computer stations that will be using Weave.
• Complete Part 1 of the Weave Core for Admins Weave Academy Certification
• Review your implementation plan
• Provide your current phone bill and numbers for porting
• Download the Weave Mobile App

2. Software Setup

• Add Users to your account
  Each person in your office who will be using Weave needs their own username and password to log in. 
• Upload or add contacts to Weave
  You can add your customer base to Weave through a mass upload (CSV file) or by creating manual contacts through Weave.
  
  • • Mass Upload (CSV) Instructions
    • CSV Upload Troubleshooting
    • Manual Contact Instructions
• Implement Network changes found in the Network Audit Email to ensure excellent call quality
• Complete Part 2 of the Weave Core for Admins Weave Academy Certification
• Set up Payments Account
  To use Text to Pay or any of our Payments features, you will first need to set up your Payments Account with Stripe.
• Set up Weave Reviews (Premium Feature)
  To use Weave Reviews, you will need to connect your Google and/or Facebook Business accounts to Weave.

3. Phone Setup

• Set Office Hours
  The Office Hours setting controls when your phones will ring and when specific Voicemail Greetings will be played.
• Record your Voicemail Greetings
• Select your Hold Music
• Have your staff complete Part 1 the WeaveCore Essentials for Team Members Weave Academy Certification
• Call Recording
  If desired, you can choose to turn on call recording to record your calls on your Weave phones. Be sure to check the call recording laws in the state your business is located.
  
• Set up Missed Call Text (Premium Feature)
  Customize your Missed Call Text messages and toggle them on to prepare for going live.
• Request Additional Phone Customizations
  Your Onboarding Manager will help you customize your phone system to your preferences. For ideas, visit our Phone Customizations article.

4. Number Porting

• Complete Add-On Certifications on Weave Academy if you've purchased add ons
• Complete Part 3 of the Weave Core for Admins Weave Academy Certification
• Have your staff complete the Weave Core Essentials for Team Members Weave Academy Certification

5. Ongoing Support and Training

• Bookmark WeaveHelp to search for answers to ongoing product questions
• Attend monthly live WeaveLab Webinars for product updates
  You'll see the invitations come across your email.
• Contact support to resolve any technical issues
• Contact your CSM team at customersuccess@getweave.com for any account-related questions, best practices, or product add-ons

Additional Product Setup

Download the checklist

For some actions in the Weave app, you'll have to have a specific role. See what role you currently have:

1. Open the Weave Portal
2. Select Account from the left menu
3. Click Users from the dropdown
4. Find yourself in the Users list

From here, you can see your role to the right of your name. If you have the Admin role, you can also edit and add users. If you do not, ask the admin in your office to make changes.

Quickly login to your Weave account to see a history of your charges and payments.

1. Login to the Weave Admin Portal
2. Select Account in the left side bar
3. Click Billing

Below your payment information, you’ll see a list of invoices. They are categorized by date but also include an invoice name to reference with Weave support if needed.

Paid status means paid in full. Any partial payments will still appear as unpaid on the invoice history.

Select the Dropdown Arrow next to an invoice to see a quick breakdown of the charges. Select the Preview icon for a more detailed report.

Export Your Invoice as a PDF

1. Login to the Weave Admin Portal
2. Select Account in the left side bar
3. Click Billing
4. Select the Preview icon next to the invoice you would like to export
5. In the top right corner, select the PDF icon
6. Use your computer’s system to either print the invoice or save it to your computer as a PDF

Change or update the billing information for your Weave subscription with ease through the Weave portal.

Add a Payment Method:

1. Login to the Weave Portal

2. Select Account in the left side bar

3. Click Billing

4. Select the+ Plus icon on the right side

5. Update your payment information by filling out fields:

• Payment Type

• Card/Account Holder

• Card/Account Number

• CVV

• Zip

• Expiration Date

6. Select Submit

Choose Your Primary Card

1. Click the down arrow next to the payment info

2. Toggle on Make Primary Payment Method

Note: If another card is designated as the primary payment method, its toggle will automatically change.

Delete a Payment Method:

1. Click the down arrow next to the payment info

2. Select Delete Payment Method

Note: In order to delete a payment method on file, you must have another payment method marked as primary.

All staff members in your office who will be using Weave must have their own login with their own user email and password. This is a HIPAA requirement for security purposes. This article explains how to add, edit, or delete a Weave user.

You can add and manage users in your Weave Portal. Select the appropriate tab below for instructions to add, edit, or delete a user.

Ensure the security of your Weave accounts by adjusting login settings to fit your office’s needs.

1. Go to the Weave Portal 
2. Select Account in the menu on the left side 
3. Click Password Policy from the dropdown
4. Select Edit in the top right corner
5. Choose from the list of requirements by selecting the box next to the setting
6. Select Save
7. Select I Agree in the pop-up window to verify your changes

You can change settings involving complexity requirements, password age, and the lock-out process.

Complexity Requirements are evaluated when a password is changed. Password Age and Lock Out rules are evaluated every time a user logs in.

These settings would be applied right away (with no change from user necessary). The exception is the "Enforce password history for 4 passwords" rule. This is part of the Password Age settings, but is only evaluated when a password is changed.

Steps to verify your data source to get your data syncing to Weave.

Verify Your Data Source

Once Weave connects with your Practice Management Software, you will need to verify your data source in order for the data to start syncing. This keeps your data safe and secure in the data syncing process.

To verify your data source,

1. Go to your Weave Portal
2. Select Data Sources from the left side menu
3. Click on the settings icon next to the data source you wish to verify
4. Select Verify from the dropdown menu
5. Answer the verification question

   Note: You will need to reference your Practice Management Software and/or scheduling system to properly answer the question. 

6. Select Verify Data

If you answered the verification question correctly, the status will change to Verified and your data will be syncing with Weave.

If you answered the verification question incorrectly, it will lock the data source. You will need to contact our Support team to have it unlocked before trying again.

Verification Statuses

• Not Verified:  This means that the data has not yet been verified by your office.
• Locked: This means that the data verification failed. Contact our Support team to have it unlocked before trying again.
• Verified: This means that you successfully verified the data source and your data is properly syncing with Weave.

Several laws in the US and Canada regulate communications between businesses and their customers. These laws include, but are not limited to, the TCPA, CAN-SPAM, and CASL. Additionally, the US wireless communications industry has published principles and best practices regarding text communications. The underlying goal of these regulations and best practices is to protect consumers against unwanted communications. Weave is your partner in understanding these requirements and ensuring that your messages are delivered to your customers with minimal disruption.

The following information regarding these laws is not legal advice and is provided for information purposes only. You are encouraged to seek competent legal counsel for specific guidance related to compliance with these laws.

TCPA

The US Telephone Consumer Protection Act (TCPA) regulates telemarketing calls, auto-dialed calls and text messages, artificial or pre-recorded calls, and unsolicited faxes. The TCPA requires prior express consent to send text messages to customers. While there are some exemptions to TCPA requirements for certain healthcare-related communications under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), TCPA requirements still apply to marketing communications and any other non-healthcare-related communications. For example, text messages which contain marketing or advertising content require you to obtain prior express written consent from your customers.  

You can learn more about the TCPA from the Federal Communications Commission’s (FCC) FCC website . 

TCPA exemptions for healthcare providers

The TCPA provides exemptions specifically for healthcare-related calls and text messages which apply to HIPAA-covered entities, created by the FCC in its Declaratory Ruling and Order on July 10, 2015 . Under one exemption, calls or texts made by or on behalf of a covered entity or its business associate and which have a healthcare treatment purpose do not require the prior express written consent of the receiving party. Such calls or messages include:

• Appointment and exam confirmations and reminders
• Wellness check-ups
• Hospital pre-registration instructions
• Pre-operative instructions
• Lab results
• Post-discharge follow- up intended to prevent re-admission; prescription notifications
• Home health care instructions

The following additional conditions for each exempted voice call or text message, made by or on behalf of a healthcare provider, must be met:

• Call or text message must be sent only to the mobile number provided by the patient.
• Name and contact information of the healthcare provider must be stated at the beginning of each call or included in each text message.
• Limit calls and text messages to one per day and no more than three calls or text messages per week.
• Calls and texts messages must comply with the HIPAA Privacy Rule.

Despite these exemptions, you should always discuss with your customers what information may be communicated via text, especially sensitive information. It is important to note that texts related to accounting, billing, debt collection or containing other financial content or texts that include advertising content are not part of this exemption. Additional detail can be found in the FCC’s July 2015 Declaratory Ruling and Order. 

CAN-SPAM

The Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM) establishes requirements for commercial emails and gives recipients the right to have you stop emailing them. CAN-SPAM applies to all commercial email messages, which the law defines as “any electronic mail message the primary purpose of which is the commercial advertisement or promotion of a commercial product or service.” CAN-SPAM’s primary requirements include:

• Email header and routing information must be accurate and identify the person or business who initiated the message.
• The subject line should not be deceptive and must accurately reflect the content of the message.
• Message must be identified as an ad.
• Messages must include your valid physical postal address.
• Messages must include a way to opt-out of receiving further messages.
• Honoring a recipient’s opt-out request within 10 business days.

You can learn more about CAN-SPAM from the Federal Trade Commission (FTC) website and the FTC’s compliance guidelines . 

CASL

Canada’s anti-spam legislation (CASL) regulates commercial electronic messages (CEM) that are sent to or by Canadians. A CEM is any electronic message (including a text or email) that encourages participation in a commercial activity. For example, a CEM would include a text or an email that offers to provide a service or a product (including a text or email that contains a coupon or describes a promotion). CASL does not apply to a pure service message (such as a simple reminder of an existing appointment), unless the message also encourages participation in a commercial activity (such as a reminder of an existing appointment which also promotes a sale on other services). 

Key requirements of CASL include:

• Before sending a CEM, the sender must have an express consent or an implied consent from the recipient, or fall within one of the exemptions specified in CASL. You can learn more about the requirements for express and implied consent and exemptions here . 
• Unless the sender has a complete exemption from CASL, the CEM must include (1) the name by which the sender carries on business, if different from its name, and if not, its actual name, (2) the sender’s mailing address and either a phone number or an email address or web address, valid for 60 days, and (3) an unsubscribe mechanism that allows the recipient to opt-out of receiving all future CEMs.
• The unsubscribe mechanism must be available to the recipient without cost, be easy to use, and must use the same electronic means as the CEM. The sender must process an unsubscribe request without delay, and in any event within 10 business days.
• CASL regulators expect senders to have a CASL corporate compliance program and CASL training materials. CASL also imposes certain record keeping requirements relating to express consents, implied consents, opt-outs, and CEMs. Weave does not maintain those records for you. For information on these requirements, see the links provided below or speak with your lawyer.

You can learn more about CASL from the Canadian government’s overview and frequently asked questions .

CTIA Messaging Principles and Best Practices

The CTIA , an organization representing the US wireless communications industry and companies throughout the mobile ecosystem, has developed and published Messaging Principles and Best Practices (Principles and Best Practices). The Principles and Best Practices reflect the wireless industry’s efforts to preserve the trust in the messaging services provided by the mobile network operators (MNOs), such as Verizon, AT&T, and T-Mobile. The Principles and Best Practices also support a wireless messaging community where message senders and consumers can exchange wanted messages and while still protecting consumers from unwanted messages, in conformity with applicable laws and regulations, such as TCPA and CAN-SPAM.

The Principles and Best Practices include parameters for facilitating business text messages, also known as “non-consumer” or “Application-to-Person” (A2P) messages, such as those sent by Weave subscribers through the Weave service. Regardless of regulation, the CTIA recommends that all A2P message senders should take the following actions to maintain consumer confidence in messaging services:

• Obtain a consumer’s consent to receive messages generally.
• Obtain a consumer’s express written consent to specifically receive marketing messages.
• Ensure that consumers have the ability to revoke consent.

Consent may vary upon the type of message content exchanged with a consumer. The Principles and Best Practices provides examples of the types of messaging content and the associated consent that should be expected for A2P messages.

10DLC Brand and Campaign Registration

In addition to the CTIA Principles and Best Practices, the mobile network ecosystem has been working to find ways to better support businesses sending A2P messages to consumers and reduce the number of spam text messages that consumers receive. In 2021 the MNOs began implementing standards to register and validate businesses that send A2P messages using 10-digit long codes (10DLC) (a 10-digit telephone number designed for A2P messaging). This is referred to as “brand” and “campaign” registration and validation. Providing visibility into the source and content of A2P messages allows the MNOs to provide more reliable and trustworthy messaging services. Businesses that send A2P messages via 10DLCs are required to register their brand and messaging campaigns through their service providers, like Weave, to take advantage of increased messaging deliverability and throughput, and avoid potential fees or disruption to texting services. Businesses that are registered and verified with the MNOs are less likely to be flagged for sending spam messages. You can find more information about these requirements here .

Your Responsibility to Use Weave in Compliance with the TCPA, CAN-SPAM, CASL, and other best practices

Weave text and email features have been designed with features to support you in complying with the TCPA, CAN-SPAM and CASL and enable you to make the most of your communications with customers. However, primary responsibility for compliance with TCPA, CAN-SPAM, CASL, and other best practices rests with you. You are responsible for the communications that you cause to be sent through the Weave service and for ensuring that those communications comply with all applicable laws. This includes, but is not limited to:

• Obtaining, documenting, and tracking customer consent.
• The content and frequency of communications.
• Promptly honoring opt-out and withdrawal of consent requests.

More details on your responsibility for compliance with laws and regulations can be found in Weave’s Terms of Service .

Weave has implemented the following features which support you in complying with the TCPA, CAN-SPAM, CASL, and the CTIA Principles and Best Practices:

Text messaging

• All automated texts have opt-out instructions appended to the end of the message. Additionally, regardless of the type of text message, the standard "STOP" reply will automatically unsubscribe customers from further text message communications. You can learn more about how customers can opt out of texts here . 
• Our default text message templates include the name of the subscriber (e.g., "Hello {first name}, this is {subscriber name}"). These templates can be modified by you to include additional information, including contact information, message frequency, and applicable terms and conditions.
• Weave is your partner in registering and validating your 10DLC messaging brand and associated messaging campaigns with the MNOs and their partners. The majority of our existing subscribers’ brands and campaigns are already registered and validated. New subscribers are registered and validated during the onboarding process. 

Email marketing

• Weave’s email marketing tool includes the following information as standard at the bottom of every email campaign:
• Unsubscribe instructions and automatic opt-out when requests are received
• Business and contact information, including postal address
• Required email subject and “From” email address for every email campaign.

Keep in mind, we aren’t your lawyers, so we cannot give you legal advice. Compliance with the TCPA, CAN-SPAM, CASL and other applicable laws, regulations or best practices will depend on your particular use case and context. This information should not be relied upon as legal advice or to determine how legal requirements apply to your use of the Weave service. We encourage you to seek guidance from your legal counsel regarding the requirements of TCPA, CAN-SPAM, and CASL and other relevant laws and regulations to ensure compliance.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that seeks to improve the efficiency and effectiveness of the healthcare care system, while also establishing national standards for privacy and security protections for health information. The following information regarding HIPAA is not legal advice and is provided for information purposes only. Weave encourages you to seek legal advice from an attorney to obtain specific guidance-related compliance with HIPAA and the requirements applicable to your business.

HIPAA includes three primary rules:

• The Privacy Rule establishes standards for the protection of certain protected health information (PHI).
• The Security Rule establishes security standards for protecting the confidentiality, integrity, and availability of PHI held or transmitted in electronic form, otherwise known as electronic protected health information (ePHI). 
• The Breach Notification Rule establishes standards for notification following a breach of unsecured PHI.

HIPAA generally applies to health plans, health care clearinghouses, and to most healthcare providers. These are referred to as “covered entities.” Additionally, persons or entities (like Weave) who perform functions or activities on behalf of a covered entity that involve access to PHI may also be considered “business associates” subject to certain HIPAA standards. 

You can learn more about HIPAA requirements from the Department of Health and Human Services (HHS). 

It’s important to know that HHS does not endorse or recognize private organizations’ HIPAA “certifications”. Some service providers may claim that they or their systems are “HIPAA compliant” or “HIPAA certified”. These claims are misleading, as compliance with HIPAA and other applicable laws and regulations will depend on your particular use case and context. 

Weave is committed to protecting your data, including the PHI of your patients. Weave has been designed with features to support you in complying with HIPAA, while also enabling you to make the most of your communications with patients. However, primary responsibility for compliance with HIPAA rests with you. You are responsible for your use of the Weave service and for ensuring that your use of the Weave service complies with HIPAA and other applicable laws. This includes, but is not limited to:

• Taking your own steps to maintain appropriate security and privacy protections, including properly limiting access to the Weave service. 
• Ensuring that all communications sent through the Weave service comply with the HIPAA Privacy and Security Rules, including calls, texts, faxes and email marketing messages. 
• Notifying Weave of any of your policies, agreements or restrictions to which you have agreed that may affect Weave’s performance of services, and any changes in, or revocation of, permission by an individual to use or disclose PHI, to the extent that such changes may affect Weave’s use or disclosure of PHI.

Our legal, compliance, and security teams work across the company and alongside our customers to understand and meet customer needs. Weave has implemented the following safeguards to meet HIPAA requirements:

• Weave has established and implemented policies governing the protection and use of PHI. 
• Weave has implemented administrative, technical, and physical safeguards for protecting PHI. Weave regularly reviews and enhances safeguards based on risk assessments. Safeguards in place include:
• Logical and physical access controls are employed to ensure that only authorized personnel access PHI.
• Encryption of data in-transit and at rest. Weave employs industry standard TLS 1.2+ and HTTPS encryption when transferring data between subscribers and Weave’s infrastructure. All subscriber data is encrypted at rest using AES-128-bit symmetric encryption keys or better.
• Security awareness training and education for all Weave personnel.
• Incident detection and response capability to detect and respond to security incidents and appropriately report any unauthorized access or use of PHI.
• Data is regularly backed up and replicated to geographically dispersed locations, which allows us to quickly recover and restore data and systems in the case of data corruption or loss.
• Weave’s privacy and security safeguards are reviewed and assessed by independent advisors. 
• Weave has established a standard business associate agreement (BAA), which is an addendum to our standard Terms of Service. Our Terms of Service and BAA, together with our Privacy Policy, are designed to address Weave’s commitments for protection and use of personal information and PHI, per HIPAA, and other applicable privacy laws and regulations. Weave only uses your data to provide the Weave service to you, except with your prior written consent or as otherwise expressly permitted under the Terms of Service or BAA.
• Weave ensures that its subcontractors and personnel authorized to access PHI are bound by appropriate obligations of confidentiality or a BAA.

Below is additional information of which you should be aware and that will help you comply with HIPAA when communicating through the Weave service:

Team Chat

• Team Chat is designed to support secure communication between team members, with all messages encrypted in transmission and at rest.

Messages

• Weave Messages can be used to communicate in a manner that is compliant with HIPAA. However, it is your responsibility to discuss with your patients what information may be communicated via text, especially sensitive information and PHI. Text messages sent through Weave are transmitted via traditional SMS text message methods. Traditional SMS text messages are generally considered an insecure mode of communication, as texts are not encrypted in transit and there are limited controls over the message after it is sent. Compliance with HIPAA when sending texts will depend on the content of the text and other factors.

Fax

• Faxes sent through Weave are encrypted at rest with a unique encryption key for each customer. Additionally, Weave encrypts faxes sent through Weave. However, you should apply reasonable safeguards when sending PHI through fax to protect the information from inappropriate use or disclosure. More guidance is available by visiting the HHS website.

Email Marketing

• The Email Marketing feature was designed for our subscribers to communicate updates, promotions, and newsletter-type information with their patient base. Weave's Email Marketing feature was not designed for the purpose of communicating ePHI. Accordingly, the Weave Email Marketing feature does not include end-to-end encryption or other security features which would protect the contents of an email, such as sensitive ePHI, while in transit to the intended recipient. Emails sent to customers through Weave Email Marketing should never include sensitive information, and you should always discuss with your customers what information may be emailed to them.
• The HIPAA Privacy Rule provides individuals important controls over whether and how their PHI is used and disclosed for marketing purposes as that term is defined by HIPAA. With some exceptions, the Privacy Rule requires an individual’s written authorization before a use or disclosure of his or her PHI can be used for marketing. Compliance with the Privacy Rule while using Weave’s Email Marketing will depend on the content of the email and other factors. You can learn more about HIPAA and marketing by visiting the HHS website. 

Digital Forms

• Forms sent and received through the Digital Forms service are encrypted in transit and at rest. 

Call Recordings

• Call recordings are encrypted at rest with a unique encryption key for each customer. 

Keep in mind, Weave cannot give you legal advice. Compliance with HIPAA and other applicable laws and regulations will depend on your particular use case and context. This information should not be relied upon as legal advice or to determine how legal requirements apply to your use of the Weave service. Weave encourages you to seek guidance from your legal counsel regarding the requirements of HIPAA and other relevant laws and regulations to ensure compliance.

The Weave service may be purchased only by customers located in the United States (including Puerto Rico) or Canada and is intended for use only in those locations. Weave makes no representations or warranties that the service is appropriate or available for use outside of the United States or Canada.

Subscribers that choose to access or use the Weave service from outside the United States or Canada do so at their own risk and are entirely responsible for compliance with local law, including, but not limited to export and import regulations. In addition, the Weave service is subject to United States export laws and regulations and may not be exported or re-exported to certain countries or those persons or entities prohibited from receiving exports from the United States.

You can read more about the location of the Weave service and other restrictions on use of the service in our Terms of Service.

Before you attempt to use or access the Weave service in other locations, please consider the following:

• Weave does not provide support for customers using the service outside of the United States or Canada.
• Weave does not ship VoIP telephones to locations outside the United States or Canada.
• The Weave mobile app can only be downloaded in the United States or Canada.
• Weave may block individuals from certain geolocations from downloading and updating the Weave desktop app.
• Weave may restrict accessing or using the service if we reasonably believe you are using the service outside of the United States or Canada.
• E911 service is not supported for VoIP phones located outside of the United States, Puerto Rico, or Canada. (See additional information below.*)
• Your VoIP call quality may suffer if you use the VoIP phones and service outside the United States or Canada. (See additional information below.**)

* PLEASE NOTE: Weave cannot provide E911 support for customers who use the service outside of the United States, Puerto Rico, and Canada. We want to make sure that you are aware of important differences in the way 911 service operates with a VoIP phone when compared with traditional telephone service. With traditional phone services, your 911 call is sent directly to the nearest emergency response center. With VoIP phone service, your 911 call is forwarded to a third-party service provider that will automatically or manually route your call to the emergency response center. Weave will attempt to provide the emergency operator with your service address, so it is important that your information on file with us is always accurate and updated. Weave currently only supports registration of E911 addresses located in the United States, Puerto Rico, and Canada. If you attempt to call 911 from a Weave VoIP phone located outside of the United States, or Canada, the emergency operator may assume that you are calling from the last registered address. You can update your E911 address at any time in the Weave Admin Portal. For a complete description of our VoIP service and limitations of E9-1-1 service, please see this important E911 information and Weave’s VoIP Terms of Service.

** PLEASE NOTE: VoIP call quality is impacted by internet bandwidth and congestion, priority routing rules, and latency, among other factors. Call quality may be impacted by the location of your VoIP phone relative to Weave’s infrastructure, located in data centers located in the United States. If you choose to relocate your physical VoIP phones outside of the United States or Canada and attempt to receive or make calls, your call quality is likely to be significantly degraded. For example, typical round trip time between the United States and Australia is around 200-300 milliseconds. To avoid degraded call quality, round trip time should ideally be no more than 120 milliseconds.

To our customers – 

You may have seen in the news that a critical vulnerability (CVE-2021-44228) was identified earlier this month impacting a commonly used open-source Apache “Log4j2" utility. We take the security of our systems and our customers’ data very seriously, and we wanted to give you a bit of detail on what Weave has done to verify that the Weave platform is not impacted.

Upon learning of this security issue, Weave swiftly conducted an internal review to identify potentially impacted systems and services providers. Our review showed that Weave’s systems and software do not use this and are therefore not vulnerable to this security issue. We also confirmed that all critical service providers have taken appropriate steps to identify impacted systems and implement corrective measures.

We will continue to monitor the impact of this vulnerability and to keep our systems secure. We will update you if there are any significant developments. If you have any questions regarding this or any other security issue, you can reach me and my team at security@getweave.com.

Matt Hillary, Chief Information Security Officer

Weave employs multiple layers of security to protect your data. 

At the organization layer, Weave has a dedicated security team, with a Chief Information Security Officer leading a team with security compliance, security engineering, security operations, and application security expertise to influence the secure handling of your data, and secure development and operation of Weave’s products. These team members monitor for incidents, events, and insecure configurations that may lead to the compromise of Weave’s products or your data.

At the physical and infrastructure layers, Weave’s products are hosted on Google Cloud Platform (GCP) and Amazon Web Services (AWS) -- both of which have favorable compliance reports including an ISO 27001 certification and SOC2 Type 2 report, demonstrating their security practices adhere to industry best practices.

At the data layer, your data is encrypted in transit and at rest in backend databases and object stores using industry accepted encryption protocols (TLS 1.2 or higher; AES-128 or higher) with known strong ciphers. Patient images, voicemails, and call recordings are encrypted with unique encryption keys for each subscriber. Encryption keys are stored only in memory by our services, and are encrypted on disk behind our key management system.

At the systems and software layer, Weave’s products are developed using OWASP Top 10 to guide the secure development practices. Systems are scanned for known vulnerabilities, and vulnerabilities are provided to the appropriate internal engineering teams to remediate in a timely manner commensurate with the severity of the vulnerability. Code development uses Continuous Integration (CI) and requires code change peer reviews and approvals prior to code being merged into the main code branch.

Weave is committed to keeping your data secure as it builds great technology for small businesses. As operating systems stop receiving security updates, they can no longer protect your customer data effectively. 

To benefit from everything Weave has to offer, a supported operating system must be installed on each of your desktops and/or servers.

Desktop App Requirements

The Weave Desktop App will be installed on each computer station in your office that needs access to Weave.

The following is a list of supported desktop operating systems and when each will no longer be considered secure, thus not supported by Weave.

Software requirements change over time, so make sure to keep your computers updated. For more detailed information on how to upgrade to a supported desktop operating system, you can reference these pages from Microsoft and Apple.

Server Requirements

If you signed up for the integrated version of Weave and have a server-based Practice Management Software, a sync application will need to be installed on your server. 

The following is a list of supported server operating systems and when each will no longer be considered secure, thus not supported by Weave.