Trust is woven into Glooko’s culture and practices

We recognize the importance of trust and the security of your personal data or protected health information. This is why we have instituted formal security and privacy governance, and we regularly report on both security and privacy to the company Board of Directors. Our company leadership team is deeply involved in and committed to security and privacy governance, making the protection of personal and protected data our highest priority in every aspect of Glooko culture and practice.


Privacy Shield certification indicates that a company is committed to protecting personal data in accordance with the EU General Data Protection Regulation (GDPR), which mandates strong data protection safeguards and guarantees of individual data rights. To obtain Privacy Shield certification, a company needs to prove that it has internal policies to support that protection, as well as external notice of what data it collects, for what purposes, and how it uses that data.

HITRUST certification is a validated assessment conducted by an objective third party that certifies that a company’s security policies, procedures, and practices are compliant with HIPAA, the US federal regulation protecting protected health information (PHI). HITRUST certification demands best practice security safeguards and sets the highest bar for proof of a company’s security posture.

ISO 13485 is an internationally recognized quality system standard that describes requirements for quality system practices and procedures in the design, development, production, and delivery of medical devices, including digital health software. Because Glooko software is classified as medical device software, we are required to meet this comprehensive quality system standard, including the cybersecurity expectations associated with it.


Frequently Asked Questions for Privacy, Security and Certifications

  • How do we safeguard your data?
  • We work hard to make sure your data is secure, private, and available to you when you need it. We know that health data is critical AND sensitive. Our platform leverages security best practices to ensure that your data is safeguarded. All data is encrypted in transit and at rest using modern, well-regarded encryption methods and protocols. We have independent third parties regularly conduct penetration testing and independent cybersecurity risk assessments, and we monitor our platform for vulnerabilities and any unusual behavior. Our platform is designed for redundancy and resiliency, and we have strong policies, procedures, and practices to assure security through technical, organizational, and procedural controls.
  • What do we do with your data?
  • We are protective of your personal data, and we will not share your identifiable data without your consent. If you use Glooko services through a healthcare provider, then your care provider will work with you to manage your diabetes, and your data will be available to your provider, for example when you visit your doctor. In that case, our services are just a portion of the health care operations of your health care provider, just like any other system they may use to provide you with care.
  • What are our internal controls over data privacy and security decisions?
  • Our practices ensure that security and privacy remain paramount and are not given short shrift for expediency or profit. We have documented policies that lay out our expectations for security and privacy. We have a formal, adopted Data Ethics policy that states what we believe is proper to do with data and what we will not do. We have a governance board for Security and Privacy that helps drive critical decisions and ensures proper prioritization and resource allocation for security and privacy efforts. And we have a leadership team that truly believes that the effort to lead in security and privacy is worth it, because having your trust is worth it.