Security & Compliance for Your Gym Management Software
Your members trust you with their credit cards, health data, and personal information. We take that seriously. GymWyse is built from the ground up with enterprise-grade security, regional data hosting, and full regulatory compliance so you can focus on running your gym, not worrying about data breaches.
- AES-256 encryption at rest
- TLS 1.3 encryption in transit
- SOC 2 Type II certified
- 99.9% uptime SLA
Data Encryption
Every byte of data in GymWyse is encrypted, whether it is sitting in a database or traveling across the internet. We use industry-leading encryption standards to ensure your members' information is protected at every stage of its lifecycle.
AES-256 at Rest
All member data, payment records, and health information stored in our databases is encrypted using AES-256, the same encryption standard used by governments and financial institutions worldwide. This applies to every data field, not just sensitive ones.
TLS 1.3 in Transit
Every connection between your browser, the GymWyse mobile app, and our servers is secured with TLS 1.3, the latest transport layer security protocol. Older protocols like TLS 1.0 and 1.1 are disabled entirely.
End-to-End Payment Encryption
Credit card numbers and bank account details are encrypted end-to-end and never stored in plaintext. Payment data flows through a PCI DSS Level 1 compliant pipeline, the highest level of payment security certification available.
Customer-Managed Keys
Enterprise plan customers can bring their own encryption keys (BYOK) for database-level encryption. You control the keys, and you can revoke access at any time. This gives you full sovereignty over your data encryption lifecycle.
Regional Data Hosting
Your data stays in your region. GymWyse operates dedicated infrastructure in four global regions. Customers choose their hosting region at signup, and data never leaves that region. No exceptions, no cross-border transfers, no surprises.
United States
AWS us-east-1, Virginia
Primary data center for North American customers. SOC 2 audited facility with multi-availability-zone redundancy. Data never leaves the US region.
United Kingdom / EU
AWS eu-west-2, London
Dedicated hosting for UK and European Union customers. Fully GDPR compliant. Data is processed and stored exclusively within the UK, satisfying EU adequacy requirements.
Australia
AWS ap-southeast-2, Sydney
Australian data residency for gyms in Australia and New Zealand. Compliant with the Australian Privacy Act 1988. Data stays within the Australian region at all times.
United Arab Emirates
AWS me-south-1, Bahrain
Middle East hosting for customers in the UAE, Saudi Arabia, and surrounding region. Data remains within the Middle East region, meeting local data sovereignty requirements.
Operating in the United Kingdom, Australia, or the UAE? Visit your regional page for localized details.
GDPR Compliance
Is GymWyse GDPR compliant? Yes. GymWyse provides full GDPR compliance for UK and EU customers. We have implemented every requirement of the General Data Protection Regulation, from data subject rights to breach notification procedures, so your gym meets its legal obligations without any extra work.
Data Processing Agreement
Every UK and EU customer receives a signed Data Processing Agreement (DPA) that defines exactly how we process personal data, the legal basis for processing, and the safeguards in place. Our DPA is available for review before you sign up.
Right to Erasure
One-click member deletion. When a member requests to be forgotten, gym owners can permanently erase all personal data with a single action. This removes the member profile, contact details, attendance history, and payment records from our systems within 30 days.
Data Portability
Export all member data at any time in CSV or JSON format. This includes profiles, attendance records, payment history, contracts, and consent logs. Members can also export their own data directly from the GymWyse member app.
Consent Management
Built-in consent management for marketing communications. Members explicitly opt in to email and SMS marketing during signup. Consent records are timestamped and auditable. Members can withdraw consent at any time from their app settings.
Breach Notification
In the unlikely event of a data breach, we notify affected customers within 72 hours as required by GDPR Article 33. Our incident response team follows a documented playbook that includes containment, assessment, notification, and remediation steps.
Data Protection Officer
Our Data Protection Officer (DPO) is contactable at dpo@gymwyse.com. The DPO oversees all data processing activities, conducts regular impact assessments, and serves as the liaison with supervisory authorities.
HIPAA Considerations
For US gyms that collect health data such as body measurements, injury logs, and health questionnaires, HIPAA compliance matters. GymWyse provides the technical safeguards and legal agreements needed to handle Protected Health Information (PHI) responsibly.
Business Associate Agreement
A signed BAA (Business Associate Agreement) is available for Enterprise plan customers. This legally binds GymWyse to HIPAA-compliant handling of Protected Health Information (PHI) collected through body measurements, injury logs, and health questionnaires.
PHI Encryption & Access Control
All Protected Health Information is stored in an encrypted, access-controlled environment with role-based permissions. Only authorized staff with explicit need-to-access can view health-related member data.
Comprehensive Audit Logs
Every access, modification, and export of health data is logged with timestamps, user identity, and action type. These audit logs are retained for six years and are available for compliance reviews and HIPAA audits.
SOC 2 Type II Certification
GymWyse has completed SOC 2 Type II certification, which means an independent third-party auditor has verified that our security controls are not only designed properly but are operating effectively over time. This is the gold standard for SaaS security assurance.
What Is Audited
- Security controls and access management
- System availability and uptime monitoring
- Data confidentiality and encryption
- Processing integrity and accuracy
Audit Details
- Annual third-party audits by an independent firm
- Continuous monitoring between audit cycles
- Audit report available under NDA for Enterprise customers
- Covers all four regional data centers
Member Data Rights
Your members have full control over their personal data. Every right listed below is accessible directly from the GymWyse member app settings screen. No support tickets, no waiting, no friction. Transparency builds trust, and trust retains members.
Members Can
- View all data stored about them in the GymWyse platform, including profile information, attendance records, payment history, and any health data
- Request complete data deletion, which permanently removes their personal information from our systems within 30 days of the request
- Export their personal data in a machine-readable format (JSON) directly from the member app settings, with no gym staff involvement required
- Control marketing consent preferences, choosing exactly which communication channels they want to receive messages on
- Revoke wearable data sharing at any time, immediately stopping the sync of fitness tracker data from Apple Health, Google Fit, or Garmin Connect
- View a log of who has accessed their data and when, providing full transparency into how their information is being used
Penetration Testing & Vulnerability Management
We do not just build secure software and hope for the best. We actively test our defenses with the same techniques attackers use. Our security posture is validated quarterly by an independent security firm, and we maintain a public commitment to rapid vulnerability remediation.
- Quarterly penetration testing: an independent security firm conducts full-scope penetration testing every quarter, covering web application, API, and infrastructure layers.
- 24-hour critical patch SLA: critical vulnerabilities are patched within 24 hours of discovery. High-severity issues are remediated within 72 hours. All patches are verified by re-testing.
- Active bug bounty program: we run a bug bounty program that rewards security researchers for responsibly disclosing vulnerabilities. Valid reports are acknowledged within 24 hours.
- 99.9% uptime SLA: our infrastructure is designed for high availability with multi-region failover. We maintain a 99.9% uptime SLA backed by service credits for any downtime.
Access Controls
Not everyone in your gym needs access to everything. GymWyse uses role-based access control (RBAC) to ensure each staff member sees only the data and features relevant to their role. Combined with two-factor authentication and comprehensive audit logging, you always know who accessed what and when.
Admin
Full platform access including billing, analytics, staff management, and system configuration. Reserved for gym owners and operations directors.
Manager
Access to member management, scheduling, reporting, and day-to-day operations. Cannot modify billing settings or manage other staff accounts.
Front Desk
Member check-in, class booking, basic member lookup, and point-of-sale. Cannot view financial reports or modify member contracts.
Trainer
Access to assigned client profiles, workout programming, and session scheduling. Cannot view payment information or other trainers' clients.
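The four roles above, together with the PHI audit logging described under "Comprehensive Audit Logs", amount to a small authorization policy: deny by default, scope trainers to their own clients, and record every decision with a timestamp, user identity and action type. The following is an added illustration of that policy, not GymWyse's own code or schema; the permission names, the `health:read` grant to trainers, and the in-memory log are assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, FrozenSet, List, Optional

# Constructed permission model for the four roles described on the page.
# Permission names are assumptions for this example, not GymWyse's schema.
MANAGER_PERMS = frozenset({
    "member:read", "member:write", "schedule:write", "report:read", "contract:write",
})
FRONT_DESK_PERMS = frozenset({
    "checkin:write", "booking:write", "member:read", "pos:write",
})
# Assumption: trainers may read health data, but only for clients assigned to them (scoped below).
TRAINER_PERMS = frozenset({
    "client:read", "workout:write", "session:write", "health:read",
})
# Admin has everything the other roles have plus billing, analytics, staff and configuration.
ADMIN_PERMS = MANAGER_PERMS | FRONT_DESK_PERMS | TRAINER_PERMS | frozenset({
    "billing:write", "analytics:read", "staff:manage", "config:write",
})

ROLE_PERMISSIONS: Dict[str, FrozenSet[str]] = {
    "admin": ADMIN_PERMS,
    "manager": MANAGER_PERMS,
    "front_desk": FRONT_DESK_PERMS,
    "trainer": TRAINER_PERMS,
}

# Actions that touch Protected Health Information; flagged in the audit trail.
PHI_ACTIONS = frozenset({"health:read", "health:write", "health:export"})


@dataclass(frozen=True)
class User:
    user_id: str
    role: str


@dataclass(frozen=True)
class Resource:
    kind: str                               # "client", "member", "billing", ...
    resource_id: str
    assigned_trainer: Optional[str] = None  # only meaningful for kind == "client"


@dataclass
class AuditLog:
    """Append-only audit trail: timestamp, user identity, action type, resource, decision."""
    entries: List[dict] = field(default_factory=list)

    def record(self, user: User, action: str, resource: Resource, allowed: bool) -> None:
        self.entries.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "user_id": user.user_id,
            "role": user.role,
            "action": action,
            "resource": f"{resource.kind}/{resource.resource_id}",
            "phi": action in PHI_ACTIONS,
            "decision": "allow" if allowed else "deny",
        })


def authorize(user: User, action: str, resource: Resource, log: AuditLog) -> bool:
    """Deny-by-default RBAC check with per-trainer client scoping; every decision is audited."""
    perms = ROLE_PERMISSIONS.get(user.role, frozenset())  # unknown role -> no permissions
    allowed = action in perms
    # Trainers may only act on their own assigned clients ("cannot view other trainers' clients").
    if allowed and user.role == "trainer" and resource.kind == "client":
        allowed = resource.assigned_trainer == user.user_id
    log.record(user, action, resource, allowed)  # denied attempts are logged too
    return allowed


def phi_access_report(log: AuditLog) -> List[dict]:
    """The subset a compliance reviewer would pull: every PHI access attempt, allowed or not."""
    return [e for e in log.entries if e["phi"]]


def demo() -> AuditLog:
    """Constructed sample session exercising each rule; returns the resulting audit trail."""
    log = AuditLog()
    client_a = Resource("client", "C-100", assigned_trainer="T-1")
    client_b = Resource("client", "C-200", assigned_trainer="T-2")
    billing = Resource("billing", "account")
    authorize(User("T-1", "trainer"), "client:read", client_a, log)    # allow: own client
    authorize(User("T-1", "trainer"), "client:read", client_b, log)    # deny: not assigned
    authorize(User("T-1", "trainer"), "health:read", client_a, log)    # allow, flagged as PHI
    authorize(User("F-1", "front_desk"), "report:read", billing, log)  # deny: no financial reports
    authorize(User("A-1", "admin"), "billing:write", billing, log)     # allow
    authorize(User("X-1", "intern"), "member:read", client_a, log)     # deny: unknown role
    return log


if __name__ == "__main__":
    for entry in demo().entries:
        print(entry)
```

Two design points worth noting: an unrecognised role gets an empty permission set rather than an error path that might be bypassed, and the audit record is written before the decision is returned, so a denied attempt on health data leaves the same trace as a successful one.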
Additional Security Features
Security & Compliance FAQ
Common questions about how GymWyse protects your data, handles compliance requirements, and keeps your members' information safe. Is GymWyse HIPAA or GDPR compliant? Find the answers below.
Your Members' Data Deserves the Best Protection
Security is not a feature you bolt on later. It is the foundation everything else is built on. GymWyse gives you enterprise-grade encryption, regional data hosting, GDPR compliance, and SOC 2 certification out of the box, so you never have to worry about whether your members' data is safe. See how much you could save while upgrading your security posture.
Have a security question? Contact our team at security@gymwyse.com or review our pricing plans to find the right security tier for your gym.