Our Approach to Security
At 23andMe, we know that earning and keeping your trust starts with protecting your data. Security isn't just a feature; it is a prerequisite for our science and our business. We build security into every step of the process, beginning with when you create your account and continuing for as long as you use our services.
How We Protect Your Data
Our security program is built on a foundation of industry-recognized standards, continuous testing, and core principles of data protection.

Our security program is certified under the global ISO/IEC 27001, 27701, and 27018 standards. This means outside auditors have rigorously reviewed and approved our security practices, confirming we meet or exceed internationally recognized security and privacy standards.
As part of its commitment to privacy and security, 23andMe has established an Information Security Management System (ISMS) and a Privacy Information Management System (PIMS) that comply with ISO/IEC 27001, 27701, and 27018. Both are audited by an accredited third party on an annual basis.
- ISO/IEC 27001: The foundational standard that provides requirements for an organization's Information Security Management System (ISMS), which systematically identifies and manages information security risks. You cannot achieve certification for 27701 or 27018 without first having or pursuing 27001.
- ISO/IEC 27701: A privacy extension to 27001. This standard provides the requirements for a Privacy Information Management System (PIMS) to help organizations manage personally identifiable information (PII) and demonstrate compliance with privacy regulations like the GDPR. It extends the security controls of 27001 to address privacy-specific risks.
- ISO/IEC 27018: A specific code of practice for protecting PII in the public cloud. It is a more narrowly focused standard than 27701, offering guidelines for cloud service providers (CSPs) that process PII on behalf of others.
We partner with a global community of security researchers and hire independent firms to constantly and ethically test our systems for vulnerabilities. This includes simulated attacks and frequent assessments to find and fix issues before they can be exploited. We encourage security researchers and our customers to report security issues through our Security Program.
In addition to our own internal assessments, we hire outside experts to perform extensive annual penetration tests on our systems.

Our Commitment to Transparency
No system is perfectly secure. That's why we believe a modern security program must also include a commitment to transparency. We have a dedicated incident response plan to act quickly if an event occurs. We are committed to notifying customers promptly and clearly if their data is affected, providing steps to help them stay safe. We also invite collaboration from the security community to help us stay sharp.
Your Role in a Secure Experience
You also play a vital role. We provide the tools for you to keep your account secure:
Create a strong password
Use a unique, complex password for your 23andMe account. We require a password that is at least 12 characters and recommend the use of a password manager.
Enable 2-step verification
While 2-step verification is a default requirement in your 23andMe account settings, we also strongly recommend the use of an app-based 2-step verification program that requires a code from your phone to log in. We support and encourage the use of app-based 2-step verification programs such as Google Authenticator, Microsoft Authenticator, or Authy.
Be aware of phishing scams
Be suspicious of any email or text asking you to click a link or provide personal information.
Get Help
Visit our Security and Privacy Help Center for more information and support.
Frequently Asked Questions
While 2-step verification is a default requirement in your 23andMe account settings, we also strongly recommend the use of an app-based 2-step verification program that requires a code from your phone to log in. We support and encourage the use of app-based 2-step verification programs such as Google Authenticator, Microsoft Authenticator, or Authy.
We also require the use of a password that is at least 12 characters and strongly recommend that the password be unique and complex. We also recommend the use of a password manager. Be sure to keep your password private, and do not share it.
Fake emails often include links to fake web pages designed to trick you into giving up your account information. This tactic is often called a phishing scam. Here are tips to help you determine if a web address goes to a real 23andMe web page.
- Even if the web address contains the word "23andme", it might not be a 23andMe website. Real 23andMe web addresses have ".23andme.com/" in them: there is nothing between the period and "23andme", and nothing between ".com" and the first forward slash (/).
- If you are signing in with your 23andMe user name and password, be sure that the web address starts with "https://auth.23andme.com/".
- When in doubt, start on the 23andMe home page to log in to your account or enter personal information. Type "23andme.com" directly into your browser rather than clicking on a link.
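The three rules above can be applied mechanically. The following Python snippet is an added example, not code from 23andMe: it parses a web address with the standard library's urlsplit, accepts a host only if it is exactly "23andme.com" or a subdomain ending in ".23andme.com", and separately checks that a sign-in address begins with "https://auth.23andme.com/". The sample addresses in the block are constructed for illustration and are not links from this page.

```python
"""Check whether a web address belongs to 23andMe, following the rules on this page.

Added example (not 23andMe's own code).  Rules implemented:
  * the host must be exactly "23andme.com" or end with ".23andme.com";
    nothing may sit between the period and "23andme", and nothing may
    follow ".com" before the first forward slash;
  * the sign-in page must start with "https://auth.23andme.com/".
"""
from typing import Optional, Tuple
from urllib.parse import urlsplit

LEGIT_DOMAIN = "23andme.com"
LOGIN_HOST = "auth." + LEGIT_DOMAIN


def _hostname(url: str) -> Optional[str]:
    """Extract the lowercased hostname, tolerating a bare 'example.com/path' form."""
    url = url.strip()
    if "://" not in url:
        url = "https://" + url          # assume https for scheme-less input
    try:
        host = urlsplit(url).hostname   # drops userinfo, port, path and query
    except ValueError:
        return None                     # malformed address (e.g. bad IPv6 brackets)
    return host.rstrip(".") if host else None


def is_23andme_host(host: Optional[str]) -> bool:
    """True only for 23andme.com itself or a subdomain of it."""
    if not host:
        return False
    return host == LEGIT_DOMAIN or host.endswith("." + LEGIT_DOMAIN)


def classify_url(url: str) -> Tuple[bool, str]:
    """Return (is_legit, reason) for a web address."""
    host = _hostname(url)
    if host is None:
        return False, "no hostname could be parsed"
    if not is_23andme_host(host):
        if "23andme" in host:
            # The word appears, but the host is not under 23andme.com.
            return False, f"host {host!r} merely contains '23andme'; it is not under {LEGIT_DOMAIN}"
        return False, f"host {host!r} is not under {LEGIT_DOMAIN}"
    return True, f"host {host!r} is under {LEGIT_DOMAIN}"


def is_login_url(url: str) -> bool:
    """True only for https://auth.23andme.com/... (the sign-in host over https)."""
    parts = urlsplit(url.strip())
    return parts.scheme.lower() == "https" and (parts.hostname or "").rstrip(".") == LOGIN_HOST


# Constructed sample addresses for illustration (not real links from the page).
SAMPLE_URLS = [
    "https://auth.23andme.com/login",
    "https://you.23andme.com/",
    "23andme.com",
    "https://23andme.com.example.net/",   # something after ".com" before the slash
    "https://login-23andme.com/",         # something before "23andme" without a period
    "https://www.23andme.example.org/",   # wrong suffix after "23andme"
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        ok, why = classify_url(u)
        print(f"{'OK  ' if ok else 'FAKE'} {u:40} {why}")
```

The check is deliberately limited to the hostname, which is the only thing the rules above talk about; it does not verify the site's certificate, and it treats the address exactly as typed, so the advice in the last bullet still applies: type "23andme.com" yourself rather than following a link.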
If you suspect someone has accessed your account, you should immediately change your password and contact Customer Care for assistance. We encourage the use of app-based 2-step verification, so that a threat actor who learns your password cannot log into your account without access to your physical device.
You can choose to have your sample discarded or opt in to have your sample biobanked in your account settings. Taking part in our biobank is voluntary and entirely your choice. If you do not consent to have your samples stored, it will not impact your ability to receive or participate in the 23andMe Service for which you submitted your samples, and your samples will be securely discarded after completion of the analysis for which they were submitted.
If you opt into biobanking, your physical sample is stored in a secure, temperature-controlled environment within our CLIA-certified lab. To protect your identity, all samples are tracked using a barcode—your name and other personal information are never stored on the sample tube itself. You always have the choice to have your sample discarded through your account settings. You can learn more by reviewing our biobanking consent form.
We have a dedicated incident response plan to address potential threats. In the unlikely event of a data breach, our first priority is to secure our systems. We are committed to notifying affected customers promptly, in accordance with all legal requirements, and we will provide clear steps you can take to help protect yourself.
If you lose access to the device you use for 2-step verification, you will need to contact Customer Care to begin the account recovery process. For your protection, our team will guide you through a secure identity verification process before restoring access to your account.
For more details on how we use data and your choices, please see our full Privacy Statement.