Keeping data safe at Nest.

We understand that keeping data secure is critical for everyone: our customers, the developers who connect to our products, and the security experts who watch for vulnerabilities. So if you're a security researcher or developer, here's everything you need to know about how Nest keeps data safe and how you can help.

Our responsible disclosure policy.

If you’re a security researcher and think you’ve found a security vulnerability, we want to hear about it right away. We ask that you give us a reasonable amount of time to respond to your report before making any information public. Please don’t access or modify user data without permission of the account owner and act in good faith not to degrade the performance of our services (including denial of service). If you comply with these requests, we won’t take legal action against you.

We’re interested in the following areas:

  • Cross-site scripting (XSS)

  • Cross-site request forgery (CSRF/XSRF)

  • SQL injection (SQLi)

  • Authentication/authorisation for devices or clients

  • Sharing/public model

  • Remote code execution

  • Data exposure

  • Alert/notification spoofing

  • Nest Thermostat, Nest Protect, or Nest Cam local Denial of Service (DoS)

  • Nest Thermostat, Nest Protect, or Nest Cam resets and lockups

  • Wireless vulnerabilities (but not including wireless Denial of Service (DoS))

Out-of-scope areas:

  • Website or API Denial of Service (DoS)

  • Wireless Denial of Service (DoS)

  • Issues only present in old/end-of-life browsers and old plugins

Our security submissions and reward policy.

To submit security issues involving Nest products and services, please use To contact us directly to report a vulnerability, email

Frequently asked questions about Nest security.

We do everything in our power to make sure data is used for one purpose: to make your life with Nest better. To find out exactly how we keep data secure, take a look below.

  • What type of encryption do you use?

    Nest apps and Nest Thermostats connect to the Nest cloud service using AES 128-bit encryption and Transport Layer Security (TLS). Nest Protect alarms use a proprietary secure protocol similar to TLS to share data. Dropcams and Nest Cams connect to the Nest cloud service using 2048-bit RSA private keys for key exchange, implement perfect forward secrecy and encrypt data between Dropcam/Nest Cam and the Nest cloud service using AES 128-bit encryption and Transport Layer Security (TLS). Nest devices communicate with each other using Weave.

  • What information is stored on Nest devices?

    Your Nest devices collect setup information like your ZIP or postal code, your Wi-Fi network information, environmental data from sensors like temperature and humidity, temperature adjustments, usage and occupancy information, and more. You can find more information here.

  • How do you store my data online?

    Nest uses Amazon Web Services (AWS) and Google Cloud Platform (GCP) for cloud servers and online storage. Amazon’s security policies can be found . GCP security policies can be found .

  • How does Nest prevent and resolve security issues?

    Nest has a dedicated engineering team that’s focused on monitoring security threats and updating our systems as needed. Members of the operations team are also continually keeping our servers up to date with security patches and operating system updates.

    In addition, Nest has a bounty programme open to security researchers.

  • What access do third parties have through the Works with Nest programme?

    When a developer submits their product to the they must explicitly lay out what information they’ll request, why they need it and what they’ll do with it. For example, they may request control of your Nest Thermostat in order to preheat your house when you’re on your way home.

    When you connect another app to Nest, you’ll be shown what data they’re requesting access to before confirming the connection.

  • Can my Nest device be hacked using the USB port?

    USB-based hacking is a jailbreak that requires physical access to a device. Physical jailbreaks like this don't compromise the security of our servers or the connections to them. There have been no known instances of anyone hacking a Nest product remotely.

If you still have questions about Nest’s approach to privacy, personal information, or how we use the data from Nest products, please take a look at our You can check our to see our approach to storing data on