Security Practices

Last Updated: August 15, 2025

Overview

Security is integral to Wippy. This page describes the organizational, technical, and physical controls we apply to our platform and services.

1. Controls

• Multi-tenant SaaS with logical separation of customer data via access lists and unique customer IDs
• Infrastructure hosted on Amazon Web Services (AWS)

2. Audits

Continuous monitoring system designed to identify vulnerabilities, non-compliance, and misconfigurations.

3. Security Controls Framework

• Centralized identity management with quarterly access reviews
• Multi-factor authentication required for all staff members
• Access and action logging with device type, IP addresses, and anomaly detection
• Network protection using abnormality detection, firewalls, and TLS 1.2+ encryption
• Cloud security posture management
• Secure software development lifecycle with code scanning

Customer Responsibilities:

• Data sharing and content submission control
• AI-assisted content generation choices
• Single Sign-On governance
• Workspace access management

4. Intrusion Detection

24/7 managed detection and response partnerships monitoring endpoints, cloud infrastructure, and identities.

5. Security Logs

Immutable logging of security events. Logs cannot be deleted or modified by administrators.

6. Incident Management

Documented incident response plan reviewed annually. Customer notification occurs without undue delay of unauthorized data disclosure.

7. Data Encryption

• AES-256 encryption for stored data
• TLS 1.2+ for communications
• Keys managed within AWS infrastructure with periodic rotation

8. Reliability and Business Continuity

• Recovery target: 72 hours
• Recovery point objective: 24 hours
• Daily backups retained for 3+ months
• Annual testing of recovery protocols

9. Data Deletion

Customers can request deletion; processing takes up to 90 days. Automatic deletion occurs within 90 days of account termination if not requested otherwise.

10. Personnel Practices

• Background checks during hiring
• Mandatory security training during onboarding and annually
• Non-Disclosure Agreements required
• Role-based access with least privilege principles
• Immediate access termination upon employment conclusion

11. Subprocessors

Third-party entities are reviewed for compliance with technical and organizational data protection standards.

12. Open Source Software

Vulnerability management program in place. Services contain no open-source requiring IP disclosure or redistribution.