Wisanna Security Policy & TOMs

Last Updated: January 6, 2026

At Wisanna, we prioritize the security of your data. This page outlines the Technical and Organizational Measures (TOMs) we implement to protect the confidentiality, integrity, and availability of our Service and our customers' data.

1. Security Philosophy

We follow a "security by design" approach, integrating security best practices into our development lifecycle and infrastructure management. Our security program is designed to meet the requirements of the GDPR and other applicable data protection laws, ensuring that data is processed securely and transparently.

2. Cloud Infrastructure and Hosting

2.1. Cloud Providers

Wisanna’s infrastructure is hosted primarily on the Google Cloud Platform (GCP), a premier tier-1 cloud provider with industry-leading security certifications (including ISO 27001, SOC 2 Type II, and GDPR compliance). We also utilize distinct services from other trusted providers (such as OpenAI and Anthropic) for specific AI capabilities.

2.2. Physical Security

Wisanna does not maintain physical servers. We rely on our cloud providers' physical security measures, which include 24/7 onsite security, biometric access controls, and video surveillance at their data centers.

2.3. Data Segregation

Our multi-tenant architecture is designed to logically segregate customer data. We use unique identifiers (such as Tenant IDs and User IDs) to ensure that a customer’s data is accessible only by that customer’s authorized users.

3. Data Encryption

3.1. Encryption in Transit

All data transmitted between your device and Wisanna, as well as between Wisanna’s internal services and third-party integrations, is encrypted using strong industry-standard protocols (TLS 1.2 or higher).

3.2. Encryption at Rest

Customer data stored in our databases, object storage, and backups is encrypted at rest using strong encryption standards (such as AES-256) managed by our cloud infrastructure providers.

4. Access Control and Authentication

4.1. User Authentication

We utilize robust authentication mechanisms (powered by Google Identity Platform/Firebase Authentication) to verify user identity. We do not store user passwords directly; instead, we rely on secure token-based authentication.

4.2. Internal Access (Least Privilege)

Access to production data by Wisanna personnel is restricted based on the Principle of Least Privilege.

■ Access is granted only to employees who require it for their role (e.g., engineering or senior support staff).
■ Administrative access requires multi-factor authentication (MFA).
■ Access rights are reviewed periodically, and access is revoked immediately upon termination of employment.

4.3. Customer Support Access

Our support team does not access your private documents unless explicitly authorized by you for debugging purposes or as required by law.

5. Network Security

5.1. Network Defense

Our infrastructure is protected by cloud-native firewalls and network security groups. We restrict network traffic to necessary protocols and ports, denying all other traffic by default.

5.2. Logging and Monitoring

We maintain centralized logs for security and operational events (including API usage, access attempts, and system errors). These logs are:

■ Stored securely with restricted access.
■ Retained for a limited period to facilitate security investigations.
■ Used to detect potential abuse or anomalous patterns.

6. Application Security and Development

6.1. Secure Development Lifecycle (SDLC)

■ Code Reviews: All code changes undergo peer review before being deployed to production.
■ Separation of Environments: We maintain separate environments for development, testing, and production to prevent unintended data exposure.
■ Dependency Management: We regularly scan and update third-party libraries and dependencies to mitigate known vulnerabilities.

6.2. AI Safety

We implement safeguards in our AI integrations to ensure data is processed according to our instructions. As stated in our Terms (https://wisanna.com/legal/terms) and DPA (https://wisanna.com/legal/dpa), we do not use Customer Content to train core foundation AI models for the benefit of other customers.

7. Operational Security and Incident Response

7.1. Incident Response Plan

We maintain an Incident Response Plan to address security events promptly. This includes procedures for:

■ Detection and analysis of security incidents.
■ Containment and eradication of threats.
■ Restoration of services.

7.2. Breach Notification

In the event of a confirmed Personal Data Breach, Wisanna will notify affected customers without undue delay (consistent with GDPR requirements, typically within 72 hours of becoming aware of the breach).

8. Business Continuity and Availability

8.1. Backups

We perform regular automated backups of critical data stores to protect against data loss. Backups are encrypted and stored across multiple availability zones where supported by the cloud provider.

8.2. Resilience

Our infrastructure is designed for high availability, utilizing cloud scaling and redundancy features to minimize downtime.

9. Responsible Disclosure

We welcome reports from security researchers and users regarding potential vulnerabilities in our Service.

● Contact: Please report security issues to security@wisanna.com.
● Policy: We ask that you do not exploit vulnerabilities to access others' data or disrupt our service. We will acknowledge receipt of reports and strive to fix confirmed issues promptly.

10. References

- Terms of Use: https://wisanna.com/legal/terms
- Data Processing Agreement (DPA): https://wisanna.com/legal/dpa
- Security Policy & TOMs: https://wisanna.com/legal/security
- Sub-processors: https://wisanna.com/legal/sub-processors