Security
Wouessi's security posture, compliance roadmap, subprocessor list, and vulnerability disclosure path.
Last updated: 2026-05-01 · Version v3.5
1. Posture
Wouessi sells into regulated buyers. Our security posture is the same one we hand our enterprise customers on day one.
2. Compliance
- SOC 2 Type I · in flight, target Q4 2026.
- ISO/IEC 27001 · gap assessment complete; implementation 2027.
- OSFI B-13 alignment for Canadian financial-services engagements.
- HIPAA Business Associate posture for US health customers.
- FedRAMP Moderate equivalent posture available for federal engagements (US + CA Protected B).
3. Technical controls
- TLS 1.3 in transit; AES-256 at rest.
- Mandatory MFA for all employee accounts.
- RBAC with least-privilege defaults; quarterly access reviews.
- Append-only audit logs on every customer system.
- Annual third-party penetration test (next: October 2026).
- Static analysis (SAST), dependency scanning (Dependabot + Snyk), secrets scanning on every commit.
- SBOMs for every release; SLSA-3 build provenance for new pipelines.
4. Subprocessors
We use a small, named list of subprocessors. Each is contractually bound to our security and privacy standards. Current list: AWS (compute, storage), Google Workspace (email, docs), Cloudflare (DNS, WAF, CDN), Stripe (billing), Linear (project tracking). The full list, with locations and purposes, is available at security@wouessi.com and is updated within 14 days of any change.
5. Vulnerability disclosure
Researchers can report vulnerabilities to security@wouessi.com. Public PGP key on request. Safe-harbor commitment: we do not pursue legal action against good-faith research that respects user privacy and does not exfiltrate data.
6. Incident response
Customer-impacting incidents are communicated within 72 hours of confirmation, by name and in writing, with a written postmortem within 14 days. We retain a 24/7 on-call rotation across our three time zones.
7. Contact
Security · security@wouessi.com · 1-844-WOUESSI