Trust, security, and compliance

How Wysera handles your data.

We are a brand-new platform shipping in 2026. We are not perfect. We are explicit. This page documents our stance on security, compliance, encryption, AI training, subprocessors, and data residency. Updated quarterly.

Last updated: 2026-06-05

Compliance posture

Where we stand today. Status is honest, not aspirational.

SOC 2 Type II

In progress

Audit underway with Vanta-led control monitoring. Letter of engagement on request.

GDPR

Compliant

EU/EEA data residency available. DPA executable on request. Standard contractual clauses in place.

CCPA / CPRA

Compliant

California consumer rights honored across the platform. Data export and deletion within 30 days.

HIPAA

BAA available

Business Associate Agreement available for healthcare customers. Required for hospice, clinical, and PHI-handling workflows.

ISO 27001

Roadmap 2027

Planned for completion in Q2 2027 after SOC 2 Type II report is issued.

PCI DSS

Not applicable

Wysera never stores or processes card numbers. All payment data lives in Stripe, our payment processor.

Encryption

At rest

AES-256 encryption for all customer data at rest. Encryption keys managed by AWS KMS. Database backups encrypted with separate keys held in a different region.

In transit

TLS 1.3 for all customer-facing endpoints. HSTS enforced. Internal service-to-service traffic uses mutual TLS where appropriate.

Key rotation

KMS master keys rotated annually. Application-level encryption keys rotated every 90 days. Customer-specific keys generated per tenant on Pro Bundle and Enterprise plans.

Field-level redaction

Sensitive fields (PHI, PII) can be flagged for field-level redaction before AI agent processing. Redacted data never leaves the storage layer.

AI training policy

The most-asked question. Four explicit statements.

Customer data never trains public AI models.

We do not send your data to third-party model providers for training. We do not include customer data in fine-tuning datasets for public release.

Customer data trains your own private model context, only.

Wyse learns from your team's edits and approvals to improve drafts for your team specifically. This learning stays scoped to your tenant. Other Wysera customers do not benefit from your data.

Model providers receive only the prompts needed for the task.

When Wyse uses an upstream model (Anthropic, OpenAI), only the prompt content needed for that task is sent. Customer prompts are not retained by the model provider beyond the inference request (per their zero-data-retention contracts).

You can audit every AI decision.

Every Wyse-drafted output is logged with the prompt, the model used, and the output. Searchable. Exportable. Available for the lifetime of your account plus retention period.

Subprocessors

Every service that processes customer data, what it does, and where it runs. Updated when we add or remove a subprocessor.

Subprocessor | Purpose                        | Region
AWS          | Infrastructure hosting         | US-East, EU-Central
Anthropic    | Upstream LLM (Claude family)   | US, EU
OpenAI       | Upstream LLM (GPT family)      | US
Stripe       | Payment processing             | US, EU
Vanta        | Compliance monitoring (SOC 2)  | US
Resend       | Transactional email            | US, EU
Cloudflare   | CDN, DDoS protection           | Global
Sentry       | Error tracking (PII-scrubbed)  | US, EU

Data residency

US (default)

Primary infrastructure in AWS us-east-1 (Virginia) with multi-AZ failover. Backups replicated to us-west-2 (Oregon).

EU

Available on Pro Bundle and Enterprise. Infrastructure in AWS eu-central-1 (Frankfurt) with multi-AZ failover. Backups replicated to eu-west-1 (Ireland). Suitable for GDPR-strict customers.

Custom

Dedicated single-tenant deployments available for Enterprise customers needing specific residency (Australia, UK, Canada). Lead time: typically 30-60 days.

Vulnerability disclosure

Found a security issue? Email hi@wysera.ai with the subject line “Security disclosure.” We commit to acknowledging within 24 hours, triaging within 72 hours, patching critical vulnerabilities within 7 days, and crediting the reporter if they choose.

We do not have a paid bug bounty program in 2026, but we will send a thank-you, a credit on the security page (with your permission), and Wysera Pro credits as a token of appreciation for valid reports.

Documents

DPA, security questionnaire, audit letters

Need our Data Processing Agreement, a completed CAIQ, or our SOC 2 audit letter? Email us. We send these to prospects and customers under NDA, usually within 24 hours.

FAQ

Frequently asked questions

How does Wysera keep my data secure?
Wysera encrypts all customer data at rest with AES-256 and in transit with TLS 1.3, with keys managed by AWS KMS and rotated on a set schedule. Sensitive PHI and PII fields can be flagged for redaction before AI processing. Because Wyse drafts and you approve every customer-facing action, a human stays in the loop on anything that ships.
What compliance certifications does Wysera have?
Wysera is GDPR and CCPA/CPRA compliant today. SOC 2 Type II is in progress with a Vanta-led audit underway, and ISO 27001 is on the roadmap for 2027. For healthcare customers, a HIPAA Business Associate Agreement is available on request. Wysera keeps this status honest rather than aspirational, so it does not claim certifications it has not earned yet.
Does Wysera offer a HIPAA BAA?
Yes. A HIPAA Business Associate Agreement is available for healthcare customers and is required for hospice, clinical, and other PHI-handling workflows. Wysera also supports field-level redaction of PHI before AI processing. To request a BAA, email hi@wysera.ai and the team typically responds within 24 hours.
Does Wysera train AI models on my data?
No. Customer data never trains public AI models and is never included in fine-tuning datasets for public release. Wyse learns only from your own team's edits and approvals, scoped to your tenant, so other customers never benefit from your data. When an upstream model runs a task, only the prompt content needed is sent, under zero-data-retention contracts.
Who owns the data in a Wysera account?
You do. Customers own their data and their accounts. Every Wyse-drafted output is logged with its prompt, model, and result, and that history is searchable and exportable for the lifetime of your account. Under CCPA, data export and deletion are honored within 30 days, so you can take your data with you at any time.
Where is my Wysera data stored?
By default, data is hosted in AWS us-east-1 in Virginia with multi-AZ failover and backups in Oregon. EU residency in AWS eu-central-1 in Frankfurt is available on Pro Bundle and Enterprise plans for GDPR-strict customers. Enterprise customers can also request dedicated single-tenant deployments in regions such as Australia, the UK, or Canada.