Trust, security, and compliance

How Wysera handles your data.

We are a brand-new platform shipping in 2026. We are not perfect. We are explicit. This page documents our stance on security, compliance, encryption, AI training, subprocessors, and data residency. Updated quarterly.

Last updated: 2026-06-05

Compliance posture

Where we stand today. Status is honest, not aspirational.

SOC 2 Type II

In progress

Audit underway with Vanta-led control monitoring. Letter of engagement on request.

GDPR

Compliant

EU/EEA data residency available. DPA executable on request. Standard contractual clauses in place.

CCPA / CPRA

Compliant

California consumer rights honored across the platform. Data export and deletion within 30 days.

HIPAA

BAA available

Business Associate Agreement available for healthcare customers. Required for hospice, clinical, and PHI-handling workflows.

ISO 27001

Roadmap 2027

Planned for completion in Q2 2027 after SOC 2 Type II report is issued.

PCI DSS

Not applicable

Wysera never stores or processes card numbers. All payment data lives in Stripe, our payment processor.

Encryption

At rest

AES-256 encryption for all customer data at rest. Encryption keys managed by AWS KMS. Database backups encrypted with separate keys held in a different region.

In transit

TLS 1.3 for all customer-facing endpoints. HSTS enforced. Internal service-to-service traffic uses mutual TLS where appropriate.

Key rotation

KMS master keys rotated annually. Application-level encryption keys rotated every 90 days. Customer-specific keys generated per tenant on Pro Bundle and Enterprise plans.

Field-level redaction

Sensitive fields (PHI, PII) can be flagged for field-level redaction before AI agent processing. Redacted data never leaves the storage layer.

AI training policy

The most-asked question. Four explicit statements.

Customer data never trains public AI models.

We do not send your data to third-party model providers for training. We do not include customer data in fine-tuning datasets for public release.

Customer data trains your own private model context, only.

Wyse learns from your team's edits and approvals to improve drafts for your team specifically. This learning stays scoped to your tenant. Other Wysera customers do not benefit from your data.

Model providers receive only the prompts needed for the task.

When Wyse uses an upstream model (Anthropic, OpenAI), only the prompt content needed for that task is sent. Customer prompts are not retained by the model provider beyond the inference request (per their zero-data-retention contracts).

You can audit every AI decision.

Every Wyse-drafted output is logged with the prompt, the model used, and the output. Searchable. Exportable. Available for the lifetime of your account plus retention period.

Subprocessors

Every service that processes customer data, what it does, and where it runs. Updated when we add or remove a subprocessor.

Subprocessor | Purpose                        | Region
AWS          | Infrastructure hosting         | US-East, EU-Central
Anthropic    | Upstream LLM (Claude family)   | US, EU
OpenAI       | Upstream LLM (GPT family)      | US
Stripe       | Payment processing             | US, EU
Vanta        | Compliance monitoring (SOC 2)  | US
Resend       | Transactional email            | US, EU
Cloudflare   | CDN, DDoS protection           | Global
Sentry       | Error tracking (PII-scrubbed)  | US, EU

Data residency

US (default)

Primary infrastructure in AWS us-east-1 (Virginia) with multi-AZ failover. Backups replicated to us-west-2 (Oregon).

EU

Available on Pro Bundle and Enterprise. Infrastructure in AWS eu-central-1 (Frankfurt) with multi-AZ failover. Backups replicated to eu-west-1 (Ireland). Suitable for GDPR-strict customers.

Custom

Dedicated single-tenant deployments available for Enterprise customers needing specific residency (Australia, UK, Canada). Lead time: typically 30-60 days.

Vulnerability disclosure

Found a security issue? Email me@gkotte.com with the subject line “Security disclosure.” We commit to acknowledging within 24 hours, triaging within 72 hours, patching critical vulnerabilities within 7 days, and crediting the reporter if they choose.

We do not have a paid bug bounty program in 2026, but we will send a thank-you, a credit on the security page (with your permission), and Wysera Pro credits as a token of appreciation for valid reports.

Documents

DPA, security questionnaire, audit letters

Need our Data Processing Agreement, a completed CAIQ, or our SOC 2 audit letter? Email us. We send these to prospects and customers under NDA, usually within 24 hours.