WiseHQ
TermsPrivacySecuritySign In

Security

Effective · Version 1.0.0

We take security seriously. This page explains how WiseHQ protects your data and how to report security issues.

Data Protection

All data is encrypted in transit (TLS 1.3) and at rest (AES-256 via Supabase's underlying Postgres encryption). Passwords are hashed with bcrypt. Uploaded files are stored in Supabase Storage with signed URL access.

Access Controls

  • Multi-tenant isolation: Every customer organization's data is logically isolated using PostgreSQL Row-Level Security. One org's users cannot read, query, or modify another org's data, even via direct API calls.
  • Role-based permissions: Five-tier role hierarchy (Owner, Admin, Manager, Staff, Volunteer) with per-module permission matrix configurable by admins.
  • Principle of least privilege: Users see only what they need for their role.
  • Audit logging: All authentication events, permission changes, and sensitive operations logged with timestamp, actor, IP, and user agent.

Infrastructure

  • Hosting: Vercel (SOC 2 Type 2 certified). Static assets served via CDN.
  • Database & storage: Supabase (SOC 2 Type 2 certified). Data residency: US East by default; EU residency available on request.
  • Email delivery: Resend (SOC 2 Type 2 certified).
  • Payments: Stripe (PCI DSS Level 1). Credit card details never touch our servers.
  • AI: Anthropic Claude API. Your data is not used to train AI models.

Security Headers

Every response sets modern security headers including Content-Security-Policy, Strict-Transport-Security, X-Content-Type-Options, X-Frame-Options, and a Permissions-Policy that disables unused browser APIs.

Authentication

  • Email + password with bcrypt hashing
  • Google OAuth 2.0
  • Optional magic link sign-in (passwordless)
  • Email verification required before first login
  • Password reset via time-limited tokens
  • Session management via secure HTTP-only cookies
  • Automatic sign-out after extended inactivity

Sharing & Access

  • Document share links: Time-limited tokens, optional passwords, view-only or download-allowed, revocable at any time, access-logged.
  • Invitations: Email-matched tokens, 14-day expiry, revocable.
  • E-signatures: In-house signatures record IP, timestamp, user agent. For legally-binding signatures, connect DocuSign, Dropbox Sign, or BoldSign.

Backups & Disaster Recovery

  • Daily automated backups via Supabase (7-day retention on Free, 30-day on Pro, 90-day on Team)
  • Point-in-time recovery available
  • Quarterly disaster recovery testing

Compliance

  • GDPR: Data processing agreements available. Data export and deletion supported via Settings.
  • CCPA: California residents have right to know, delete, and opt-out of sale (we do not sell data).
  • Subprocessor list: See our Privacy Policy for the current list.
  • Data Processing Agreement: Available upon request from help@getwisehq.com.

Incident Response

In the event of a data breach affecting personal data, we will:

  • Contain and remediate the issue as quickly as possible
  • Notify affected users within 72 hours (GDPR) or as legally required
  • Provide guidance on protective steps they can take
  • Work with law enforcement if appropriate
  • Publish a post-mortem describing what happened and what we changed

Reporting Security Issues

Found a vulnerability? Please report it to help@getwisehq.com.

Please include:

  • A description of the issue
  • Steps to reproduce (include URLs, payloads, screenshots)
  • Your assessment of potential impact
  • Your contact info

We commit to:

  • Acknowledging your report within 48 hours
  • Keeping you updated as we investigate and fix
  • Crediting you in our security advisories (unless you prefer anonymity)
  • Not taking legal action against good-faith security research

Please do not:

  • Publicly disclose issues before we've had a chance to address them
  • Access, modify, or destroy other users' data
  • Perform denial-of-service attacks
  • Use social engineering against WiseHQ staff or customers

Security Policies for Customers

We recommend all WiseHQ organizations:

  • Enable 2FA on the Google account used for Google OAuth
  • Use strong unique passwords (consider a password manager)
  • Review team members and roles quarterly
  • Revoke access promptly when team members leave
  • Don't share login credentials — use invitations instead
  • Treat share links carefully — they grant access to whoever has the URL

Changes

This page may be updated as our security posture evolves. Material changes will be announced via email and in-app notice. Current version: 1.0.0 (April 23, 2026).

Questions? legal@getwisehq.com