Security & Compliance

Your data is safe with us

Encryption in transit and at rest, data residency choices, GDPR compliance, annual pen testing, and audit logs, because your customers trust you with their data.

๐Ÿ†

SOC 2 Ready

Our infrastructure runs in AWS data centers covered by AWS's own SOC 2 Type II report; that report attests to AWS's controls, not to ours. We are in active preparation for our own SOC 2 Type II audit.


GDPR Compliant

Data processing agreements available. Contact data export and deletion supported via API and the admin panel.


ISO 27001 Aligned

Our security controls are designed to align with ISO 27001 information security management principles. This is an alignment statement, not a certification.


Penetration Tested

Annual penetration testing conducted by an independent third-party security firm. Reports available to Enterprise customers under NDA.

Security controls

Layered security from infrastructure to application level.

Encryption

  • TLS 1.2+ for all data in transit
  • AES-256 encryption for data at rest
  • Encrypted database backups with automated key rotation
  • Secrets management via environment isolation (never in code)

Infrastructure

  • Hosted on AWS with SOC 2 Type II certified data centers
  • Neon PostgreSQL with automatic failover
  • Vercel edge network for global low-latency delivery
  • 99.9% uptime SLA (see our status page)
  • DDoS protection and WAF on all endpoints

Access Control

  • Role-based access control (OWNER, ADMIN, AGENT)
  • SAML 2.0 / SSO with Okta, Azure AD, Google Workspace
  • Two-factor authentication (TOTP) enforced per org
  • IP allowlist for workspace access
  • Session timeout policies configurable per organization

Compliance & Auditing

  • Full audit log of admin actions (role changes, settings, deletions)
  • GDPR-ready: contact data export, right to erasure, DPA available
  • Immutable event log for SOC 2 evidence collection
  • Annual penetration testing by third-party security firm
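The "immutable event log" bullet above describes a tamper-evident record. As an added illustration (this is not the product's own code, and it does not describe how the product's log is actually built), here is the standard technique in Python: a hash-chained audit log in which every entry commits to the SHA-256 of the entry before it, so editing or removing an earlier row breaks the chain. The entry fields, action names (role.change, settings.update, contact.delete) and sample rows are constructed for the example.

```python
import hashlib
import json
from dataclasses import dataclass, asdict, replace
from typing import List, Optional, Tuple

# Value chained into the very first entry (there is no previous hash yet).
GENESIS_HASH = "0" * 64


@dataclass(frozen=True)
class AuditEntry:
    seq: int          # position in the log, starting at 0
    ts: str           # ISO-8601 timestamp
    actor: str        # who performed the action
    role: str         # actor's role at the time (OWNER, ADMIN or AGENT)
    action: str       # hypothetical action names, e.g. role.change, contact.delete
    target: str       # what was acted on
    prev_hash: str    # SHA-256 hex digest of the previous entry
    hash: str = ""    # SHA-256 hex digest of this entry's other fields


def entry_hash(entry: AuditEntry) -> str:
    """Hash every field except `hash` itself, using a deterministic encoding."""
    fields = asdict(entry)
    fields.pop("hash")
    # sorted keys + no whitespace: identical entries always hash identically
    canonical = json.dumps(fields, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


class AuditLog:
    """Append-only log where each entry commits to the one before it."""

    def __init__(self) -> None:
        self.entries: List[AuditEntry] = []

    def append(self, ts: str, actor: str, role: str, action: str, target: str) -> AuditEntry:
        prev = self.entries[-1].hash if self.entries else GENESIS_HASH
        draft = AuditEntry(len(self.entries), ts, actor, role, action, target, prev)
        entry = replace(draft, hash=entry_hash(draft))
        self.entries.append(entry)
        return entry

    def head_hash(self) -> str:
        """Hash of the newest entry; store this outside the log (see verify_with_anchor)."""
        return self.entries[-1].hash if self.entries else GENESIS_HASH


def verify_chain(entries: List[AuditEntry]) -> Tuple[bool, Optional[int]]:
    """Return (True, None) if the chain is intact, else (False, index of first bad entry)."""
    expected_prev = GENESIS_HASH
    for i, e in enumerate(entries):
        if e.seq != i or e.prev_hash != expected_prev or entry_hash(e) != e.hash:
            return False, i
        expected_prev = e.hash
    return True, None


def verify_with_anchor(entries: List[AuditEntry], anchored_head: str) -> bool:
    """Chain check plus comparison against a head hash kept outside the log.

    A hash chain alone cannot tell that the newest entries were dropped: the
    shortened log is still internally consistent. Comparing against a head
    hash recorded elsewhere (e.g. in each evidence export) closes that gap.
    """
    ok, _ = verify_chain(entries)
    current_head = entries[-1].hash if entries else GENESIS_HASH
    return ok and current_head == anchored_head


def with_modified(entries: List[AuditEntry], idx: int, **changes) -> List[AuditEntry]:
    """Simulate an attacker editing one stored row in place (stored hash left as is)."""
    out = list(entries)
    out[idx] = replace(out[idx], **changes)
    return out


def build_sample_log() -> AuditLog:
    """Constructed sample rows mirroring the admin actions listed above."""
    log = AuditLog()
    log.append("2024-05-01T10:00:00Z", "owner@example.com", "OWNER",
               "role.change", "agent@example.com:AGENT->ADMIN")
    log.append("2024-05-01T10:05:00Z", "admin@example.com", "ADMIN",
               "settings.update", "session_timeout=30m")
    log.append("2024-05-01T10:09:00Z", "admin@example.com", "ADMIN",
               "contact.delete", "contact:4711")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("intact:", verify_chain(log.entries))                                   # (True, None)
    edited = with_modified(log.entries, 1, target="session_timeout=0")
    print("edited row:", verify_chain(edited))                                    # (False, 1)
    gap = [e for e in log.entries if e.seq != 1]
    print("deleted row:", verify_chain(gap))                                      # (False, 1)
    truncated = log.entries[:2]
    print("truncated, chain only:", verify_chain(truncated))                      # (True, None)
    print("truncated, anchored:", verify_with_anchor(truncated, log.head_hash())) # False
```

Two points worth checking when evaluating any "immutable" log claim: an attacker who edits a row and recomputes its hash is still caught, because the next entry's prev_hash no longer matches; and silently dropping the newest rows is not caught by the chain at all, which is why the head hash has to be anchored somewhere the log's own storage cannot rewrite.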

Data Residency

  • India (ap-south-1, Mumbai): default
  • US East (us-east-1): available on Enterprise
  • EU (eu-west-1): available on Enterprise
  • Data Processing Agreement (DPA) included on request
  • No data shared with third parties without explicit consent

Privacy

  • GDPR, PDPB (India), and CCPA aligned practices
  • Anonymisation of deleted contact records
  • Cookie consent and tracking opt-out in the widget
  • Privacy-by-design: minimal data collection

Responsible disclosure

Found a vulnerability? We're grateful. Email admin@winnoventures.co.in with details (affected component, steps to reproduce, and impact). We commit to responding within 48 hours and crediting researchers in our hall of fame (if desired).

Security FAQs

Can I get a copy of your penetration test report?

Yes. Enterprise customers can request the most recent penetration test report under NDA. Contact our security team.

Where is my data stored?

By default, data is stored in AWS ap-south-1 (Mumbai, India). Enterprise customers can choose US or EU regions.

Do you offer a Data Processing Agreement (DPA)?

Yes. A standard DPA is available for all paid plans. Contact admin@winnoventures.co.in to request it.

What happens to my data if I cancel?

Your data is retained for 30 days after cancellation so you can export it. After 30 days, all data is permanently deleted from our systems.

How do you handle security vulnerabilities?

We follow responsible disclosure. Report vulnerabilities to admin@winnoventures.co.in and we will respond within 48 hours.

Need more detail for your security review?

We'll share our pen test reports, answer your vendor security questionnaire, and walk you through our controls.

Contact our security team