Security Practices

Security is integral to Wippy’s performance and so we take it seriously. This Security Practices page describes the organizational, technical, and physical controls applicable to Wippy, including our Services, as more specifically described in the Terms of Service agreement with Wippy. These policies and practices may change as the Services and industry evolve, so please check back regularly for updates. Capitalized terms used below but not defined in this policy have the meaning set forth in the Master Subscription Terms and Conditions, or other written agreement between Wippy and applicable customers (the “Terms”).

1. Wippy Controls

• Architecture and Data Segregation: Wippy operates a multi-tenant software-as-a-service system, using a shared infrastructure for all users. We have implemented measures designed to ensure the logical separation of Customer Data, as more specifically defined in a governing agreement with Wippy covering the use of the Services. These measures include the use of access lists and association of Customer Data with unique customer IDs.
• Public Cloud Infrastructure: Wippy utilizes Amazon Web Services (AWS) for its public cloud infrastructure. The services provided by AWS web hosting, user management, backend API, compute, database, monitoring, and automation. Wippy does not use a private or hybrid cloud.

2. Audits: Wippy has a audit system in place designed to continuously monitor for vulnerabilities, instances of non-compliance, and misconfigurations. 

3. Security Controls: Wippy has established a comprehensive security control framework aligned to our defined security policies, risk management program, and industry-leading best practices and standards. This rigorous approach is designed to safeguard the confidentiality, integrity, and availability of any Customer Data that is processed, transmitted, or stored by Wippy.

The security controls that we have put in place encompass a wide range of measures, including:

• Access Management: Wippy uses a centralized system for managing identities, governing access to all key systems and physical access to sensitive office locations. Administrators and incident responders can use this to easily terminate and disable all authenticated sessions. All access is granted based on approved requests and we conduct quarterly reviews of access to any sensitive system.
• Company-wide multi-factor authentication: To protect Wippy staff identities, we employ industry leading security practices, such as requiring all staff members to use a 2FA.
• Audit Logging: We log access and action taken by Wippy staff, as well as all customer authentication-related events. This includes recording details such as the type of device used, IP addresses, and any registered abnormalities such as impossible travel.
• Network Protection: We employ network abnormality detection software, multi-factor authentication based access to servers and databases in the production environment (Wippy relies on Amazon security best practices), firewalls configured according to best practices, and encrypted communications channels utilizing Transport Layer Security 1.2+ (TLS 1.2+) at a minimum.
• Cloud Security Posture Management: We continuously monitor our cloud infrastructure for misconfigurations, as well as exposure, vulnerability, and patch management issues.
• Application Security: We have implemented a secure software development lifecycle policy. New features and significant changes undergo a review process. We also utilize continuous static code scanning and software composition analysis to detect and mitigate any potential vulnerabilities in our applications as early as possible.

It's important to note that the protection of Customer Data is a shared responsibility. Customers have responsibility and control over various measures, including:

• Data sharing: Customers have control over the nature of content they submit to the Services and the sharing of text chats, videos, templates, avatars, voices, documents and assets.
• Content generation: Customers can use or not use AI-assisted generation of content.
  
• Single Sign-On: Customers have control over how Single Sign-On (SSO) is governed on their end.‍
  
• Workspace access: Customers has the option to manage access to their workspace by inviting other users or guests.
  

4. Intrusion Detection: Wippy employs an intrusion detection system around its infrastructure. Wippy partners with 24/7 managed detection and response providers that specialize in identifying and addressing security threats across endpoints, cloud infrastructure, and identities. This proactive approach underpins our commitment to system security and data protection.

5. Security Logs: Security-relevant events originating from Wippy infrastructure, including events related to authentication and actions taken by staff, are logged and audited. These logs are stored and are protected from unauthorized access. Logs cannot be deleted or modified, even by an administrator.

6. Incident Management: Wippy has an established and documented incident response plan for managing incidents. This plan is reviewed once a year and is communicated to all relevant parties. We also have an incident response team that quantifies and monitors incidents involving security, availability, processing integrity, and confidentiality. All incidents are documented in Wippy's security incident register, and all actions taken during an incident are documented and reviewed once the emergency is over. Wippy notifies impacted customers without undue delay of any unauthorized disclosure of their respective Customer Data by Wippy or its agents of which Wippy becomes aware, to the extent permitted by law.

7. Data Encryption: Wippy employs encryption mechanisms designed to protect Customer Data. All stored Customer Data is encrypted using the 256-bit Advanced Encryption Standard (AES-256). The encryption keys are stored and managed within the Amazon services and infrastructure and are rotated periodically. Wippy is designed so that no one, including Wippy or Spiral Scout employees, can retrieve the plaintext KMS keys from the service. All communication is encrypted in transit using TLS 1.2+. We have a cryptography policy in place, which outlines encryption and key management policies and procedures.

8. Reliability, Backup, and Business Continuity: Wippy has a robust system in place designed to improve reliability, backup, and business continuity. Our infrastructure uses Amazon services, which offer resilience against natural disasters in multiple availability zones. The target for full system recovery is set at 72 hours with a recovery point objective of 24 hours. We perform daily backups of the production databases for point-in-time recovery and daily snapshots, retaining these backups for at least three months. Backups are stored securely using Amazon services, encrypted, and access-controlled, following the principle of least privilege. The backup recovery and deployment protocols are tested at least annually. Redundant architecture exists such that resources are distributed across geographically dispersed data centers to help support continuous availability, as described in the data residency section below. Additionally, our business continuity and disaster recovery plans are tested at least annually.

9. Deletion of Customer Data: Customers manage the content they create using the Services and can request that Wippy delete it from the platform. Following a request, it can take up to 90 days for Customer Data to be permanently deleted from Wippy's system, including backups but typically this is done quicker. If a request is made to delete such Customer Data upon termination of an account, Wippy will delete all copies permanently and provide confirmation of deletion. If no request for deletion is made after termination of an account, the information will automatically be deleted within 90 days. 

10. Personnel Practices: Wippy has robust personnel practices in place to help Wippy exercise appropriate control and supervision over its personnel, including strict hiring policies with background checks and scrutiny based on job function and location. All employees are trained on information security and privacy policies as part of the onboarding process, with ongoing periodic security training provided at least annually. Employees must agree to our security policies.

11. Subprocessors: Wippy uses third party entities (each, a “Subprocessor”) to process Customer Data on behalf of our Customers. We carry out compliance reviews of our Subprocessors and Wippy imposes obligations on its Subprocessors to implement appropriate technical and organizational measures around the sub-processing of Customer Data, in accordance with the standards required by applicable data protection laws.

12. Open Source Software: Certain components of the Services may contain open-source software governed by licensing agreements. Wippy has implemented a vulnerability management program designed to detect and remediate vulnerabilities in our codebase and infrastructure.