WingSpanAi Trust Center
Live hub for our security, privacy, compliance, and resilience posture.
This page is a living document. Items marked Pending will be released according to the roadmap shown below.
Your data deserves enterprise-grade protection and absolute transparency. This Trust Center aggregates everything you and your security reviewers need to evaluate WingSpanAi's posture across Security, Privacy, Compliance, and Resilience.
Security
AES-256 at rest · TLS 1.2/1.3 in transit · Google KMS keys
Privacy
DPA & Privacy Policy published · DSAR Portal Pending
Compliance
ISO 27001:2022 Pending · ISO 9001:2015 Pending · SOC 2 Type II Pending
Resilience
Daily backups · 7-day PITR (core systems; 24-hour API cache excluded) · Public uptime widget Pending
1. Security
1.1 Encryption & Key Management
- Account security: MFA enforced for all accounts (clients, partners, employees) via Firebase Auth.
- Data at rest: AES-256, encrypted by Google-managed keys within Firebase.
- Data in transit: All connections use TLS 1.2+.
- Key management: Google Cloud KMS. Customer Managed Keys (BYOK) – Pending.
1.2 Architecture Overview
PNG pending final design review (ETA Q1 2026).
Google Cloud/Firebase ap-southeast-2 hosting; no data leaves Australia.
1.3 Policies & SDLC
- Information-Security Policy Bundle
- Secure SDLC templates integrated into pull-request workflow
- Patch Management: Automated patch management via Google Cloud auto-updates + Firebase managed services
- Critical security patches: Within 7 days
- High severity: Within 14 days
- Standard updates: Monthly maintenance window
1.4 Penetration Tests
- Frequency: Annual external OWASP ASVS penetration test (requirement for ISO 27001 continuous improvement)
- OWASP ZAP Baseline (Feb 5, 2026): 61 PASS, 0 FAIL, 6 WARN (CSP + low/info only) – View Report
- Next test: External OWASP ASVS penetration test, September 2026 – redacted executive summary will be published here. (Pending)
2. Privacy
- Privacy Policy
- Data Processing Addendum (DPA)
- Collection Notice (APP 5): Users are informed of data collection via onboarding check-boxes, in-product banners, and contextual tooltips before any personal information is captured.
- Retention & Destruction (APP 11):
| Data Type | Retention Period | Deletion / De-identification Method |
|---|---|---|
| Customer account data | 12 months post-contract (default 7-year legal fallback) | Cryptographic erasure + Firestore TTL |
| Prospect data | 3 years after last engagement | Automated batch delete |
| Third-Party API Cache Data (e.g., PracSuite) | 24 hours maximum | Firestore TTL auto-delete; excluded from backups |
| Logs & telemetry | 13 months | Rolling window overwrite |
- Sub-processors:
For Third-Party API Integration Data (e.g., PracSuite)
These subprocessors may receive or process data from third-party API integrations:
| Vendor | Service | Region | Data Retention |
|---|---|---|---|
| Google Cloud / Firebase | Hosting, DB, Auth, KMS | ap-southeast-2 Sydney | 24 hours max (TTL) |
Full registry launches Q3 2026 with RSS change alerts. For API integration-specific subprocessor questions, contact privacy@wingspanai.com.au
- DSAR Portal: Form-based workflow to request, export, or delete data (Pending – Q2 2026)
Cross-border safeguards: OAIC s 16C contractual clauses & EU SCCs adopted where applicable.
3. Compliance & Certifications
| Certification | Status | Last Audit | Scope | Downloads |
|---|---|---|---|---|
| ISO 27001:2022 | 🚧 Pending | Audit in progress · ETA Q2 2026 | ISMS for all production systems | — |
| ISO 9001:2015 | 🚧 Pending | Audit in progress · ETA Q2 2026 | Company-wide QMS | — |
| SOC 2 Type II | 🚧 Pending | Audit in progress · ETA Q2 2026 | Security, availability & confidentiality | — |
4. Resilience & Uptime
| Control | Metric |
|---|---|
| Backups | Daily snapshots; retained 14 weeks |
| Point-in-Time Recovery | ≤ 7 days |
| RPO | ≤ 1 hour |
| RTO | ≤ 24 hours |
| Historical uptime | 99.95 % (rolling 12 months) |
Public status page widget Pending – Q3 2026.
SOCI Act Notice: While WingSpanAi is not currently classified as critical infrastructure under the SOCI Act, we voluntarily align with its 72-hour breach-reporting expectation (s 30BC) for any material security incident.
5. AI & Data Ethics (RAFT™)
- No customer data is used to train LLMs.
- Vector embeddings are tenant-segregated and encrypted at rest.
- Quarterly model bias & privacy audit (first report: Q1 2026).
RAFT™ safeguards white paper (Pending – May 2026)
6. Roadmap for Pending Items
| Item | ETA |
|---|---|
| Sub-processor live registry & RSS | Q3 2026 |
| DSAR self-service portal | Q2 2026 |
| Public status page widget | Q3 2026 |
| External pen-test summary | Sep 2026 |
| RAFT™ safeguards white paper | May 2026 |
| SOC 2 Type II report | Q2 2026 |
| Bug-bounty programme | 2026 |
Legal Jurisdiction: This Trust Center and all associated legal documents are governed by the laws of New South Wales, Australia.
2026 WingSpanAi. All rights reserved.
Contact & Questions
Security
We triage critical incidents within 4 hours and provide initial containment guidance.
Privacy / DPO
Compliance
We usually respond within 48 hours.