WingSpanAi Trust Center
Live hub for our security, privacy, compliance, and resilience posture.
This page is a living document. Items marked Pending will be released according to the roadmap shown below.
Your data deserves enterprise-grade protection and absolute transparency. This Trust Center aggregates everything you and your security reviewers need to evaluate WingSpanAi's posture across Security, Privacy, Compliance, and Resilience.
Security
AES-256 at rest · TLS 1.2/1.3 in transit · Google KMS keys
Privacy
DPA & Privacy Policy published · DSAR Portal Pending
Compliance
ISO 27001:2022 ✓ · ISO 9001:2015 ✓ · SOC 2 Type II Pending
Resilience
Daily backups · 7-day PITR · Public uptime widget Pending
1. Security
1.1 Encryption & Key Management
- Data at rest: AES-256, encrypted by Google-managed keys within Firebase.
- Data in transit: All connections use TLS 1.2+.
- Key management: Google Cloud KMS. Customer Managed Keys (BYOK) – Pending.
1.2 Architecture Overview
PNG pending final design review (ETA Q4 2025).
1.3 Policies & SDLC
- Information-Security Policy Bundle
- Secure SDLC templates integrated into pull-request workflow
1.4 Penetration Tests
- Frequency: Annual external OWASP ASVS penetration test (requirement for ISO 27001 continuous improvement)
- Last test: September 2024 – full report available under NDA; high-severity findings remediated within 30 days.
- Next test: September 2025 – redacted executive summary will be published here. (Pending)
2. Privacy
- Privacy Policy
- Data Processing Addendum (DPA)
- Collection Notice (APP 5): Users are informed of data collection via onboarding check-boxes, in-product banners, and contextual tooltips before any personal information is captured.
- Retention & Destruction (APP 11):
| Data Type | Retention Period | Deletion / De-identification Method |
|---|---|---|
| Customer account data | 12 months post-contract (default 7-year legal fallback) | Cryptographic erasure + Firestore TTL |
| Prospect data | 3 years after last engagement | Automated batch delete |
| Logs & telemetry | 13 months | Rolling window overwrite |
- Sub-processors (interim list):
| Vendor | Service | Region |
|---|---|---|
| Google Cloud / Firebase | Hosting, DB, Auth, KMS | US-central1 |
| Vercel | Edge delivery | US / EU |
| Pinecone | Vector DB | US-East-1 |
Full registry launches August 2025 with RSS change alerts.
- DSAR Portal: Form-based workflow to request, export, or delete data (Pending – Q3 2025)
Cross-border safeguards: OAIC s 16C contractual clauses & EU SCCs adopted where applicable.
3. Compliance & Certifications
| Certification | Status | Last Audit | Scope | Downloads |
|---|---|---|---|---|
| ISO 27001:2022 | ✅ Certified | Feb 2025 | ISMS for all production systems | Public attestation · Full report (NDA) |
| ISO 9001:2015 | ✅ Certified | Jan 2025 | Company-wide QMS | Public attestation |
| SOC 2 Type II | 🚧 Pending | Audit in progress · ETA Jan 2026 | Security, availability & confidentiality | — |
4. Resilience & Uptime
| Control | Metric |
|---|---|
| Backups | Daily snapshots; retained 14 weeks |
| Point-in-Time Recovery | ≤ 7 days |
| RPO | ≤ 1 hour |
| RTO | ≤ 24 hours |
| Historical uptime | 99.95 % (rolling 12 months) |
Public status page widget Pending – July 2025.
SOCI Act Notice: While WingSpanAi is not currently classified as critical infrastructure under the SOCI Act, we voluntarily align with its 72-hour breach-reporting expectation (s 30BC) for any material security incident.
5. AI & Data Ethics (RAFT™)
- No customer data is used to train LLMs.
- Vector embeddings are tenant-segregated and encrypted at rest.
- Quarterly model bias & privacy audit (first report: Q3 2025).
RAFT™ safeguards white paper (Pending – October 2025)
6. Roadmap for Pending Items
| Item | ETA |
|---|---|
| Sub-processor live registry & RSS | Aug 2025 |
| DSAR self-service portal | Sep 2025 |
| Public status page widget | Jul 2025 |
| External pen-test summary | Oct 2025 |
| RAFT™ safeguards white paper | Oct 2025 |
| SOC 2 Type II report | Jan 2026 |
| Bug-bounty programme | 2026 |
Legal Jurisdiction: This Trust Center and all associated legal documents are governed by the laws of New South Wales, Australia.
© 2025 WingSpanAi. All rights reserved.
Contact & Questions
Security
security@wingspanai.com.au
PGP fingerprint: 3F2A B9D6 8D1E 1234 5678 90AB CDEF 0123 4567 89AB
We triage critical incidents within 4 hours and provide initial containment guidance.
Privacy / DPO
Compliance
We usually respond within 48 hours.