WITONE — Innovate Securely

Security

WitOne is the security layer for our customers' programs. We hold ourselves to the bar we sell. Here's what that looks like.

Certifications

  • SOC 2 Type II — annually audited
  • ISO/IEC 27001 — Information Security Management System
  • ISO/IEC 42001 — AI Management System
  • HIPAA — eligible deployments with BAAs
  • PCI DSS — Service Provider Level 1 attestation for in-scope environments
  • FedRAMP — alignment artifacts available for public-sector customers
  • CSA STAR Self-Assessment

Encryption

  • TLS 1.3 in transit, AES-256 envelope encryption at rest
  • Customer-managed keys (BYOK) on AWS KMS, Azure Key Vault, GCP KMS
  • HSM-backed signing for high-trust workloads
  • Mutual TLS (mTLS) between internal services

Access control

  • Phishing-resistant MFA enforced for all employees and contractors
  • Least-privilege IAM with role-based access
  • Production access logged immutably and reviewed monthly
  • Just-in-time elevation for break-glass scenarios
  • Quarterly access reviews tied to HR records

Software supply chain

  • Signed builds with Sigstore / SLSA Level 3 attestations
  • Pinned dependencies and continuous SCA
  • SBOMs published for every release
  • Mandatory peer review and CI security gates
  • Secret scanning on every commit

Infrastructure

  • Hosted on hyperscale providers (AWS, Azure, GCP) with multi-region failover
  • Network segmentation and zero-trust between services
  • Continuous CSPM and drift detection (we use ECOS on ourselves)
  • DDoS protection at the edge

Monitoring & response

  • The WitOne SOC monitors WitOne itself, 24/7
  • Sentinel guards every internal AI agent and tool
  • Detection-as-code coverage mapped to MITRE ATT&CK
  • Quarterly red-team and tabletop exercises

Incident response

  • 24-hour disclosure SLA on confirmed customer-impacting security incidents
  • Signed status updates throughout incident lifecycle
  • Post-incident review published within 30 days of resolution
  • Direct line to a named lead engineer during major incidents

Bug bounty

We operate a bug bounty program through a third-party platform. Researchers acting in good faith and within program scope are protected by safe-harbor terms. Initial submissions and questions: security@witone.one.

Documentation requests

SOC 2 Type II reports, penetration test summaries, security questionnaires (CAIQ-Lite, SIG-Lite), and BAAs are available under NDA. Contact trust@witone.one. See also our Trust Center.