WITONE — Innovate Securely

Trust Center

WitOne is the security layer for our customers' programs — which means we hold ourselves to the bar we sell. This is how.

Compliance certifications

  • SOC 2 Type II — annually audited (last report available on request)
  • ISO/IEC 27001 — Information Security Management System
  • ISO/IEC 42001 — AI Management System (added 2026)
  • HIPAA — eligible deployments with BAAs in place
  • PCI DSS — Service Provider Level 1 attestation for in-scope environments
  • FedRAMP — alignment artifacts available for public-sector engagements
  • CSA STAR — Self-Assessment published

Security posture

  • Customer-managed keys (BYOK) on AWS KMS, Azure Key Vault, GCP KMS
  • TLS 1.3 in transit; AES-256 envelope encryption at rest
  • Phishing-resistant MFA enforced for all employees and contractors
  • Least-privilege IAM with break-glass auditing
  • Production access logged and reviewed monthly
  • Continuous secret scanning and dependency pinning
  • Bug bounty program operated through a third-party platform

Sub-processors

A current list of sub-processors is published, and customers are notified in advance of any changes. Customers can subscribe to the sub-processor change feed via email.

Data residency

  • US, EU, and UK regions available
  • No cross-region replication unless customer-elected
  • Single-tenant deployments available for regulated workloads

Incident response

  • 24-hour disclosure SLA on confirmed customer-impacting security incidents
  • Signed status updates throughout incident lifecycle
  • Post-incident review published within 30 days of resolution
  • Direct line to a named lead engineer during major incidents

Customer rights

  • Right to audit — annually, with reasonable notice
  • Right to data export in a machine-readable format
  • Right to data deletion at end of contract, with attestation
  • Right to portability of detection and policy artifacts

Vulnerability disclosure

If you believe you've found a security issue, please contact security@witone.one. We commit to acknowledging within one business day. We participate in a coordinated disclosure program with safe-harbor provisions for good-faith research.

Documentation requests

SOC 2 Type II reports, penetration test summaries, security questionnaires (CAIQ-Lite, SIG-Lite), and BAAs are available under NDA. Contact trust@witone.one.