Security Policy

Last Updated: December 1, 2024

SECURITY FIRST: Whispie implements industry-leading security measures to protect sensitive baby and family data. Our security program is designed to meet or exceed global security standards.

1. Security Philosophy

At Whispie, security is fundamental to our mission of protecting families' most sensitive information. We implement a defense-in-depth strategy with multiple layers of security controls to ensure comprehensive protection of all data entrusted to us.

Our security philosophy is built on three core principles:

2. Security Certifications and Compliance

2.1 Compliance Frameworks

Whispie aligns with multiple international security standards and frameworks:

Framework Status Scope
SOC 2 Type II In Progress Security, Availability, Confidentiality
ISO 27001 Planned 2025 Information Security Management
GDPR Compliant Data Protection & Privacy
CCPA/CPRA Compliant California Privacy
KVKK Compliant Turkey Data Protection
HIPAA Guidelines Followed Health Information Privacy

2.2 Regional Compliance

Whispie maintains compliance with data protection regulations in all operating regions:

3. Technical Security Controls

3.1 Infrastructure Security

Control Area Implementation Provider
Cloud Infrastructure Secure, scalable cloud architecture with multi-zone redundancy AWS, Supabase
Network Security VPC, security groups, WAF, DDoS protection Cloudflare, AWS
Encryption TLS 1.3 in transit, AES-256 at rest Supabase, AWS
Backup & Recovery Automated daily backups, 30-day retention Supabase, AWS

3.2 Application Security

Secure Development Lifecycle (SDL):

Authentication & Authorization:

3.3 Data Security

Data Classification:

Classification Examples Protection Level
Highly Sensitive Health data, vaccination records Maximum encryption, strict access controls
Sensitive Personal information, contact details Strong encryption, role-based access
Internal Application logs, analytics data Encryption, access logging

Data Encryption:

4. Organizational Security

4.1 Employee Security

4.2 Security Policies

5. Third-Party Security

5.1 Vendor Security Assessment

All third-party vendors undergo security assessment before integration:

Vendor Service Security Certifications Data Processing
Supabase Database & Auth SOC 2, GDPR Subprocessor
Stripe Payments PCI DSS Level 1, SOC 2 Payment Processor
Twilio SMS SOC 2, ISO 27001 Subprocessor
Cloudflare Security & DNS SOC 2, ISO 27001 Infrastructure
Sentry Error Tracking SOC 2, GDPR Subprocessor

5.2 Subprocessor Management

We maintain Data Processing Addendums (DPAs) with all subprocessors and regularly review their security posture.

6. Incident Response

6.1 Incident Response Plan

Our incident response plan follows the NIST framework:

6.2 Breach Notification

In the event of a data breach, Whispie will:

7. Security Monitoring and Testing

7.1 Continuous Monitoring

7.2 Security Testing

8. Physical and Environmental Security

8.1 Data Center Security

Whispie utilizes enterprise-grade data centers with:

8.2 Office Security

Our corporate offices implement:

9. Business Continuity and Disaster Recovery

9.1 Business Continuity Plan

9.2 High Availability

Whispie maintains 99.9% uptime through:

10. Security Awareness Training

10.1 Employee Training

All employees complete comprehensive security training covering:

10.2 Ongoing Education

11. Policy Governance

11.1 Policy Review

This Security Policy is reviewed and updated:

11.2 Compliance Monitoring

We continuously monitor compliance through:

12. Contact and Reporting

12.1 Security Contacts

For security-related inquiries or to report security concerns:

Security Team: [email protected]

Privacy Team: [email protected]

Abuse Reports: [email protected]

12.2 Vulnerability Reporting

We welcome responsible vulnerability disclosures. Please report security vulnerabilities to [email protected] with:

SECURITY COMMITMENT: Whispie is committed to maintaining the highest standards of security to protect our users' sensitive information. We continuously invest in security measures and regularly update our practices to address evolving threats.