Security Policy
Last Updated: December 1, 2024
SECURITY FIRST: Whispie implements industry-leading security measures to protect sensitive baby and family data. Our security program is designed to meet or exceed global security standards.
1. Security Philosophy
At Whispie, security is fundamental to our mission of protecting families' most sensitive information. We implement a defense-in-depth strategy with multiple layers of security controls to ensure comprehensive protection of all data entrusted to us.
Our security philosophy is built on three core principles:
- Privacy by Design: Security and privacy considerations are integrated into every stage of development
- Zero Trust Architecture: Verify explicitly, use least privilege access, and assume breach
- Continuous Improvement: Regular security assessments and proactive threat monitoring
2. Security Certifications and Compliance
2.1 Compliance Frameworks
Whispie aligns with multiple international security standards and frameworks:
| Framework | Status | Scope |
| SOC 2 Type II | In Progress | Security, Availability, Confidentiality |
| ISO 27001 | Planned 2025 | Information Security Management |
| GDPR | Compliant | Data Protection & Privacy |
| CCPA/CPRA | Compliant | California Privacy |
| KVKK | Compliant | Turkey Data Protection |
| HIPAA | Guidelines Followed | Health Information Privacy |
2.2 Regional Compliance
Whispie maintains compliance with data protection regulations in all operating regions:
- European Union: GDPR compliance with EU Representative
- United Kingdom: UK-GDPR compliance
- United States: State-specific privacy laws including CCPA, CPA, VCDPA
- Turkey: KVKK compliance with VERBIS registration
- Middle East: PDPL (KSA), UAE Data Law compliance
- Asia Pacific: PDPA (Singapore), APPI (Japan) compliance
3. Technical Security Controls
3.1 Infrastructure Security
| Control Area | Implementation | Provider |
| Cloud Infrastructure | Secure, scalable cloud architecture with multi-zone redundancy | AWS, Supabase |
| Network Security | VPC, security groups, WAF, DDoS protection | Cloudflare, AWS |
| Encryption | TLS 1.3 in transit, AES-256 at rest | Supabase, AWS |
| Backup & Recovery | Automated daily backups, 30-day retention | Supabase, AWS |
3.2 Application Security
Secure Development Lifecycle (SDL):
- Threat modeling during design phase
- Static and dynamic code analysis
- Third-party dependency scanning
- Secure code review requirements
- Penetration testing biannually
Authentication & Authorization:
- Multi-factor authentication (MFA) enforcement
- Role-based access control (RBAC)
- Principle of least privilege
- Session management with secure timeout
- Password policy enforcement
3.3 Data Security
Data Classification:
| Classification | Examples | Protection Level |
| Highly Sensitive | Health data, vaccination records | Maximum encryption, strict access controls |
| Sensitive | Personal information, contact details | Strong encryption, role-based access |
| Internal | Application logs, analytics data | Encryption, access logging |
Data Encryption:
- In Transit: TLS 1.2+ for all data transmissions
- At Rest: AES-256 encryption for databases and storage
- Key Management: AWS KMS with regular key rotation
- End-to-End Encryption: For sensitive health data sharing
4. Organizational Security
4.1 Employee Security
- Background Checks: Pre-employment screening for all employees
- Security Training: Annual security awareness training
- Confidentiality Agreements: Signed by all employees and contractors
- Access Reviews: Quarterly access right reviews
- Incident Response Training: Regular tabletop exercises
4.2 Security Policies
- Acceptable Use Policy: Guidelines for appropriate system use
- Data Handling Policy: Procedures for data classification and protection
- Incident Response Plan: Documented procedures for security incidents
- Business Continuity Plan: Disaster recovery and business continuity procedures
- Vendor Security Policy: Requirements for third-party vendors
5. Third-Party Security
5.1 Vendor Security Assessment
All third-party vendors undergo security assessment before integration:
| Vendor | Service | Security Certifications | Data Processing |
| Supabase | Database & Auth | SOC 2, GDPR | Subprocessor |
| Stripe | Payments | PCI DSS Level 1, SOC 2 | Payment Processor |
| Twilio | SMS | SOC 2, ISO 27001 | Subprocessor |
| Cloudflare | Security & DNS | SOC 2, ISO 27001 | Infrastructure |
| Sentry | Error Tracking | SOC 2, GDPR | Subprocessor |
5.2 Subprocessor Management
We maintain Data Processing Addendums (DPAs) with all subprocessors and regularly review their security posture.
6. Incident Response
6.1 Incident Response Plan
Our incident response plan follows the NIST framework:
- Preparation: Documented procedures and trained team
- Detection & Analysis: Monitoring and alert systems
- Containment: Immediate action to limit impact
- Eradication: Removing threat causes
- Recovery: Restoring systems and services
- Post-Incident Activity: Lessons learned and improvements
6.2 Breach Notification
In the event of a data breach, Whispie will:
- Notify affected users within 72 hours of discovery
- Cooperate with regulatory authorities as required
- Provide clear information about the breach and steps taken
- Offer credit monitoring services if appropriate
7. Security Monitoring and Testing
7.1 Continuous Monitoring
- SIEM: Security Information and Event Monitoring
- IDS/IPS: Intrusion Detection and Prevention Systems
- Vulnerability Scanning: Regular automated scanning
- Log Analysis: Centralized logging and analysis
- Threat Intelligence: Proactive threat monitoring
7.2 Security Testing
- Penetration Testing: Annual external penetration tests
- Bug Bounty Program: Responsible disclosure program
- Code Review: All code undergoes security review
- Dependency Scanning: Automated vulnerability scanning
- Security Audits: Regular internal and external audits
8. Physical and Environmental Security
8.1 Data Center Security
Whispie utilizes enterprise-grade data centers with:
- 24/7 physical security and monitoring
- Biometric access controls
- Redundant power and cooling systems
- Fire detection and suppression systems
- Environmental monitoring
8.2 Office Security
Our corporate offices implement:
- Access control systems
- Visitor management procedures
- Secure document disposal
- Clean desk policy
- Device encryption requirements
9. Business Continuity and Disaster Recovery
9.1 Business Continuity Plan
- RTO (Recovery Time Objective): 4 hours for critical systems
- RPO (Recovery Point Objective): 1 hour for critical data
- Backup Strategy: Automated daily backups with geo-redundancy
- Disaster Recovery: Documented DR procedures and regular testing
9.2 High Availability
Whispie maintains 99.9% uptime through:
- Load balancing and auto-scaling
- Multi-zone deployment
- Database replication and failover
- CDN for static content delivery
10. Security Awareness Training
10.1 Employee Training
All employees complete comprehensive security training covering:
- Data protection and privacy principles
- Phishing and social engineering awareness
- Password security and MFA
- Incident reporting procedures
- Secure development practices
10.2 Ongoing Education
- Quarterly security awareness updates
- Phishing simulation exercises
- Security newsletter and bulletins
- Annual security certification requirements
11. Policy Governance
11.1 Policy Review
This Security Policy is reviewed and updated:
- Annually as part of our security program review
- Following significant security incidents
- When new regulations or standards are introduced
- After major system or infrastructure changes
11.2 Compliance Monitoring
We continuously monitor compliance through:
- Automated compliance checking tools
- Regular internal audits
- External security assessments
- Regulatory change monitoring
12. Contact and Reporting
12.1 Security Contacts
For security-related inquiries or to report security concerns:
Security Team: [email protected]
Privacy Team: [email protected]
Abuse Reports: [email protected]
12.2 Vulnerability Reporting
We welcome responsible vulnerability disclosures. Please report security vulnerabilities to [email protected] with:
- Detailed description of the vulnerability
- Steps to reproduce
- Potential impact assessment
- Your contact information
SECURITY COMMITMENT: Whispie is committed to maintaining the highest standards of security to protect our users' sensitive information. We continuously invest in security measures and regularly update our practices to address evolving threats.