Security Policy
How we protect your data and your customers' data
Last updated: April 9, 2026 · Contact: security@wubba.ai
Encryption
Data in Transit
All traffic encrypted via TLS 1.2/1.3 with high-strength cipher suites. HTTPS enforced via HSTS (preload). Security headers include CSP, X-Frame-Options, X-Content-Type-Options, and Referrer-Policy.
Data at Rest
All databases encrypted with AES-256 via AWS KMS managed keys. Backups and storage volumes encrypted by default.
Passwords
User passwords hashed with bcrypt (12 rounds). Raw passwords are never stored or logged.
Payment Data
Credit card processing handled entirely by Stripe (PCI DSS Level 1). No card data touches our servers.
Financial Data
Bank account connections powered by Plaid (SOC 2 Type II). Credentials are never shared with or stored by WUBBA.
Access Controls
Authentication
Email/password with bcrypt hashing, plus OAuth SSO via Google and Microsoft. Email verification required. TOTP multi-factor authentication (MFA) available for all accounts.
Role-Based Access
Three-tier RBAC model (Admin, Agency, Client) with least-privilege enforcement. API routes protected by middleware authentication.
Tenant Isolation
All data queries are filtered by tenant ID. No business can access another business's data, agents, customers, or documents.
Session Management
JWT tokens with 7-day expiry. Sessions invalidated on password change.
Rate Limiting
Adaptive rate limiting on authentication endpoints, password resets, and API operations to prevent brute force and abuse.
Infrastructure
Cloud Provider
Hosted on Amazon Web Services (AWS) us-west-2. AWS is SOC 2, ISO 27001, and HIPAA eligible.
Network Security
VPC with private subnets for databases. Security groups restrict access by port and source. RDS not publicly accessible.
Server Hardening
Minimal container images, non-root execution, SSH key-only access, no password authentication.
AWS Account Security
Root account protected with hardware MFA. IAM service accounts use programmatic access keys with scoped permissions.
Email Security
SPF, DKIM, and DMARC records configured to prevent email spoofing. Transactional emails sent via verified AWS SES. CORS restricted to approved origins only.
Data Privacy & Retention
Privacy Policy
Published at /privacy. Covers data collection, usage, third-party services, and user rights including access, deletion, and portability.
Consent
Explicit consent obtained during registration and on all intake forms. Privacy policy linked from all public-facing forms.
Data Retention
Active account data retained while account is active. Deleted data purged within 30 days. Automated database backups retained for 30 days.
Data Deletion
Users can request full account and data deletion via security@wubba.ai. Customer records deletable by authorized agency users. Cascading deletes ensure no orphaned data.
Audit Logging
User actions logged with timestamps, IP addresses, and resource identifiers. Audit logs retained for 1 year.
Vulnerability Management & Incident Response
Dependency Scanning
Automated vulnerability scanning on every build via npm audit. Critical vulnerabilities patched within 24 hours.
Secure Development
Parameterized queries via Prisma ORM (SQL injection prevention). Input validation with Zod schemas. CSRF protection via NextAuth.
Incident Response
Documented incident response procedure: detect, contain, investigate, remediate, notify. Affected users notified within 72 hours of confirmed breach.
Responsible Disclosure
Security researchers can report vulnerabilities to security@wubba.ai. We commit to acknowledging reports within 48 hours.
Questions about our security practices?
Contact our security team at security@wubba.ai