Security & Trust

Security isn't a tier you upgrade into at WoneSuite — every customer gets the same protections by default. This page summarises how we safeguard your data. Questions, or a vendor security review? Email security@wonesuite.com.

• In transit: all traffic to WoneSuite is encrypted with TLS (HTTPS); we enforce strong ciphers and HTTP security headers.
• At rest: data is stored on encrypted volumes.
• Secrets: credentials and keys are stored separately from application data and never exposed in logs.

WoneSuite is multi-tenant by design. Every tenant's data is logically isolated and access is enforced at the data layer with row-level security, so one customer can never read or write another customer's records. Isolation is verified by an automated test gate on every change.

• Role-based permissions govern what each user can see and do inside a workspace.
• The super-admin control plane is reachable only on a private host and supports opt-in two-factor authentication (enrolled by the account owner — never forced).
• Administrative actions are written to an audit log.

• WoneSuite runs on hardened, access-controlled infrastructure with network-level restrictions; the database is not exposed to the public internet.
• We monitor for anomalous and automated (bot) traffic and rate-limit sensitive endpoints.
• We take regular backups and maintain recovery procedures so your data can be restored.

We welcome reports from security researchers. If you believe you've found a vulnerability, please email security@wonesuite.com with the details and steps to reproduce. Please give us a reasonable chance to investigate and remediate before any public disclosure, and avoid accessing or modifying data that isn't yours. We won't pursue good-faith research conducted under these guidelines.

We use a small set of vetted service providers to operate WoneSuite — see the current sub-processors list. Where you require it, we support Canadian and regional data-residency commitments for your account; contact us to discuss.

Our practices are designed to align with frameworks such as the GDPR and SOC 2 principles, and our compliance posture continues to mature. Security is shared: please use strong, unique passwords, enable two-factor authentication, manage your users' access carefully, and tell us immediately about any suspected compromise. How we handle personal data is described in our Privacy Policy.