Security & Trust
WikiSure is built for regulated enterprises. This page describes — in plain language — where your data lives, how it's protected, and what we will and won't do with it.
EU hosting
Application and database run in the European Union on Lovable Cloud infrastructure (Supabase / AWS Frankfurt). Customer data does not leave the EU region unless you explicitly enable a cross-region integration.
Encryption
All traffic is encrypted in transit with TLS 1.2+. Data at rest in the database and in object storage is encrypted with AES-256. Backups inherit the same encryption.
Row-level security
Every multi-tenant table enforces Postgres Row-Level Security. A signed-in user can only read or write rows belonging to their tenant. Service-role access is restricted to server-side functions; it never reaches the browser.
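To illustrate what tenant isolation with Postgres Row-Level Security looks like in practice, here is an added example (not WikiSure's own schema or code). It assumes hypothetical tenant_members and documents tables and Supabase's auth.uid() helper, which returns the signed-in user's id from the session JWT.

```sql
-- Added example, not WikiSure's schema: tenant isolation with Postgres RLS.
-- tenant_members maps auth users to tenants; documents carries a tenant_id.
CREATE TABLE IF NOT EXISTS tenant_members (
  user_id   uuid NOT NULL,
  tenant_id uuid NOT NULL,
  PRIMARY KEY (user_id, tenant_id)
);

CREATE TABLE IF NOT EXISTS documents (
  id        uuid PRIMARY KEY DEFAULT gen_random_uuid(),
  tenant_id uuid NOT NULL,
  title     text NOT NULL
);

-- Deny by default: with RLS enabled and forced, a table with no matching
-- policy returns zero rows, even to the table owner.
ALTER TABLE tenant_members ENABLE ROW LEVEL SECURITY;
ALTER TABLE tenant_members FORCE ROW LEVEL SECURITY;
ALTER TABLE documents      ENABLE ROW LEVEL SECURITY;
ALTER TABLE documents      FORCE ROW LEVEL SECURITY;

-- Policy subqueries run as the caller, so users must be able to read their
-- own membership rows or the documents policy below would match nothing.
CREATE POLICY tenant_members_self ON tenant_members
  FOR SELECT TO authenticated
  USING (user_id = auth.uid());

-- A signed-in user can read or write only rows of tenants they belong to.
-- USING filters what is visible; WITH CHECK blocks writes into other tenants.
CREATE POLICY documents_tenant_isolation ON documents
  FOR ALL TO authenticated
  USING (
    tenant_id IN (SELECT tenant_id FROM tenant_members WHERE user_id = auth.uid())
  )
  WITH CHECK (
    tenant_id IN (SELECT tenant_id FROM tenant_members WHERE user_id = auth.uid())
  );

-- Verification: list ordinary tables in the public schema where RLS is off.
-- A non-empty result after a migration is the misconfiguration to look for.
SELECT c.relname
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
WHERE n.nspname = 'public' AND c.relkind = 'r' AND NOT c.relrowsecurity;
```

Supabase's service role bypasses RLS entirely, which is why a key for that role must stay in server-side functions and never be shipped to the browser, as the page states.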
Authentication
Email/password and Google SSO out of the box. SAML SSO is available for pilot onboarding and enterprise configuration — contact us to enable SAML SSO. Sessions are stored in httpOnly cookies and short-lived JWTs. Password reset uses signed, single-use links.
What happens to uploaded documents
Uploaded documents are processed to extract concepts and definitions, then stored only for as long as you need them. You can delete a document, its derived findings, or only its extracted concepts at any time via Data Controls. Deletion is hard delete — not soft delete.
Data retention
Customer data is retained for the duration of your subscription. On termination, we delete tenant data within 30 days unless you request a shorter window. Audit logs are retained for 12 months for security investigations.
Data ownership
You own your data. We do not train shared AI models on customer documents or definitions. Aggregated, anonymized usage metrics may be used to improve the product.
DPA & sub-processors
A Data Processing Agreement (GDPR Art. 28) is available — see /legal/dpa. The current sub-processor list is public and versioned.
Security evidence — current status
We publish the truth, not the marketing version. Implemented, planned and not-yet-initiated controls are all shown.
- Encryption (TLS 1.2+ in transit, AES-256 at rest): Implemented
- Data Processing Agreement (DPA) available: Implemented
- Audit logging of governance and admin events: Implemented
- EU hosting (Frankfurt): Implemented
- Self-serve document, findings and concepts deletion: Implemented
- SAML SSO (pilot configuration on request): Pilot configuration
- Third-party penetration testing: Planned
- SOC 2 Type I / Type II: Not yet initiated
- ISO 27001 certification: Not yet initiated
Updated on every release. Where evidence exists (audit log samples, encryption settings), it can be shared under NDA during pilot conversations.
Reporting a vulnerability
Found something? Email security@wikisure.org with reproduction steps. We acknowledge within 2 business days.