wits
    Security · how we protect your data

    Security
    as a default.

    Bank-grade encryption. Mobile apps locked to our servers. Strict access controls. Full audit logs. Independent security reviews planned annually. Not because we sell to enterprise — because every customer deserves it.

    The short version.

    Ten controls, in plain language. The longer version is available on request for partners under NDA.

    Area
    What it means
    Standard
    Encryption
    Customer data is encrypted at rest and in transit.
    AES-256-GCM at rest · TLS 1.3 in transit
    Network
    Mobile apps only trust our servers — fakes are blocked.
    Certificate pinning
    Access
    Only authorised people see customer data.
    Role-based access · audit logs
    Hosting
    You choose where your customers’ data lives.
    EU · US · IN · APAC regions
    Privacy
    We comply with the major privacy regulations.
    GDPR · DPDPA · CCPA aligned
    Backups
    Daily backups, tested monthly.
    30-day retention
    Audits
    Independent annual review.
    SOC 2 Type II target 2026
    Data isolation
    Customer data is logically segregated per tenant.
    Row-level + schema-level isolation
    Secrets management
    Secrets never touch source control or logs.
    KMS-backed envelope encryption
    Incident response
    A documented playbook with named roles.
    24-hour notification to affected customers

    How AI is handled.

    The AI-specific layer of our security posture. These are the controls that matter most as AI products mature.

    Your data stays yours

    We do not train foundation models on your data. We do not resell or expose it to other tenants.

    Per-tenant context

    Retrieval and embeddings are scoped per tenant. There is no cross-tenant leakage by design.

    Human-in-the-loop where it matters

    High-stakes decisions (filings, payouts, customer-facing actions) get an approval queue. The AI never acts unilaterally on irreversible work.

    Prompt injection guards

    Inputs are filtered for known injection patterns. Sensitive system prompts are not user-influenced.

    Observability

    Every AI action is logged with input, output, model version, and the human reviewer (if any).

    Off-switch

    AI features can be disabled per tenant or per feature without breaking the rest of the product.

    Reporting a vulnerability.

    If you find a security issue, please tell us before you tell anyone else. We are small enough to respond fast.

    Write to security@xwits.dev. PGP key available on request.

    We acknowledge every report within one business day. For confirmed vulnerabilities, we will share a timeline for a fix and credit you in the resolution (if you wish).

    We do not run a formal bug bounty programme yet, but we will say thank you with something appropriate when the report merits it.

    Need our security paper?

    Talk to us under NDA.

    The longer-form security and compliance documentation — including network topology, sub-processor list, and pen-test summary — is available to partners under NDA.

    Request the security papersecurity@xwits.dev