It’s a given these days that organizations must ensure their sensitive information is protected against breaches. And we believe providing them with proof that their data is secure is equally important, which is why we’re proud to have recently completed our SOC 2 Type I audit.
There’s nothing more important to us than providing secure and protected systems. Our customers and partners trust us with their most sensitive data, and we know that security and privacy are top-of-mind for all organizations.
Being a SOC 2 Organization is a demonstration of how everything we do takes security and privacy into consideration, and is proof we comply with Canada’s PIPEDA privacy framework and follow best practices relating to security and privacy.
Our holistic security and privacy stance is built around three fundamental principles:
Confidentiality – all systems and data must be protected from unauthorized access: this includes outside actors and internal staff without a legitimate need.
Integrity – all systems and data must be protected from unauthorized modification or deletion.
Availability – all systems and data must be available to the appropriate users when they require access.
Security is Everyone’s Responsibility
Wysdom considers security and privacy at every level and with every tool, system, and process we use. Security is everyone’s responsibility at Wysdom: we bake security into our designs and processes, train every staff member in security awareness, and undergo regular audits and tests to ensure our systems are secure and compliant.
Wysdom and SOC 2
Wysdom is a SOC 2 Organization, meaning we’re audited at least annually and certified to comply with the AICPA’s Service Organization Controls and Standards.
SOC (System and Organization Controls) are strict standards designed to help measure how well we manage systems. A SOC 2 report provides our customers with the confidence that Wysdom has appropriate safeguards and procedures in place to protect their data.
Wysdom has been independently examined by third-party auditors, and our resulting report ensures our systems have extensive controls around Security, Availability, Confidentiality, and Privacy.
For customers looking for the details of our SOC 2 report, please contact us.
Wysdom and Zero Trust Architecture
Wysdom follows a Zero Trust model for security: we employ perimeter protection and segmentation along with “never trust, always verify” access; require multiple authentication factors based on context; and employ granular controls based on least privilege, as well as extensive logging and alerting.
There are strict procedures in place regarding staffing: all roles are vetted by management, all candidates are matched to appropriate job functions, and all staff undergo background testing. Wysdom employees sign NDAs, and acknowledge and agree to follow the appropriate policies and procedures for their roles, on hire and at least annually.
Access Control and Separation of Duties
Access to Wysdom’s systems is tightly controlled according to the principle of least privilege. Only specific, vetted staff are granted access to our systems, and only when required to perform their job function. Access requires multiple authentication factors, is encrypted, and can be controlled based on various contexts (location, device, etc.).
Staff access is strictly segregated by duty to ensure those with sensitive systems access do not have access to the corresponding code running those systems.
Our development, staging, and production environments are also strictly segregated from each other, and user access to these systems is separated.
Access is regularly audited to prevent access or scope creep, and to ensure that only current staff with appropriate permissions can access the minimal set of systems required for their job.
Security Awareness Training
All Wysdom staff are required to undergo security training on starting with us and every year they are with the company.
Independent Security Auditing and Testing
In addition to our extensive SOC 2 controls, Wysdom systems undergo regular internal and independent third-party vulnerability and penetration testing, with procedures in place to mitigate issues.
Datacenter and Hosting Partners
We use only Tier-4 datacenter hosting providers that have also undergone independent audits for security and compliance. Our team reviews these reports to ensure there are no security, privacy, or compliance concerns.
Wysdom has a Vendor Management Program that ensures all vendors meet the appropriate security controls when interacting with any of our tools, systems, or processes.
All data in transit and at rest is encrypted using the strongest available encryption standards: whether it’s an API framework or a chat with an end-user, encryption is used everywhere to secure and protect data.
Data can reside in any locale required by our customers for compliance or legal reasons.
Privacy and Compliance
Wysdom is compliant with the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada’s Privacy Law.
Confidentiality, Integrity, and Availability
Wysdom minimizes the data we collect; we strip Personally Identifiable Information (PII), and we encrypt all data in transit and at rest using the strongest encryption available. All data is kept confidential, and we have processes in place to monitor and manage data integrity, privacy, access, and retention. Our platform is designed to support local, regional, global, and intra-platform redundancy, so localized failures do not affect customer experiences or impact performance or access.
Wysdom has an internal Staff Security Reporting program, and actively incentivizes staff, users, and others to report any possible security issues.