Security, Privacy, and Compliance

Spatial data can be some of the most sensitive in your organization. Data security is our top priority.

Private, secure, and compliant from day one. Built to meet enterprise data privacy standards. Hosted on AWS, in our accounts or in yours. Fully SOC 2 and GDPR compliant.

Secure by design

Security is not just a feature. It is part of our engineering culture and infused into how we design and build our software, our internal systems, and our production environments. Wherobots is built from the ground up with the security of your data and your workloads in mind.

Control-compute separation

Wherobots' cloud-native architecture provides strong separation between its control plane and its multi-cloud, multi-region compute plane.

The control plane is managed by Wherobots and runs in Wherobots' AWS account, within a private Wherobots network. It is a cloud-hosted system that manages authentication, users, business logic, and access to the service via its web interface and APIs. Your data does not pass through the control plane and is not stored in it.

The compute plane is serverless to users, fully managed by Wherobots, and deployed to multiple cloud regions supported by Wherobots or to a BYOC account. It powers customer workloads, each isolated from the cloud hypervisor up to create a trusted environment for your data, and it connects privately to your cloud buckets and data sources.

Want to bring your own cloud account? Wherobots Cloud is serverless by default, but it can also run its compute plane in your own cloud VPC in bring-your-own-cloud (BYOC) deployments. If you are interested in, or have requirements for, a BYOC deployment option, please contact us.

Infrastructure and network security

Cloud providers

Wherobots compute and control planes are currently hosted on AWS.
By using AWS, Wherobots inherits all the physical and logical security and compliance features built into AWS's data centers, network, and infrastructure. The list of our current compute plane regions is available in our documentation. If you need compute presence close to your data in other cloud provider regions, please tell us by filling in this form.

Networking

The control plane and compute plane network infrastructure is managed by Wherobots. Wherobots maintains network isolation between customer workloads. Connectivity between a compute plane region and the control plane is secure, private, and encrypted. By default, Wherobots uses VPC gateway endpoints so that connectivity between the compute plane and your Amazon S3 buckets is private and never leaves the AWS cloud network.

Encryption

All network traffic, including traffic between VMs within the compute plane [1] and connections with private and public data sources, is encrypted in transit. Wherobots uses network-attached storage with virtual machines and cloud object storage. Data at rest is always encrypted using an encryption key provided and managed by the cloud provider (e.g. AWS KMS).

Access control

Wherobots prioritizes the security and integrity of customer data, and security practices are integrated throughout all business operations. All employees and operators must use dedicated user accounts, and use Google SSO combined with MFA everywhere it is available. This reduces the risk of unauthorized access, prohibits credential sharing, limits elevated permissions effectively, and provides traceability of access. Only specific employees who require data access for support purposes have such permissions, and all access is logged. User permissions and access are continuously reviewed to maintain alignment with current roles and access requirements. These reviews, conducted both manually and through automated compliance tools, swiftly identify and resolve any unnecessary or outdated access.
Customers must follow robust password guidelines to ensure strong credentials are used to log into the Wherobots Cloud platform. Additionally, Wherobots offers SSO support via SAML, allowing customers to use their existing identity providers for secure, seamless authentication. Customers retain complete control over their configurations. Wherobots uses Identity and Access Management (IAM) cross-account roles to ensure granular, least-privilege access to customer-owned cloud resources.

Third-party audits

Wherobots undergoes SOC 2 compliance audits and has obtained its SOC 2 Type 2 attestation. Penetration testing is performed regularly by an independent third party. Any findings from the penetration testing are immediately investigated by Wherobots' security and engineering teams and remediated according to their severity. The latest penetration testing report can be shared on request.

Email and DNS security

Wherobots implements all currently available best practices for email security and spoofing prevention with DMARC and DKIM. Automated emails produced by Wherobots systems are sent via AWS SES or via HubSpot, both of which are explicitly authorized to send emails on our behalf. All DNS zones for Wherobots domains are managed by AWS Route 53, inheriting the security and auditability capabilities of AWS services.

Business continuity and disaster recovery

Wherobots has an established Business Continuity and Disaster Recovery plan to ensure that both our business and our product offerings deliver high availability and resilience to our end users. All business data is securely stored and backed up by our service providers. All customer data and metadata is stored in version-controlled S3 buckets with high availability and S3's renowned extreme durability, and backed up in a separate AWS region. Backup and recovery procedures are frequently exercised to provide a sub-24h RTO.
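The two controls named above, a cross-account IAM role scoped to the least privilege a workload needs, and S3 connectivity pinned to a VPC gateway endpoint, are easiest to understand as policy documents side by side with their weak counterparts. The following is an added example written for this page; it is not Wherobots' code or configuration. The account ID, bucket name, VPC endpoint ID and external ID are constructed placeholders, and the review helpers only flag a few common weaknesses (wildcard principals or actions, a missing sts:ExternalId condition), not every possible misconfiguration.

```python
"""Least-privilege cross-account role and VPC-endpoint-only bucket access.

Added example, not Wherobots' code. All identifiers below are constructed
placeholders; the policy shapes are standard AWS IAM / S3 policy JSON.
"""

# Constructed placeholder identifiers (hypothetical, not real resources).
VENDOR_ACCOUNT = "111111111111"           # service provider's AWS account
CUSTOMER_BUCKET = "example-customer-data"  # customer-owned bucket
VPC_ENDPOINT_ID = "vpce-0123456789abcdef0" # gateway endpoint for S3
EXTERNAL_ID = "example-external-id"        # per-customer secret agreed out of band


def cross_account_trust_policy(vendor_account: str, external_id: str) -> dict:
    """Trust policy for a role in the customer account: only the vendor
    account may assume it, and only when it presents the agreed ExternalId
    (mitigates the confused-deputy problem)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{vendor_account}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def scoped_bucket_permissions(bucket: str, prefix: str) -> dict:
    """Permissions policy limited to reading one prefix of one bucket."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["s3:GetObject"],
             "Resource": f"arn:aws:s3:::{bucket}/{prefix}/*"},
            {"Effect": "Allow", "Action": ["s3:ListBucket"],
             "Resource": f"arn:aws:s3:::{bucket}",
             "Condition": {"StringLike": {"s3:prefix": [f"{prefix}/*"]}}},
        ],
    }


def vpce_only_bucket_policy(bucket: str, vpce_id: str) -> dict:
    """Bucket policy denying any request that did not arrive through the
    given VPC gateway endpoint, so object traffic stays on the AWS network."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
            "Condition": {"StringNotEquals": {"aws:SourceVpce": vpce_id}},
        }],
    }


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def review_trust_policy(policy: dict) -> list:
    """Flag common weaknesses in a role trust policy."""
    findings = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal")
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            findings.append("wildcard principal: any AWS account could assume the role")
        cond = st.get("Condition", {})
        if not any("sts:ExternalId" in v for v in cond.values() if isinstance(v, dict)):
            findings.append("no sts:ExternalId condition (confused-deputy risk)")
        if any(a in ("*", "sts:*") for a in _as_list(st.get("Action"))):
            findings.append("overly broad action in trust statement")
    return findings


def review_permissions(policy: dict) -> list:
    """Flag wildcard actions or resources in a permissions policy."""
    findings = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        if any(a in ("*", "s3:*") for a in _as_list(st.get("Action"))):
            findings.append("wildcard S3 action")
        if any(r == "*" for r in _as_list(st.get("Resource"))):
            findings.append("wildcard resource")
    return findings


# Weak counterparts: anyone may assume the role, no ExternalId, full S3 access.
WEAK_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}]}
WEAK_PERMS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}

if __name__ == "__main__":
    print("hardened trust:", review_trust_policy(cross_account_trust_policy(VENDOR_ACCOUNT, EXTERNAL_ID)))
    print("weak trust:", review_trust_policy(WEAK_TRUST))
    print("hardened perms:", review_permissions(scoped_bucket_permissions(CUSTOMER_BUCKET, "exports")))
    print("weak perms:", review_permissions(WEAK_PERMS))
```

The Deny-unless-VPCE bucket policy is deliberately a deny statement rather than an allow: it layers on top of whatever the role's own permissions grant, so even a correctly scoped role cannot be used to fetch objects over the public internet path.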
Wherobots runs regular business continuity and disaster recovery scenarios to plan for unforeseen events and test its disaster recovery procedures. These events include, but are not limited to, loss of key personnel, degradation of key infrastructure, and operational force majeure events. The remediations for these possible events are discussed annually.

Corporate security

Wherobots incorporates comprehensive technical and operational safeguards to protect your data and ensure uninterrupted service availability. We maintain transparency in our security practices, consistently aiming to surpass industry standards.

All corporate devices are secured through Mobile Device Management (MDM), ensuring compliance with our security standards. Advanced malware and anti-virus software is deployed and regularly updated to counter evolving threats. Full disk encryption safeguards data stored on all corporate devices. Strong password policies and automatic screen locks further minimize unauthorized access risks.

Employees complete security and privacy awareness training during onboarding and annually thereafter, ensuring adherence to current security best practices. All employees undergo thorough background checks.

Our security team continuously monitors the cloud environment, supported by real-time threat protection tools and proactive incident response strategies. Cloud Security Posture Management (CSPM) tools continuously monitor for and respond to anomalies or unusual activity.

Physical access to Wherobots offices is strictly controlled through a badge system, ensuring entry is limited to authorized personnel only.

Responsible disclosure

Security researchers are encouraged to responsibly disclose vulnerabilities and security issues to Wherobots' security team at [email protected] with a working proof of concept. Wherobots does not have a bug bounty program at this time.
[1] In AWS, Wherobots uses Amazon EC2 Nitro instances that encrypt data in transit between VMs.