Security
Trust isn't a feature. It's the architecture.
Every Winglo workspace is isolated, encrypted, regionally bound, and operationally observable. AI governance and compliance are first-class concerns.
Tenant isolation
Per-workspace data boundaries enforced at every layer of the stack.
Encryption everywhere
AES-256 at rest, TLS 1.3 in transit. Customer-managed keys on Enterprise.
Regional residency
Choose EU or US. All inference and storage stay inside the chosen region.
Audit + access
Role-based access, SSO/SCIM, and exportable audit trails for every action.
AI governance
Your data does not train any model.
Winglo works with frontier model providers under strict no-training agreements. All agent activity is logged, auditable, and revocable per workspace.
No customer data is ever used to train foundation models — contractually enforced with our model providers.
Every agent action is recorded with input, output, model identifier, timestamp, and the responsible workflow.
Workspaces can revoke any agent's access in a single action; in-flight work halts immediately.
PII redaction is applied to inputs that cross provider boundaries on regulated workspaces.
Customers can export, archive, or fully erase their workspace and all derived data on request.
Compliance & reliability
Operational maturity, by design.
SOC 2 Type II
Underway. Continuous control monitoring with quarterly evidence collection.
HIPAA-ready
BAAs available for Telehealth deployments. PHI never leaves regional boundaries.
GDPR aligned
EU residency, DPA, and right-to-erasure workflows built into the workspace.
99.9% uptime SLA
Multi-region failover. Status and incident transparency at status.winglo.ai.
Penetration tested
Annual third-party pen tests. Reports available under NDA.
Bug bounty program
Coordinated disclosure with researcher recognition and rapid triage.
Need our security package?
We share SOC 2 reports, pen test summaries, and DPAs under NDA.