Security

Quiet operation.
Rigorous infrastructure.

Winglo runs continuously with access to your business data. That access is earned through architecture built for isolation, encryption, and governance — not bolted on after the fact.

Infrastructure principles
01 · Workspace isolation

Each workspace, its own world.

Per-workspace data boundaries enforced at every layer — database, application, and inference. No cross-workspace access by architecture.

Runtime isolation log
08:42:17INFOtenant:acme-corpisolated
08:42:17INFOdb.partition:wsp_4a2bbound
08:42:18INFOinference.ctxscoped
08:42:18OKcross-workspace accessDENIED
08:42:19INFOagent.run:mkt_weeklylaunched
08:42:19INFOmemory.readworkspace-scoped
02 · Encryption

Encrypted. Always.

Not configurable because it is not optional.

at-restAES-256
in-transitTLS 1.3
keysCustomer-managed†
† Enterprise plans
03 · Regional residency

Your region, strictly.

All customer data is hosted in the EU. No data leaves the EU without explicit instruction.

EU — Irelandlive
US — Virginiaroadmap
04 · Audit trail

Full provenance.

Every agent action logged: input, output, model, timestamp, workflow.

Exportable via API
Tamper-evident storage
Workspace-level audit view
05 · Access control

Granular, revocable.

RBAC. SSO on Enterprise. Revoke any agent in one action.

RBACSSOMFAToken scopingInstant revoke
AI governance

Your data doesn't train anything.

Winglo works with frontier model providers under strict no-training agreements. Every agent action is logged with full provenance — auditable, exportable, and revocable at the workspace level.

  • Your data never trains a model — contractually enforced with every model provider Winglo works with.
  • Every agent action is recorded with input, output, model identifier, timestamp, and the responsible workflow.
  • Workspaces can revoke any agent's access in a single action. In-flight work halts immediately.
  • PII redaction is available for regulated workspace configurations.
  • You can export, archive, or fully erase your workspace and all derived data at any time.
Compliance & reliability

Operational maturity, by design.

We publish our compliance posture honestly — distinguishing what's live, underway, and on the roadmap.

Encryption & isolation

Live

AES-256 at rest, TLS 1.3 in transit, per-tenant isolation at every stack layer — live since day one.

Audit logs

Live

Every agent action logged with full provenance. Available in the workspace and exportable via API.

GDPR alignment

Live

EU residency option, DPA available, data subject rights workflows built into the workspace.

SOC 2 Type II

Roadmap

Planned. Formal audit process not yet initiated. Controls and evidence collection will begin ahead of GA.

HIPAA

Roadmap

Not currently supported. BAA capability and HIPAA-compliant infrastructure are on the product roadmap.

Penetration testing

Roadmap

Planned third-party pen test prior to general availability. Reports available under NDA on completion.

Security documentation

Need the security docs?

We share architecture overviews, security documentation, and DPAs under NDA. Enterprise teams get a named security contact.

Architecture overviews, security documentation, and data processing agreements available under NDA.