Your customer data is the most valuable thing you've got. We treat it that way — every layer, every day.
AES‑256 at rest. TLS 1.3 in transit. Tenant API keys and access tokens encrypted with a per‑install key.
Bcrypt-hashed passwords, session cookies hardened with HttpOnly + SameSite, and session regeneration on login.
Every state-changing request requires a per-session CSRF token. Forged requests are rejected at the door.
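The session and CSRF behaviour described above, as an added example (my own illustration, not whatareply's code): an in-memory store that regenerates the session ID on login, binds one CSRF token to each session, and checks submitted tokens in constant time. The `Secure` flag and the `Lax` SameSite mode on the cookie are assumptions; the page itself only states HttpOnly and SameSite.

```python
import hmac
import secrets

# Added example, not whatareply's code: an in-memory session store that
# regenerates the session ID on login and binds a per-session CSRF token.


class SessionStore:
    def __init__(self):
        self._sessions = {}  # session_id -> {"user": ..., "csrf": ...}

    def anonymous(self):
        """Pre-login session, e.g. a visitor who is viewing the login form."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None, "csrf": secrets.token_urlsafe(32)}
        return sid

    def login(self, old_sid, user):
        """Regenerate the session ID on login: a session ID fixed by an
        attacker before authentication never becomes an authenticated one."""
        self._sessions.pop(old_sid, None)
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
        return new_sid

    def csrf_token(self, sid):
        """Token to embed in forms rendered for this session."""
        return self._sessions[sid]["csrf"]

    def cookie_header(self, sid):
        # HttpOnly + SameSite as the page states; Secure and Lax are
        # assumptions of this example.
        return f"sid={sid}; HttpOnly; SameSite=Lax; Secure; Path=/"

    def authorize_state_change(self, sid, submitted_token):
        """True only when the session exists, is authenticated, and the
        submitted token matches the token bound to *this* session."""
        sess = self._sessions.get(sid)
        if sess is None or sess["user"] is None:
            return False
        if not isinstance(submitted_token, str):
            return False
        # Constant-time comparison so a mismatch does not leak by timing.
        return hmac.compare_digest(sess["csrf"].encode(), submitted_token.encode())


def demo():
    store = SessionStore()
    pre = store.anonymous()
    pre_token = store.csrf_token(pre)      # token from the pre-login session
    sid = store.login(pre, "alice")
    token = store.csrf_token(sid)
    return {
        "regenerated": sid != pre,                                      # True
        "old_session_dead": store.authorize_state_change(pre, pre_token),  # False
        "old_token_rejected": store.authorize_state_change(sid, pre_token),  # False
        "forged_rejected": store.authorize_state_change(sid, "x" * 43),  # False
        "genuine_accepted": store.authorize_state_change(sid, token),    # True
    }
```

The two things worth noticing: the pre-login token stops working the moment the session is regenerated, and a token is only ever compared against the session that presented it, so a token harvested from one session cannot authorize a request on another.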
Every admin action, every login, every privileged change is logged with actor, timestamp and IP — exportable for your audits.
Every database query uses prepared statements: user-supplied values are bound as parameters and cannot change a statement's structure, which rules out SQL injection through query values by construction.
Every query is scoped by tenant. You can't accidentally — or intentionally — see another customer's data.
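Prepared statements and tenant scoping, as an added example (not whatareply's code) against a throwaway SQLite database with constructed rows for two tenants: the string-built query leaks across tenants under a classic `' OR '1'='1` payload, the bound-parameter version does not, and a per-tenant wrapper pins every query, including primary-key lookups, to one tenant. The schema, the tenant names and the ORDER BY allowlist are assumptions made for the example.

```python
import sqlite3

# Added example, not whatareply's code: a throwaway SQLite database with
# constructed rows for two tenants, a deliberately injectable query, its
# parameterised replacement, and a wrapper that scopes every query to one tenant.

SCHEMA = """
CREATE TABLE messages (
    id        INTEGER PRIMARY KEY,
    tenant_id TEXT NOT NULL,
    subject   TEXT NOT NULL,
    body      TEXT NOT NULL
);
"""

# Constructed sample data: two tenants sharing one subject line.
ROWS = [
    (1, "acme",   "Invoice", "acme's confidential invoice"),
    (2, "acme",   "Renewal", "acme's renewal terms"),
    (3, "globex", "Invoice", "globex's confidential invoice"),
]

# Identifiers cannot be bound as parameters, so anything that reaches
# ORDER BY must come from a fixed allowlist (an assumption of this example).
SORTABLE_COLUMNS = {"id", "subject"}


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO messages VALUES (?, ?, ?, ?)", ROWS)
    return conn


def search_unsafe(conn, tenant_id, subject):
    """DELIBERATELY VULNERABLE: input is spliced into the SQL text."""
    sql = (f"SELECT id, tenant_id FROM messages "
           f"WHERE tenant_id = '{tenant_id}' AND subject = '{subject}'")
    return conn.execute(sql).fetchall()


class TenantConn:
    """Data access for exactly one tenant. Callers cannot forget the tenant
    predicate because the tenant is fixed here, not passed per query."""

    def __init__(self, conn, tenant_id):
        self._conn = conn
        self._tenant = tenant_id

    def messages_by_subject(self, subject, order_by="id"):
        if order_by not in SORTABLE_COLUMNS:
            raise ValueError(f"unsupported sort column: {order_by!r}")
        # Values are bound with '?', so they can never alter the statement.
        sql = ("SELECT id, tenant_id FROM messages "
               "WHERE tenant_id = ? AND subject = ? "
               f"ORDER BY {order_by}")
        return self._conn.execute(sql, (self._tenant, subject)).fetchall()

    def message_body(self, msg_id):
        # Even a primary-key lookup carries the tenant predicate, so guessing
        # another tenant's ID returns nothing rather than their row.
        row = self._conn.execute(
            "SELECT body FROM messages WHERE id = ? AND tenant_id = ?",
            (msg_id, self._tenant),
        ).fetchone()
        return None if row is None else row[0]


def demo():
    conn = open_db()
    payload = "x' OR '1'='1"
    acme = TenantConn(conn, "acme")
    try:
        acme.messages_by_subject("Invoice", order_by="id; DROP TABLE messages")
        bad_sort_rejected = False
    except ValueError:
        bad_sort_rejected = True
    return {
        "unsafe_leaks": search_unsafe(conn, "acme", payload),  # all three rows
        "bound_no_leak": acme.messages_by_subject(payload),    # []
        "own_rows": acme.messages_by_subject("Invoice"),       # [(1, 'acme')]
        "foreign_id": acme.message_body(3),                    # None
        "bad_sort_rejected": bad_sort_rejected,                # True
    }
```

The payload turns the string-built WHERE clause into `(tenant_id = 'acme' AND subject = 'x') OR '1'='1'`, which is why it returns globex's row too; with the value bound, the same string is just a subject nobody has. The allowlist is there because a bound parameter in ORDER BY is treated as a constant, not a column name, so the sort column is the one piece of dynamic SQL a prepared statement does not protect.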
No move-fast-and-break-things. Defaults are safe, changes are reviewed, mistakes are documented.
Every change is reviewed before it ships. Production secrets live in encrypted environment variables, never in code. Deployments are logged and reversible.
Encrypted database backups every 6 hours, retained 30 days. The restore procedure is tested and documented. RPO 6 hours, RTO 4 hours.
Every sub-processor is vetted, contractually bound, and listed publicly in our Privacy Policy. We add new ones with 30 days' notice.
Found a security issue? Email security@whatareply.com. We acknowledge within 24 hours and will keep you updated until it's fixed. Responsible disclosure is welcomed and rewarded.
Need our security questionnaire (CAIQ, SIG Lite) or a SOC report once issued? Email security@whatareply.com.
We respond to every security-related email within one business day — usually faster.