Skip to content

Security policy

How we protect your data, your accounts, and our infrastructure, and what we expect from you.

1. Introduction

At Website Wannabe, we prioritize security to protect our customers' data, websites and accounts, our company servers and related company infrastructure. This Security Policy incorporates compliance with key regulatory frameworks and industry best practices, while emphasizing support team protocols and server security.

2. Regulatory Compliance

Other Regulations:

We adhere to applicable data privacy laws in regions where we operate, and HIPAA (Health Insurance Portability and Accountability Act) for applicable services.

3. Support Team Security Protocols

Access Control and Training:

  • Website Wannabe team access to various infrastructure is granted on a need-to-know basis and regularly reviewed.
  • Support team members receive training on cybersecurity threats and best practices.

Identity Verification:

Support tickets involving sensitive changes require multifactor authentication for confirmation and written notice to execute.

Incident Management:

All security incidents are logged, investigated, and reported to relevant authorities or affected parties as required.

4. Platform Security Measures

Infrastructure:

Our platform runs on managed cloud infrastructure (Netlify for the customer-facing web tier, Railway for background services, Supabase for the Postgres database) in United States regions. Each provider operates under SOC 2 Type II controls.

Encryption:

  • All connections to our applications and to upstream APIs (including Google) use TLS 1.2 or higher.
  • Google OAuth access and refresh tokens, third-party API credentials, and other sensitive secrets are encrypted at rest in our database.
  • Backups are encrypted in transit and at rest.

Tenant isolation:

Customer data is logically isolated by tenant and protected by Postgres row-level security policies so one customer cannot read another customer's data, including connected Google service data.

Access controls:

  • Production database access is restricted to a small number of operations staff and requires multi-factor authentication.
  • Every staff action that touches a customer record is recorded in an immutable action log.
  • OAuth client secrets and service-account keys are rotated when staff with access leave the company and on a routine schedule.

Monitoring:

  • Application errors and security-relevant events are captured by Sentry with sensitive payloads scrubbed before transmission.
  • Database, API, and edge-function logs are retained and reviewed for anomalous patterns.

Data retention and disposal:

See our Backup and Data Retention Policy for retention windows and deletion timelines. Customers can request deletion of all data at any time at support@websitewannabe.com.

Incident response:

Suspected unauthorized access triggers an internal investigation, token revocation for affected accounts, notification to affected customers, and (where applicable) disclosure to Google within the timeframes required by Google's policies. See our Data Breach Response Policy for the full procedure.

5. Customer Security Expectations

Shared Responsibility Model:

  • While Website Wannabe ensures server and infrastructure security, customers are responsible for securing their applications, accounts, website and content.
  • Customers are responsible for providing immediate notice to Website Wannabe with any compromised accounts that are connected or expected to be connected to our servers.
  • Website Wannabe users are required on every account to maintain the security protocols and removing or attempting to remove any Website Wannabe user is prohibited.
  • Any customer who has been compromised via a fishing or malware attack is required to have at least one team member take our annual cyber security training.

Recommended Practices:

  • Use strong passwords and enable multi-factor authentication (MFA).
  • Avoid uploading or hosting sensitive data unless proper encryption and access controls are in place.

6. Policy Updates

Continuous Improvement:

  • Website Wannabe continuously reviews and updates this Security Policy to adapt to evolving security threats and regulatory requirements.
  • Policy updates will be communicated via email and published on our website.

Customer Notifications:

Any changes impacting customer responsibilities will be clearly communicated with no notice.

7. Contact Information

For questions about this policy or to report a security issue:

Ready to get your business growing?

Tell us what you have in mind. We will tell you exactly how we would build it, with a real plan and a real price. Most projects go live within 7 business days.

Prefer to talk it through? Call (267) 500-2928

Terms Policies And Notices Security Policy | Website Wannabe