Does Wolyra hold SOC 2 or HIPAA certifications?

Wolyra is not currently SOC 2 or HIPAA certified. Engagements that require certified controls are scoped against the controls of the underlying cloud provider and an addendum documenting the responsibility split.

How do I report a vulnerability?

Email info@wolyra.ai with the subject line "Security report" and a description of the issue. Do not test against production systems beyond what is needed to demonstrate the finding. Wolyra acknowledges reports within two business days.

What is Wolyra's data retention policy?

Customer data is retained for the duration of the engagement plus the period required by US tax and contractual law (typically seven years for financial records). All other personal data is deleted within 30 days of a verified request.

Where is customer data stored?

Production systems run on US-based cloud regions by default. Region-specific hosting (EU, UK) is available on request and is documented in the engagement agreement.

Does Wolyra use third-party advertising trackers?

No. The site loads consent-gated GA4 only and uses no advertising, retargeting, or social pixel trackers. See the Cookie Notice for the complete list.

Security

Security as a posture, not a checklist.

What we secure, how we secure it, and the lines we will not cross. Written so a security team can map it to their own controls.

Threat model

What we defend against, and where the line is.

Wolyra defends against opportunistic and targeted attacks against its corporate systems, customer-shared assets, and any production environment Wolyra operates. We do not claim resistance to nation-state actors with physical access. The posture below is written down, exercised on a cadence, and assigned to named owners with observable controls.

In scope

Credential theft, supply-chain compromise, dependency vulnerabilities, application-layer attacks, social engineering of staff, infrastructure misconfiguration, accidental data exposure, and insider misuse of access.

Out of scope

Targeted physical attack on a Wolyra-controlled location, large-scale denial-of-service on infrastructure outside our control, and threat actors with lawful coercive power in jurisdictions where we have no operating presence.

Control surface

Layered defenses, named owners.

Perimeter

All public surfaces are TLS-only with HSTS preload. Internal services run inside private networks; ingress is allowed only through audited reverse proxies. WAF and rate limits are enabled on customer-facing endpoints.

Endpoint

Staff devices run full-disk encryption, mandatory screen lock, current OS, EDR with central reporting, and managed inventory. Personal devices may not access production accounts; corporate devices may not access personal cloud sync.

Identity and access

SSO for every system that supports it. Hardware security keys for any account with administrative reach. Just-in-time elevation for production access, with a written reason and an automatic expiry. Quarterly access reviews on a written cadence.

Key management

Secrets stored in a managed vault, never in source control. Application credentials rotated on a schedule and on any departure. Customer-supplied keys are stored in a customer-controlled KMS where the service contract allows.

Data classification

Customer data tagged at intake with sensitivity, retention period, and residency. Encrypted at rest with managed keys. Encrypted in transit between every service. Backups encrypted and rolled off automatically within 90 days.

Logging and monitoring

Production systems emit structured logs to a tamper-evident store. Authentication events, privileged commands, and configuration changes are alerted on. Logs retained per the customer contract and the applicable regulation.

Secure SDLC

From commit to production.

Signed commits

Engineers sign commits with hardware-backed keys. Branch protections require a passing signature check before merge.

SAST and SCA

Every pull request runs static analysis, dependency vulnerability scanning, and secrets detection. High-severity findings block merge until resolved or formally accepted.

Code review

Two-person review on production changes. Security-sensitive paths require a reviewer who has not authored the change. Reviewer accountability is recorded in the merge metadata.

Reproducible builds

Builds run on hosted runners with pinned base images. Artifacts are signed and stored in a registry with provenance attestations. Deployments verify the signature before they roll.

Incident response

What happens when something goes wrong.

Wolyra runs a written incident response process, with named owners, communication templates, and a tabletop exercise on a documented cadence. The summary below is what a customer can hold us to in the first hours of a real incident.

Detect and triage

Alerts route to an on-call engineer. Initial triage classifies severity, identifies the affected surface, and opens a written incident channel with a designated incident commander.

Contain and notify

Once severity is confirmed, containment runs in parallel with notification. Customers materially affected by a confirmed security incident are notified within 72 hours, or sooner where contract or regulation requires.

Eradicate and recover

Compromised credentials are revoked, affected systems are rebuilt from clean artifacts, and recovery is verified before the incident is closed.

Post-incident review

A blameless review documents the timeline, the root cause, the customer-facing impact, and the actions taken to prevent recurrence. The summary is shared with affected customers.

What we do not do

Lines we do not cross.

No surveillance work

We do not build systems whose primary purpose is to surveil individuals, classify people by protected characteristics, or aggregate behavioral profiles for targeting.

No spyware or stalkerware

We will not build, package, or distribute software designed to operate covertly on a device the user does not control. We will not provide engineering services to a vendor that does.

No advertising trackers

No advertising pixels, no third-party remarketing scripts, no behavioral profiling cookies on wolyra.ai. The same default carries into the production systems we build for clients.

Report a vulnerability.

Email info@wolyra.ai with the subject Security report. Acknowledged in two business days, remediation timeline shared in seven, public credit on request once the fix is shipped.

Contact Wolyra →