Infrastructure & data
- Hosted on managed cloud infrastructure, with all customer data stored in the United States. Our infrastructure providers are listed below.
- Customer data is logically isolated per account; access scoping is enforced in the application layer.
- The application runs as an unprivileged service account (not root), bound to loopback behind a reverse proxy.
Encryption
- In transit: all traffic is encrypted with TLS (Let's Encrypt); HTTP redirects to HTTPS.
Authentication
- Sign in with Google or Microsoft (OAuth). We don't store passwords for social login. Email + password sign-up is also available.
- Payment data is handled entirely by Stripe (PCI-DSS Level 1); Wisegrid never stores card numbers.
Data handling & retention
- We store: account/profile data (via your OAuth provider), your sheet/grid content, file attachments, and billing metadata.
Availability & backups
- The production database is backed up automatically every night to encrypted, offsite object storage, with roughly 30 days of retention.
- Backups are restore-tested: we exercise a full restore from a snapshot so a backup is something we can actually recover from, not just a file we hope works.
- File attachments are kept in dedicated object storage and served only through short-lived signed links, never public URLs, so access expires rather than living on an open, shareable address.
Subprocessors
We use a small set of trusted infrastructure providers to run Wisegrid. Listing them is part of being transparent about how your data is handled.
| Subprocessor | Purpose |
|---|
| DigitalOcean | Managed database hosting |
| OVH | Application hosting |
| Cloudflare | File storage (R2), DNS, CDN/TLS |
| Stripe | Payment processing |
| Google / Microsoft | OAuth sign-in |
| Mailgun / Resend | Transactional email |
| Sentry | Error monitoring |
Responsible disclosure
See the Vulnerability Disclosure Policy below. Report security issues to ryan@wisegrid.co. Our machine-readable contact is published at wisegrid.co/.well-known/security.txt.
Compliance roadmap
We are not SOC 2 certified yet, and we won't claim to be. We've architected for it (least-privilege access, encryption in transit, change management through code review) so that pursuing SOC 2 Type 1 (Security criteria) is an evidence-collection exercise rather than a re-architecture. We'll begin that process as we move into the enterprise market. If your procurement process requires SOC 2 today, we're glad to discuss timelines directly.
Vulnerability Disclosure Policy
Reporting a vulnerability
If you believe you've found a security vulnerability in Wisegrid, please email ryan@wisegrid.co with:
- A description of the issue and its potential impact
- Steps to reproduce (proof-of-concept, affected URL/endpoint)
- Your name/handle if you'd like to be credited
Our commitment
- We'll acknowledge your report within 3 business days.
- We'll keep you updated as we investigate and work to remediate.
- We won't pursue legal action against researchers who act in good faith under this policy.
Safe harbor
Activity conducted in a manner consistent with this policy is considered authorized, and we will not initiate legal action against you. If a third party initiates legal action and you complied with this policy, we'll make it known that your actions were authorized.
Scope & rules of engagement
- In scope: wisegrid.co and the Wisegrid application.
- Out of scope: denial-of-service (DoS/DDoS), social engineering, physical attacks, spam, and reports from automated scanners without a demonstrated, reproducible impact.
- Do not access, modify, or delete other users' data. Use only test accounts you control.
- Do not publicly disclose the issue until we've had a reasonable chance to remediate.
Rewards
We do not currently run a paid bug-bounty program, but we genuinely appreciate good-faith reports and will credit researchers (with permission) on this page.