Security

Security at Wisegrid

Wisegrid is built by a small team that takes the security of your data seriously. And we'd rather tell you exactly what we do than wave a banner. This page describes our current security practices and our roadmap. If you're an enterprise evaluating us, we're happy to complete your security questionnaire: email ryan@wisegrid.co.

Infrastructure & data

  • Hosted on managed cloud infrastructure, with all customer data stored in the United States. Our infrastructure providers are listed below.
  • Customer data is logically isolated per account; access scoping is enforced in the application layer.
  • The application runs as an unprivileged service account (not root), bound to loopback behind a reverse proxy.

Encryption

  • In transit: all traffic is encrypted with TLS (Let's Encrypt); HTTP redirects to HTTPS.

Authentication

  • Sign in with Google or Microsoft (OAuth). We don't store passwords for social login. Email + password sign-up is also available.
  • Payment data is handled entirely by Stripe (PCI-DSS Level 1); Wisegrid never stores card numbers.

Data handling & retention

  • We store: account/profile data (via your OAuth provider), your sheet/grid content, file attachments, and billing metadata.

Availability & backups

  • The production database is backed up automatically every night to encrypted, offsite object storage, with roughly 30 days of retention.
  • Backups are restore-tested: we exercise a full restore from a snapshot so a backup is something we can actually recover from, not just a file we hope works.
  • File attachments are kept in dedicated object storage and served only through short-lived signed links, never public URLs, so access expires rather than living on an open, shareable address.

Subprocessors

We use a small set of trusted infrastructure providers to run Wisegrid. Listing them is part of being transparent about how your data is handled.

SubprocessorPurpose
DigitalOceanManaged database hosting
OVHApplication hosting
CloudflareFile storage (R2), DNS, CDN/TLS
StripePayment processing
Google / MicrosoftOAuth sign-in
Mailgun / ResendTransactional email
SentryError monitoring

Responsible disclosure

See the Vulnerability Disclosure Policy below. Report security issues to ryan@wisegrid.co. Our machine-readable contact is published at wisegrid.co/.well-known/security.txt.

Compliance roadmap

We are not SOC 2 certified yet, and we won't claim to be. We've architected for it (least-privilege access, encryption in transit, change management through code review) so that pursuing SOC 2 Type 1 (Security criteria) is an evidence-collection exercise rather than a re-architecture. We'll begin that process as we move into the enterprise market. If your procurement process requires SOC 2 today, we're glad to discuss timelines directly.

Vulnerability Disclosure Policy

Reporting a vulnerability

If you believe you've found a security vulnerability in Wisegrid, please email ryan@wisegrid.co with:

  • A description of the issue and its potential impact
  • Steps to reproduce (proof-of-concept, affected URL/endpoint)
  • Your name/handle if you'd like to be credited

Our commitment

  • We'll acknowledge your report within 3 business days.
  • We'll keep you updated as we investigate and work to remediate.
  • We won't pursue legal action against researchers who act in good faith under this policy.

Safe harbor

Activity conducted in a manner consistent with this policy is considered authorized, and we will not initiate legal action against you. If a third party initiates legal action and you complied with this policy, we'll make it known that your actions were authorized.

Scope & rules of engagement

  • In scope: wisegrid.co and the Wisegrid application.
  • Out of scope: denial-of-service (DoS/DDoS), social engineering, physical attacks, spam, and reports from automated scanners without a demonstrated, reproducible impact.
  • Do not access, modify, or delete other users' data. Use only test accounts you control.
  • Do not publicly disclose the issue until we've had a reasonable chance to remediate.

Rewards

We do not currently run a paid bug-bounty program, but we genuinely appreciate good-faith reports and will credit researchers (with permission) on this page.