Last updated: May 21, 2026
Security
1. Our Security Commitment
Security is foundational to Wingman. Sales calls contain sensitive competitive and business information, and we treat that data with the highest level of care. This page describes the technical and organisational measures we have in place to protect your data.
If you have any security concerns, please contact us immediately at security@thewingman.io.
2. Data Encryption
All data is encrypted both in transit and at rest:
- In transit: All communications between your browser, our servers, and third-party providers are encrypted using TLS 1.2 or higher
- At rest: All data stored in our database is encrypted using AES-256 encryption
- Key management: Encryption keys are managed and rotated by our infrastructure providers
3. Authentication
Access to Wingman accounts is secured through industry-standard authentication protocols:
- OAuth 2.0: Authentication is handled via Auth0 (Okta), supporting Google SSO and email/password login
- JWT tokens: All API routes verify JSON Web Tokens on every request
- Session management: Tokens expire automatically and are invalidated on logout
- MFA: Multi-factor authentication is available and recommended for all accounts
4. Infrastructure
Wingman runs on modern, hardened cloud infrastructure:
- Backend: Hosted on Railway running Node.js 20 in isolated containers
- Database: Supabase (PostgreSQL) with Row Level Security (RLS) enforced at the database layer
- Frontend: Served from Vercel's global edge network with automatic HTTPS
- Network: All internal services communicate over private networks; no unnecessary public exposure
5. Call Data
We take a privacy-first approach to call data:
- Audio is NOT recorded or stored — audio streams are processed in real time and immediately discarded
- Text transcripts only: Only the text output from our transcription provider is retained
- Automatic deletion: Transcripts are automatically deleted after 90 days
- Buyer audio: No audio from call participants ever touches Wingman's servers — transcription happens at the provider level (Deepgram)
- Isolation: Each customer's data is logically isolated using Row Level Security
6. Payment Security
All payments are processed with the highest level of security:
- Stripe: Payments are processed exclusively by Stripe, which is certified PCI DSS Level 1 — the highest level of certification in the payments industry
- No card data stored: Wingman never stores, transmits, or logs credit card numbers or CVV codes
- Tokenisation: Stripe provides tokens that represent payment methods; these tokens cannot be reversed to obtain card details
7. Access Controls
We enforce strict access controls across the entire stack:
- Role-based access control (RBAC): Users can only access data belonging to their organisation
- API rate limiting: All API endpoints are rate-limited to prevent abuse and brute-force attacks
- CORS: Cross-Origin Resource Sharing is restricted to authorised Wingman domains only
- Least privilege: Internal services are granted only the minimum permissions required to function
8. Vulnerability Reporting
We take security reports seriously and respond promptly. If you discover a potential security vulnerability in Wingman, please report it to us responsibly:
- Email: security@thewingman.io
- Response time: We acknowledge all reports within 24 hours
- Disclosure: Please allow us reasonable time to investigate and remediate before public disclosure
We do not pursue legal action against researchers who act in good faith under this policy.
9. SOC 2 Compliance
We are committed to achieving and maintaining industry-recognised security certifications.
- SOC 2 Type I: Audit currently in progress
- Expected completion: Q4 2026
- Scope: Security, Availability, and Confidentiality trust service criteria
Enterprise customers requiring security questionnaires or custom DPAs should contact security@thewingman.io.
10. Contact
For all security-related enquiries, vulnerability reports, or enterprise security reviews:
security@thewingman.io
Wingman Technologies Inc.
British Columbia, Canada