Application security overview
Updated over 8 months ago

As a user research application, we recognize the importance of excellent security practices. We work hard to adhere to best-practice security processes. This help section covers our security practices and policies.

Data encryption

Your data is encrypted at rest and protected by TLS in transit. Your Wondering password is hashed using bcrypt, and we manage our production secrets with AWS tools.

Hosting

Our backend server is hosted on top of Amazon Web Services (AWS).

Amazon's data centre operations have been accredited under:

  • PCI Level 1

  • SOC 1 and SOC 2/SSAE 16/ISAE 3402 (Previously SAS 70 Type II)

  • ISO 27001

  • FISMA Moderate

  • Sarbanes-Oxley (SOX)

You can find more information about AWS security practices here.

Passwords and authentication

At sign-up, all user passwords are hashed using bcrypt before being stored.

Upon logging in, users are issued an authentication token in the form of a JSON Web Token (JWT), which is valid for 4 days. All further interaction with the application is authenticated by sending this token in an authorization header.

Physical security

As a cloud-based Software-as-a-Service provider we do not have our own physical data centres. All of our data storage is hosted via Amazon Web Services. You can see the AWS physical access policy here.

Data retention and backups

Data is frequently and regularly backed up in line with our Back-up Policy.

Users with Admin permissions can control how long data associated with your Wondering account is retained, using the Data Retention Settings in your account. For more information about how to use this setting, see this guide.

Payment information security

To support subscribing to Wondering plans, we've partnered with Stripe, a well-respected payments processor certified as a PCI Service Provider Level 1. None of your credit card data is stored by Wondering. You can learn more about Stripe's security practices here.
