As a user research application, we recognize the importance of excellent security practices. We work hard to adhere to best-practice security processes. This help section covers our security practices and policies.

Your data is encrypted at rest and protected by TLS in transit. Your Wondering password is hashed using bcrypt, and we manage our production secrets with AWS tools.

Our backend server is hosted on top of Amazon Web Services (AWS).

Amazon's data centre ops have been accredited under:

You can find more information about AWS security practices here.

At sign-up, all user passwords are hashed using bcrypt before being stored.

Upon logging in, users are provided an authentication token, which is generated using JSON Web Token (JWT). This is valid for 4 days. All further interaction with the application is done by providing an authorization header using this token.

As a cloud-based Software-as-a-Service provider we do not have our own physical data centres. All of our data storage is hosted via Amazon Web Services. You can see the AWS physical access policy here.

Data is frequently and regularly backed up in line with our Back-up Policy.

Users with Admin-permissions can control how long data associated with your Wondering account is retained for using the Data Retention Settings in your account. For more information about how to use this setting, see this guide.

To support subscribing to Wondering plans, we've partnered with Stripe, a PCI Service Provider Level 1 certified and well-respected payments processor. When none of your credit card data is stored by Wondering. You can learn more about Stripe's security practices here.