Trust & security
We build with security and privacy as defaults, not features. This page is the working summary of how we protect customer data, who we share it with, and how to reach us if something looks wrong.
Last updated: 2026-05-26
Our security program
We operate a written security program covering access control, vendor diligence, incident response, and breach notification. The program is reviewed at least quarterly. Highlights:
- Every secret has an assigned owner, a rotation cadence (90 days for most), and a documented runbook.
- Every code push runs through automated SAST (Semgrep), secret scanning (Gitleaks), and dependency-audit checks before reaching production.
- All production traffic is HTTPS-only with HSTS preload. TLS posture is reviewed weekly.
- Production data is hosted in the United States. Backups are encrypted at rest with documented key management.
- Multi-factor authentication is required on every administrative account on every vendor we use.
For deeper detail (subprocessor list, DPA on file, compliance posture by regime), use the links below or write to security@whitecapdata.com.
What we comply with today
- NY SHIELD Act — written security program, designated security lead, vendor DPAs, breach notification procedures.
- FTC Act §5 — truthful privacy practices; the privacy policy reflects actual data collection.
- PCI DSS v4 SAQ A — card payments are handled by Stripe Checkout; no card data touches our servers.
- CCPA / CPRA — California resident rights honored; data subject requests via privacy@whitecapdata.com.
- WCAG 2.2 AA — working toward conformance; report accessibility issues to the same address.
Customer-specific regimes — HIPAA, GLBA, FERPA, HECVAT, CMMC, FedRAMP, and others — are evaluated per engagement. If you operate in a regulated industry, contact us before signing and we will run a diligence pass with you.
Sub-processors
We use a small set of trusted sub-processors to deliver the service. The current list is published at whitecapdata.com/trust/sub-processors.
Material changes are reflected on that page within seven days of activation; if you need advance notice (e.g., under a DPA), email security@whitecapdata.com and we will add you to the subprocessor change notification list.
Report a vulnerability
If you believe you have found a security issue affecting any Whitecap Data service, please follow our vulnerability disclosure policy. A short summary:
- Reach us at security@whitecapdata.com with technical detail and reproduction steps.
- Test only against your own accounts and data. Do not access or alter data belonging to other customers.
- Give us a reasonable window (90 days) to remediate before public disclosure.
We aim to acknowledge reports within two business days and to give a substantive response within seven. Researchers who report in good faith will be credited on our acknowledgments page if they would like.
Machine-readable
/.well-known/security.txt— contact + policy URLs per RFC 9116. View.- Subprocessor list as JSON — coming soon.
- Public status page — coming soon.