Trust & security

We build with security and privacy as defaults, not features. This page is the working summary of how we protect customer data, who we share it with, and how to reach us if something looks wrong.

Last updated: 2026-05-26

Our security program

We operate a written security program covering access control, vendor diligence, incident response, and breach notification. The program is reviewed at least quarterly. Highlights:

For deeper detail (subprocessor list, DPA on file, compliance posture by regime), use the links below or write to security@whitecapdata.com.

What we comply with today

Customer-specific regimes — HIPAA, GLBA, FERPA, HECVAT, CMMC, FedRAMP, and others — are evaluated per engagement. If you operate in a regulated industry, contact us before signing and we will run a diligence pass with you.

Sub-processors

We use a small set of trusted sub-processors to deliver the service. The current list is published at whitecapdata.com/trust/sub-processors.

Material changes are reflected on that page within seven days of activation; if you need advance notice (e.g., under a DPA), email security@whitecapdata.com and we will add you to the subprocessor change notification list.

Report a vulnerability

If you believe you have found a security issue affecting any Whitecap Data service, please follow our vulnerability disclosure policy. A short summary:

We aim to acknowledge reports within two business days and to give a substantive response within seven. Researchers who report in good faith will be credited on our acknowledgments page if they would like.

Machine-readable