Security and technical and organizational measures

This page describes the technical and organizational measures maintained by Wodby to protect customer personal data and related service systems. It is intended to support customer security reviews, procurement diligence, and the security provisions of the Data Processing Agreement and Standard Contractual Clauses.

The measures described here are designed to reflect the nature of Wodby's services, including customer-owned infrastructure and Wodby-managed infrastructure offerings. Exact implementations may vary by product feature, cloud provider, deployment model, and risk profile.

• Security responsibilities are assigned to authorized personnel with operational ownership for infrastructure, platform changes, support, and incident response.
• Access to production and support tooling is limited by job role and business need, with changes reviewed and adjusted when roles change.
• New vendors, material architecture changes, and sensitive data flows are reviewed in light of security, privacy, and operational risk.
• Policies, runbooks, and technical controls are updated as services, threats, and legal requirements evolve.

• Personnel access is granted on a least-privilege and need-to-know basis.
• Administrative access is protected through account authentication controls such as strong passwords, role separation, and additional verification measures where supported.
• Customer environments, support systems, and internal tooling are logically separated according to service function and access role.
• Personnel with access to confidential or customer information are subject to confidentiality duties.

• Data transmitted over public networks is protected with TLS or comparable encryption protocols where appropriate.
• Encryption at rest is applied where supported by the relevant infrastructure, storage, or managed service component.
• Secrets such as API keys, tokens, and credentials are stored and handled through controlled systems and workflows rather than being broadly exposed to personnel.
• Cryptographic settings are reviewed and updated over time to maintain compatibility with current operational and security requirements.

• Code and configuration changes are managed through tracked workflows and version control.
• Platform and infrastructure changes are tested and rolled out through controlled deployment processes appropriate to the service component.
• Critical dependency, platform, and security updates may be applied as part of routine or emergency maintenance.
• Logging, diagnostics, and operational review are used to investigate failures, abuse, and unexpected behavior.

• Service monitoring, alerting, and diagnostic tooling are used to identify availability issues, suspicious activity, and operational anomalies.
• Vulnerabilities identified through vendor notices, package updates, customer reports, internal review, or external research are assessed and prioritized based on severity and exposure.
• Security patches, dependency upgrades, and configuration corrections are applied according to risk and operational urgency.
• Wodby may use automated and manual review techniques to assess production hardening, logging coverage, and exposed attack surface.

• Backup, import, and restore features are implemented according to the purchased service and deployment model.
• Recovery options can depend on whether the customer uses Wodby Cloud, customer-owned infrastructure, cloud-provider-managed services, or customer-configured backup destinations.
• Operational runbooks support incident handling, service restoration, and customer communication during disruptive events.
• Retention windows for backups, logs, and temporary import artifacts are limited by product design, operational need, and legal requirements.

• Suspected security incidents are triaged to confirm scope, severity, affected systems, and data exposure.
• Wodby may take urgent containment actions, including credential rotation, temporary access restrictions, infrastructure isolation, or service changes.
• Where a confirmed personal data breach affecting customer personal data occurs, Wodby notifies the relevant customer without undue delay as described in the DPA.
• Post-incident review may lead to updated controls, procedures, and monitoring.

• Vendors are selected based on operational fit and the sensitivity of the functions they perform.
• Wodby imposes contractual obligations on subprocessors and material service providers that are appropriate to the nature of their services and data access.
• Current subprocessors and provider roles are listed on the Subprocessors page.
• Customers may use the DPA objection process if they have a reasonable, documented concern about a new subprocessor.

Security questions, procurement diligence requests, and vulnerability disclosures can be sent to [email protected]. General privacy or data-processing questions can be sent to [email protected].