
# Security Guide

Wherobots takes the security of its platform, its cloud service, and its
customers' workloads and data seriously. Security is not just a feature.
It’s part of our engineering culture and infused into how we design and
build our software, our internal systems, and our production
environments. Wherobots is built from the ground up with the security of
your data and your workloads in mind.

Wherobots has received its SOC 2 Type 2 attestation and is fully
GDPR-ready.

<Card title="Wherobots Trust Center" icon="shield" href="https://trust.wherobots.com" arrow="true" cta="Visit our Trust Center">
  Looking for our Trust Center and compliance documents? Click here!
</Card>

## Definitions

**Control Plane:** Wherobots' Control Plane is managed by Wherobots and
runs within a private Wherobots network. It is a cloud-hosted system
that manages authentication, users, and access to the service (user
interface and APIs). The Control Plane handles metadata management,
enterprise management, and usage monitoring. Customer data neither
passes through nor is stored in the Control Plane.

**Compute Plane:** The Compute Plane is serverless to users, so it's
fully managed by Wherobots, and is deployed into cloud regions supported
by Wherobots. The Compute Plane hosts the workloads in a
Wherobots-managed network, and it can connect to the Wherobots Data Hub,
connect privately to customer-owned data sources (e.g., an Amazon Simple
Storage Service (S3) bucket), or connect to public data sources and
repositories.

**Workloads:** Workloads are the Wherobots jobs, queries, notebooks,
sessions, machine learning models, or artificial intelligence
capabilities that can run on Wherobots and interact with customer data.

## Infrastructure and network security

### Cloud providers

Wherobots compute and control planes are currently hosted on AWS. By
using AWS, Wherobots inherits all the physical and logical security and
compliance features built into AWS’s datacenters, network, and
infrastructure.

The list of our current compute plane regions is available
[here](/availability) in our documentation. If you need compute presence
close to your data in other cloud provider regions, please tell us by
filling in this form.

### Networking and encryption

The control plane and compute plane network infrastructure is managed by
Wherobots. Wherobots maintains network isolation between customer
workloads. Connectivity between a compute plane region and the control
plane is secure, private, and encrypted.

By default, Wherobots uses VPC Gateway endpoints to ensure connectivity
between the compute plane and your Amazon S3 buckets is private and
never leaves the AWS cloud network.

#### Encryption

All network traffic, including traffic between VMs within the compute
plane<sup>1</sup> and connections with private and public data sources, is
encrypted in transit.

Wherobots uses network-attached storage with virtual machines and cloud
object storage. When data is at rest, it is always encrypted using an
encryption key provided and managed by a cloud provider (e.g. AWS KMS).

### Access control

Wherobots prioritizes the security and integrity of customer data, and
security practices are integrated throughout all business operations.

* All employees and operators must use dedicated user accounts, and use
  Google SSO combined with MFA wherever available. This reduces the
  risk of unauthorized access, prohibits credential sharing, limits
  elevated permissions effectively, and provides traceability of access.
  Only specific employees requiring data access for support purposes
  have such permissions, and all access is logged.

* User permissions and access are continuously reviewed to maintain
  alignment with current roles and access requirements. These reviews,
  conducted both manually and through automated compliance tools,
  swiftly identify and resolve any unnecessary or outdated access.

* Customers must follow robust password guidelines to ensure strong
  credentials are used to log into the Wherobots Cloud platform.
  Additionally, Wherobots offers SSO support via SAML, allowing
  customers to utilize their existing identity providers for secure,
  seamless authentication. Customers retain complete control over their
  configurations.

* Wherobots uses Identity and Access Management (IAM) cross-account
  roles to ensure granular, least privilege access to customer-owned
  cloud resources.

### Third-party audits

Wherobots undergoes SOC 2 compliance audits yearly and has obtained its
SOC 2 Type 2 attestation.

Penetration testing is performed regularly by an independent
third party. Any findings from the penetration testing are immediately
investigated by Wherobots’ security and engineering teams, and
remediated according to their severity. The latest penetration testing
report can be shared on request.

For more information about Wherobots' compliance posture, visit our
[Trust Center](https://trust.wherobots.com).

### Email and DNS security

Wherobots implements all currently available best practices for email
security and spoofing prevention with DMARC and DKIM. Automated emails
produced by Wherobots systems are sent via AWS SES or via Hubspot, both
of which are explicitly authorized to send emails on our behalf.

All domain name service zones for Wherobots domains are managed by AWS
Route 53, inheriting the security and auditability capabilities of AWS
services.

## Business continuity and disaster recovery

Wherobots has an established Business Continuity and Disaster Recovery
plan to ensure that both our business and our product offerings deliver
high availability and resilience to our end users.

All business data is securely stored and backed up by our service
providers. All customer data and metadata is stored in
version-controlled S3 buckets, which provide high availability and S3’s
renowned extreme durability, and is backed up in a separate AWS region.
Backup and recovery procedures are frequently exercised to provide a
sub-24h RTO.

Wherobots runs regular business continuity and disaster recovery
scenarios to plan for unforeseen events and test its disaster recovery
procedures. These events include but are not limited to loss of key
personnel, degradation of key infrastructure, and operational force
majeure events. The remediations for these possible events are discussed
annually.

## Corporate security

Wherobots incorporates comprehensive technical and operational
safeguards to protect your data and ensure uninterrupted service
availability. We maintain transparency in our security practices,
consistently aiming to surpass industry standards.

* All corporate devices are secured through Mobile Device Management
  (MDM), ensuring compliance with our security standards. Advanced
  anti-malware and anti-virus software are deployed and regularly updated
  to counter evolving threats. Full disk encryption safeguards data stored
  on all corporate devices. Strong password policies and automatic
  screen locks further minimize unauthorized access risks.

* Employees complete security and privacy awareness training during
  onboarding and annually thereafter, ensuring adherence to current
  security best practices. All employees undergo thorough background
  checks.

* Our security team continuously monitors the cloud environment,
  supported by real-time threat protection tools and proactive incident
  response strategies. Cloud Security Posture Management (CSPM) tools
  continuously track and respond to anomalies or unusual activities.

* Physical access to Wherobots offices is strictly controlled through a
  badge system, ensuring entry is limited to authorized personnel only.

## Responsible disclosure

Security researchers are encouraged to responsibly disclose
vulnerabilities and security issues to Wherobots’ security team at
[`security@wherobots.com`](mailto:security@wherobots.com) with a working
proof of concept. Wherobots does not have a bug bounty program at this
time.

<br />

<br />

1. In AWS, Wherobots uses Amazon EC2 Nitro instances that encrypt data in transit between VMs.
