Trust Center

Security at winecall

An overview of how we protect your data, what processors we use, and how we handle incidents. For specific questions, write to security@winecall.app.

  • Data location: EU (Germany). Tier-3 datacenter in EEA.
  • Transport: TLS 1.3. HSTS preload + 2-year max-age.
  • At rest: Encrypted. S3 SSE + Postgres volume encryption.
  • Credentials: Bcrypt. Passwords never stored in plaintext.
  • Compliance: GDPR + Swiss FADP. Privacy policy public, DPAs on request.
  • Disclosure: security@winecall.app. 48h response SLA for reports.

Infrastructure

All production infrastructure runs in the European Union (Germany). No user data leaves the European Economic Area for core operations.

  • Compute: dedicated EU servers, no shared tenancy with other winecall customers on the database layer.
  • Object storage: S3-compatible EU object storage with versioning enabled for recovery.
  • Network: TLS 1.3 with HTTP/2, auto-renewed certificates.
  • Backups: encrypted database snapshots daily, 30-day retention. Off-site replication on the roadmap.

Application security

  • Authentication: email + password. Passwords bcrypt-hashed with industry-standard cost factor, min 8 characters, never logged.
  • Authorization: row-level access controls enforced at the database layer, verified monthly. Service-role keys never exposed to clients.
  • Rate limiting: per-IP rate limits on upload, signup, and share-password endpoints.
  • CORS: we restrict Access-Control-Allow-Origin to https://winecall.app. No wildcard.
  • Security headers: HSTS (2-year preload), X-Content-Type-Options, X-Frame-Options SAMEORIGIN, Referrer-Policy strict-origin-when-cross-origin, Permissions-Policy.
  • SQL injection: all queries via parameterised Supabase client. No raw SQL in application code.
  • XSS: React auto-escaping, no dangerouslySetInnerHTML on user input.
  • CSRF: cookie-based auth with SameSite protection; state-changing endpoints require authenticated session.

Data handling

  • What we store: account data (email, name, hashed password, org name), uploaded media (S3), comments, stream usage counters. Full list in the Privacy Policy.
  • What we do not store: full credit-card data (Stripe handles it), content you never uploaded, any data beyond what the service needs.
  • AI training: we do not use your content, comments, or any user data to train machine-learning models. We do not share data with third parties for training purposes.
  • Retention: account data kept until deletion, free-tier files auto-purged after 14 days, backups rolling 30 days, invoices kept 10 years (Swiss legal obligation).
  • Export: any user can request their data in machine-readable form via privacy@winecall.app. Response within 30 days.
  • Deletion: same contact, same SLA. Cascade-deletes org, members, rooms, comments, files.

Subprocessors

We rely on a small set of EU-based subprocessors for hosting, payment processing, and transactional email delivery. All have signed Data Processing Agreements (Art. 28 GDPR) and operate within the European Economic Area.

The current list of named subprocessors, with their roles and DPA references, is available upon request: write to privacy@winecall.app. Customers receive notification of any material change to the subprocessor list before it takes effect.

Incident response

  1. Detection: structured logs reviewed on alert from uptime monitoring or manual reports.
  2. Triage: within 4 business hours on weekdays, 24h on weekends. Severity classified as low/medium/high/critical.
  3. Containment: affected service isolated; credentials rotated if compromise suspected.
  4. Notification: affected users informed via email within 72 hours for any personal-data breach (GDPR Art. 33–34 compliant).
  5. Post-mortem: written summary of cause + remediation, shared with affected parties on request.

Report a vulnerability: security@winecall.app. We acknowledge within 48 hours. Responsible-disclosure reporters are credited in release notes if desired.

What we do not do yet (honest status)

  • ISO 27001: not certified. Planned for when paying ARR supports the investment. Most technical controls are already in place; formal ISMS documentation is pending.
  • SOC 2: not pursued. EU customers typically require ISO 27001 or BSI C5 instead.
  • Penetration test: no external pentest report yet. Planned Q3 2026.
  • Bug bounty: not running yet. Security reports welcome via email.

We publish this section transparently rather than claim certifications we do not hold. Enterprise customers who require formal audits: let us know; the business case can accelerate certification.

Contact

  • Security reports: security@winecall.app (vulnerabilities, suspicious activity)
  • Privacy requests: privacy@winecall.app (GDPR access / export / deletion)
  • General support: support@winecall.app (account + product questions)
  • DPA / legal: hello@winecall.app (signed Data Processing Agreement on request)

Last reviewed April 2026. This page is updated when our security posture changes.