Security & Compliance

WinIQ Trust Center

Our commitment to protecting your data with enterprise-grade security

Last Updated: February 2026

TLS 1.3: Encryption in Transit
AES-256: Encryption at Rest
20+: Audit Event Types
RLS: Database Isolation

Security Overview

Data Protection

Control | Status | Details
Encryption in Transit | Implemented | TLS 1.3 for all API communications
Encryption at Rest | Implemented | AES-256-GCM field-level encryption
Database Security | Implemented | PostgreSQL with Row-Level Security (RLS)
Tenant Isolation | Implemented | Database-level isolation (RLS policies) prevents cross-tenant access
Audit Logging | Implemented | 20+ security event types captured

Authentication & Access Control

Control | Status | Details
Password Security | Implemented | bcrypt hashing with configurable cost factor
JWT Authentication | Implemented | 1-hour token expiry, secure signing
Account Lockout | Implemented | 5 failed attempts trigger a 30-minute lockout
Role-Based Access | Implemented | Admin, Manager, Engineer roles
SSO/SAML | Planned Q2 2026 | Azure AD, Okta, Google support
MFA | Planned Q2 2026 | TOTP-based authentication
IP Allowlisting | Planned Q2 2026 | Enterprise tier feature
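The lockout and token-expiry rows above, worked through as an added reference example. This is not WinIQ's own code: it assumes an in-memory store (a real service keeps the counters in the database), an injectable clock so the 30-minute window can be exercised, that the password check itself is done by the caller, and that tokens are signed with HS256 over a shared secret, which is one possible reading of "secure signing" and an assumption here.

```python
"""Account lockout (5 failures -> 30 minutes) and 1-hour HS256 JWTs.
Added example, not WinIQ's code; in-memory state and an injectable clock are assumptions."""
import base64
import hashlib
import hmac
import json
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

MAX_FAILED_ATTEMPTS = 5
LOCKOUT_SECONDS = 30 * 60
TOKEN_TTL_SECONDS = 60 * 60
ROLES = ("Admin", "Manager", "Engineer")  # the three roles listed on the page


@dataclass
class AccountState:
    failed_attempts: int = 0
    locked_until: float = 0.0  # unix time; 0.0 means not locked


class LoginGuard:
    """Counts failed logins per username and enforces the lockout window."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self.clock = clock
        self.accounts: Dict[str, AccountState] = {}

    def is_locked(self, username: str) -> bool:
        state = self.accounts.get(username)
        return state is not None and self.clock() < state.locked_until

    def record_failure(self, username: str) -> bool:
        """Record one failed attempt; returns True if it triggered a lockout."""
        state = self.accounts.setdefault(username, AccountState())
        now = self.clock()
        if state.locked_until and now >= state.locked_until:
            # Previous lockout expired: count afresh instead of re-locking on the next miss.
            state.failed_attempts = 0
            state.locked_until = 0.0
        state.failed_attempts += 1
        if state.failed_attempts >= MAX_FAILED_ATTEMPTS:
            state.locked_until = now + LOCKOUT_SECONDS
            return True
        return False

    def record_success(self, username: str) -> None:
        """A successful login clears the failure count."""
        self.accounts.pop(username, None)


def attempt_login(guard: LoginGuard, username: str, password_ok: bool) -> str:
    """Outcome of one attempt ('ok', 'failed', 'locked'); the password check is the caller's."""
    if guard.is_locked(username):
        return "locked"  # same answer whatever the password, and the counter is untouched
    if password_ok:
        guard.record_success(username)
        return "ok"
    return "locked" if guard.record_failure(username) else "failed"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(secret: bytes, subject: str, role: str, now: float) -> str:
    """Mint an HS256 JWT carrying one of the platform roles, expiring one hour from now."""
    if role not in ROLES:
        raise ValueError(f"unknown role: {role}")
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": subject, "role": role, "iat": int(now), "exp": int(now) + TOKEN_TTL_SECONDS}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, payload)
    )
    signature = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(signature)}"


def verify_token(secret: bytes, token: str, now: float) -> Optional[dict]:
    """Return the payload if the signature is valid and the token is unexpired, else None."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        # Pin the algorithm: the token must never choose how it is verified ("alg": "none").
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None
        expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
        payload = json.loads(_b64url_decode(p))
    except ValueError:  # wrong segment count, bad base64, bad JSON
        return None
    if not isinstance(payload, dict) or not isinstance(payload.get("exp"), int):
        return None
    if now >= payload["exp"]:
        return None
    return payload
```

Two details matter more than the constants: a locked account answers "locked" regardless of whether the password was right, so the lockout cannot be used as a password oracle, and the verifier checks the signature before it reads any claim from the payload.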

Regulatory Definitions

Term | Definition
GDPR | Regulation (EU) 2016/679 (General Data Protection Regulation)
UK GDPR | The retained version of the EU GDPR as it forms part of UK law, read together with the Data Protection Act 2018 (as amended)
ICO | UK Information Commissioner's Office, the supervisory authority for UK GDPR and the Data Protection Act 2018. WinIQ is registered with the ICO under reference ZC109190.
CCPA/CPRA | California Consumer Privacy Act as amended by the California Privacy Rights Act (amendments operative from 1 January 2023)
Global Framework Alignment: Where applicable, WinIQ aligns with equivalent data protection frameworks, including CPRA (California, USA), LGPD (Brazil), PIPEDA (Canada), PDPA (Singapore), APPI (Japan), Swiss FADP, and POPIA (South Africa). See our Privacy Policy for full details.

Alignment with equivalent frameworks does not constitute formal legal certification under those regimes unless contractually agreed.

Our Role: Controller vs Processor

WinIQ's role under data protection law depends on the type of data being processed:

WinIQ as Data Controller

  • Website visitor data and analytics
  • Marketing and communications
  • Account registration information
  • Billing and payment data

WinIQ as Data Processor

  • Customer-uploaded documents
  • Customer content in the platform
  • AI analysis on customer data
  • Personal data in customer files

Data Processing Agreement (DPA): Enterprise customers can request a DPA outlining WinIQ's obligations as a processor, including security measures, subprocessor use, data subject rights assistance, and breach notification. Contact .

Compliance Status

We apply GDPR-level data protection standards globally, even where local regulations are less stringent.

Regulatory Alignment

  • ICO Registered Data Controller
    Registration reference: ZC109190 · Registered: 22 March 2026 · Expires: 21 March 2027
  • UK GDPR Controls Implemented
    Lawful basis documented, data subject rights, consent management, DPAs with subprocessors, breach notification procedures, data protection impact assessments
  • CCPA/CPRA Controls Implemented
    Consumer data rights (including right to correct and limit use of sensitive data), do-not-sell/share disclosures, privacy notice requirements

GDPR and CCPA/CPRA compliance is an ongoing obligation, not a one-time certification. We continuously review and update our controls.

Compliance Roadmap

  • SOC 2 Type II: In Progress
    Target: Q3 2026 · Scope: Security & Confidentiality trust service criteria
    Auditor: To be confirmed · Readiness assessment underway
  • ISO 27001: Controls Implemented
    Target: Q4 2026 · Certification audit not yet completed

Subprocessors

WINIQ AI LTD (trading as WinIQ) uses the following third-party subprocessors to deliver our services. All providers have Data Processing Agreements in place.

Subprocessor | Purpose | Location | DPA Status
OpenAI | AI language model provider | United States | DPA/SCC in place
Azure OpenAI | AI language model provider | EU (configurable) | DPA/SCC in place
Anthropic (Claude) | AI language model provider | United States | DPA/SCC in place
Google (Gemini) | AI language model provider | United States | DPA/SCC in place
Google Analytics (GA4) | Website analytics (consent required) | United States | DPA/SCC in place
FormSubmit | Contact form processing | United States | DPA + SCCs
Stripe | Payment processing | United States / Ireland (EU) | PCI DSS compliant
Google Cloud Platform (GCP) | Application hosting, database, compute | US / EU (configurable) | DPA/SCC in place
IONOS | Website hosting | United Kingdom | DPA in place

Note: Customer data is processed only to provide the WinIQ service. AI providers do not retain customer data or train on it. Data residency options are available for EU deployment.

Data Handling Practices

What We Collect

Data Type | Purpose | Retention
Account Information | User authentication and billing | Account lifetime + 30 days
Usage Data | Service improvement and billing | 2 years
Uploaded Documents | AI analysis and processing | Until user deletion
Audit Logs | Security and compliance | 1-2 years, depending on event type

What We Don't Do

  • Train AI models on customer data
  • Sell or share data for marketing
  • Access data without permission
  • Store data longer than necessary

Your Rights

  • Access: request a copy of your data (GDPR Art. 15)
  • Correction: update inaccurate information (GDPR Art. 16)
  • Deletion: request data deletion (GDPR Art. 17)
  • Portability: export in standard formats (GDPR Art. 20)
  • Objection: opt out of processing (GDPR Art. 21)
  • Restriction: limit data processing (GDPR Art. 18)

Incident Response

In the event of a security incident affecting customer data, we follow a structured response process:

  1. Detection: automated monitoring
  2. Assessment: scope and impact
  3. Notification: within 72 hours of becoming aware of the breach (the GDPR Art. 33 deadline)
  4. Remediation: contain and resolve
  5. Post-Incident: root cause analysis

Report a Security Issue

If you discover a security vulnerability, please report it responsibly:

Response within 24 hours

Frequently Asked Questions

Is my data used to train AI models?

No. Your documents, RFPs, and other data are never used to train AI models. We use AI providers' APIs in a stateless manner where your data is processed and immediately discarded by the AI provider.

Where is my data stored?

By default, data is stored in cloud infrastructure in the United States. EU data residency is available to Enterprise customers whose policies or data-transfer obligations require customer data to remain in the EU; GDPR applies to that data wherever it is stored.

Can WinIQ employees access my data?

Access to customer data is restricted to authorized personnel for support purposes only, and all access is logged. We do not access customer data without explicit permission except as required for service operation.

What happens to my data if I cancel?

Upon account cancellation, your data is retained for 30 days (to allow for reactivation), then permanently deleted. You can request immediate deletion at any time.

Is WinIQ SOC 2 certified?

Not yet. SOC 2 Type II certification is currently in progress, with a target completion of Q3 2026. We are in the readiness assessment phase and have not yet completed an audit. We are happy to share our current security documentation and controls inventory upon request — please contact .

Questions About Security?

Our team is here to help with any security or compliance questions.

WinIQ — WINIQ AI LTD, 86-90 Paul Street, London, England, EC2A 4NE, United Kingdom

ICO Registration: ZC109190