How we protect your work.
Last updated · April 24, 2026
WOWMi handles Customer Content that is, by definition, sensitive — loan-officer headshots and voices, brand assets, draft scripts, compliance configurations, and (in some deployments) lead and contact information from connected CRMs. This page describes the technical and organizational controls we maintain to protect that information.
For the legal framing of these controls, see Section 6 of our Privacy Policy. For questions or specific requests (vendor-security questionnaires, SOC reports, penetration-test summaries) contact support@wowmi.com.
1. Overview
Our approach is built around four principles:
- Data minimization. We collect what we need to run the Service and nothing else.
- Least privilege. Production access is tightly scoped, audited, and revoked when no longer needed.
- Defense in depth. No single control is the only thing standing between an attacker and Customer Content.
- Customer Content is not training data. Customer Content is never used to train, fine-tune, or improve any model — ours or our vendors'.
2. Infrastructure
WOWMi is hosted on top-tier U.S. cloud providers (AWS and Google Cloud). All Customer-facing traffic terminates inside our private VPCs. Production environments are logically isolated from staging and development, and no Customer Content is ever copied to non-production environments without irreversible obfuscation.
Underlying providers maintain their own SOC 2 Type II, ISO 27001, and equivalent certifications. We rely on those controls for physical-data-center security (multi-zone availability, biometric access, 24/7 monitoring, redundant power) and inherit them by contract.
3. Encryption
- In transit. All connections between Users, the Service, and our sub-processors use TLS 1.2 or higher with strong cipher suites. HSTS is enabled on all Customer-facing domains.
- At rest. Customer Content is stored in encrypted object storage and databases using AES-256. Encryption keys are managed by the cloud provider's key-management service with rotation enabled.
- Secrets. Application secrets (API keys, signing keys, credentials) are stored in a managed secret store and never checked into source control.
4. Access controls
- SSO and MFA are required for all WOWMi staff accessing administrative systems. Hardware security keys are required for production access.
- Role-based access. Production-data access is scoped by role and approved on a need-to-know basis. Standing access to Customer Content is held by a small number of senior engineers; all other access is just-in-time and time-bounded.
- Logging. Administrative actions on production systems and Customer Content access are logged centrally and retained for at least one year.
- Offboarding. Access is revoked the same day a team member leaves; we run a quarterly access review across all systems.
- Customer-side controls. Customer admins manage User invites, role assignments, and SSO at the Customer level. Enterprise-tier Customers can require SSO and SCIM provisioning.
5. Application security
- Secure SDLC. All code changes are reviewed by a second engineer before merging. Static analysis and dependency scanning run in CI on every pull request.
- Authentication. Passwords are hashed with a modern adaptive algorithm. We support email-magic-link sign-in and SSO (SAML 2.0 / OIDC) for all Customer accounts.
- Authorization. Every API call is authorized on the server side against the User's role and the resource's Customer scope. Tenant isolation is enforced at the data-access layer.
- Input validation and output encoding follow OWASP recommendations across the stack.
- CSP, frame controls, and security headers are enforced on all Customer-facing surfaces.
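The authorization model above (server-side check on every call, tenant scope enforced at the data-access layer) is illustrated by the following added example. It is not WOWMi's code: the role names, the actions, the two sample tenants, and the in-memory store are all constructed for the demonstration.

```python
"""Tenant-scoped, server-side authorization: an added illustration.

Hypothetical example, not WOWMi's code. The roles, actions, tenants and the
in-memory "store" below are constructed for the demonstration.
"""
from dataclasses import dataclass

# Role -> allowed actions (constructed; the real role model is not published here).
ROLE_PERMISSIONS = {
    "admin": {"read", "write", "delete", "invite"},
    "editor": {"read", "write"},
    "viewer": {"read"},
}


@dataclass(frozen=True)
class User:
    user_id: str
    customer_id: str  # the tenant (Customer) this User belongs to
    role: str


@dataclass(frozen=True)
class Resource:
    resource_id: str
    customer_id: str  # the tenant that owns this piece of Customer Content
    kind: str


class AuthorizationError(Exception):
    pass


class NotFound(Exception):
    pass


# Constructed sample data: two tenants, one video each.
_STORE = {
    "vid-1": Resource("vid-1", "cust-A", "video"),
    "vid-2": Resource("vid-2", "cust-B", "video"),
}


def load_resource(resource_id: str, customer_id: str) -> Resource:
    """Data-access layer: every lookup is keyed by the caller's tenant.

    A resource owned by another tenant is indistinguishable from one that does
    not exist, so a buggy or forgetful caller still cannot read across tenants.
    """
    res = _STORE.get(resource_id)
    if res is None or res.customer_id != customer_id:
        raise NotFound(resource_id)
    return res


def authorize(user: User, action: str, resource: Resource) -> None:
    """Server-side check run on every API call, whatever the client claimed."""
    # 1. Tenant scope: the resource must belong to the caller's Customer.
    if resource.customer_id != user.customer_id:
        raise AuthorizationError("resource outside caller's Customer scope")
    # 2. Role: the requested action must be permitted for the caller's role.
    if action not in ROLE_PERMISSIONS.get(user.role, set()):
        raise AuthorizationError(f"role {user.role!r} may not {action!r}")


def handle_request(user: User, action: str, resource_id: str) -> str:
    """Request handler composing both layers; returns an HTTP-style outcome."""
    try:
        resource = load_resource(resource_id, user.customer_id)
        authorize(user, action, resource)
    except NotFound:
        return "404 not found"
    except AuthorizationError as exc:
        return f"403 forbidden: {exc}"
    return f"200 {action} {resource.kind} {resource.resource_id}"


if __name__ == "__main__":
    alice = User("u-alice", "cust-A", "admin")
    bob = User("u-bob", "cust-B", "viewer")
    print(handle_request(alice, "delete", "vid-1"))  # 200 delete video vid-1
    print(handle_request(alice, "read", "vid-2"))    # 404 not found (other tenant)
    print(handle_request(bob, "delete", "vid-2"))    # 403 forbidden: role 'viewer' may not 'delete'
```

The tenant comparison appears twice on purpose: the data-access layer filters by tenant so cross-tenant content is never even loaded, and the authorization step re-checks the scope so that a code path which obtains a resource some other way still cannot act on it. That is the "defense in depth" principle from the Overview applied to a single request.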
6. AI vendors and Customer Content
Where Customer Content is processed by third-party AI vendors (for example, large-language-model providers or voice-synthesis providers), we use vendor configurations that:
- Disable training on submitted data;
- Apply zero-retention or short-retention modes where the vendor offers them;
- Process under business-associate or data-processing agreements where the data's sensitivity warrants it.
7. Vendor management
Every sub-processor that handles Customer Content goes through a security review before onboarding (security posture, certifications, data-handling commitments). The current sub-processor list is published in our Privacy Policy (Section 4.1) and updated when sub-processors change.
| Domain | Primary providers |
|---|---|
| Cloud hosting | AWS, Google Cloud, Microsoft Azure |
| AI model providers | OpenAI, Anthropic |
| AI voice synthesis | ElevenLabs |
| Customer support | Zendesk |
| Payment processing | Stripe |
| Identity / SSO | Auth0 / Okta (Enterprise tier) |
8. Vulnerability management
- Dependency scanning runs on every pull request and on a daily schedule against deployed services.
- Patching. Critical vulnerabilities are patched within 72 hours of public disclosure; high-severity within seven days; standard within 30 days.
- Penetration testing. The Service is tested annually by an independent third party. Customers under NDA may request a summary of the most recent report.
- Bug bounty / coordinated disclosure — see Section 12 below.
9. Incident response
We maintain a written incident-response plan that is reviewed at least annually. The plan covers detection, containment, eradication, recovery, and post-incident review.
If we determine that a security incident has affected a Customer's data, we will notify that Customer's designated security contact without undue delay (and within timeframes required by applicable law). Notifications include what we know, what we don't yet know, what we're doing about it, and what we recommend the Customer do.
10. Business continuity
- Backups. Customer Content is backed up daily to a separate region. Backups are encrypted and tested for restorability on a quarterly basis.
- Recovery objectives. We target a recovery-time objective (RTO) of 4 hours and a recovery-point objective (RPO) of 24 hours for Customer Content under standard plans. Enterprise plans can negotiate tighter objectives.
- Multi-region availability for stateless application tiers; database failover is tested at least annually.
11. Certifications and audits
WOWMi is not currently SOC 2 attested. We operate on cloud infrastructure (AWS, Google Cloud, Microsoft Azure) that maintains SOC 2 Type II, ISO 27001, and equivalent certifications, and we follow internal controls that align with the SOC 2 Trust Services Criteria — but we do not currently hold an independent attestation in our own name.
If a formal SOC report or equivalent attestation is a hard requirement for your procurement process, contact us so we can scope what's feasible for your team and timeline.
Customers under NDA may request:
- The most recent penetration-test summary;
- Vendor-security questionnaires (CAIQ, SIG Lite);
- Sub-processor list changes for the prior 12 months.
Email support@wowmi.com with “Security review” in the subject line.
12. Responsible disclosure
If you believe you've found a vulnerability in the Service, we want to hear about it. Please email support@wowmi.com with “Security disclosure” in the subject line and include:
- A description of the vulnerability and its impact;
- Reproduction steps;
- Any proof-of-concept code or screenshots;
- Your name and a way to reach you for follow-up.
We commit to acknowledging reports within two business days, keeping you updated on remediation, and not pursuing legal action against researchers who act in good faith — meaning: no privacy violations, no destruction of data, no service degradation, and no testing against accounts you don't own without explicit permission.
13. Contact
WOWMi LLC
31248 Oak Crest Drive, Suite 210
Westlake Village, CA 91361
Email: support@wowmi.com