
Data Security & Governance

Last Updated May 2025



Introduction

WethosAI is committed to the highest standards of data security and governance. Our policy outlines the principles and practices we follow to protect the data entrusted to us by our customers, ensuring confidentiality, integrity, and availability.

The objective of this policy is to establish and communicate our approach to data security and governance, reinforcing our dedication to safeguarding customer data against unauthorized access, disclosure, alteration, or destruction.

This policy applies to all data and information systems used by WethosAI, including but not limited to customer data, employee data, and company proprietary data.



Data Security

This section provides an overview of the controls implemented to secure data against unauthorized access, disclosure, alteration, or destruction.

Confidentiality

Access Control

Access to data is strictly limited to authorized personnel based on their role, according to the principle of least privilege. Key components of our approach include:

  • Multi-Factor Authentication (MFA)
  • Role-Based Access Control (RBAC)
  • Regular audits and reviews
  • Access request and approval processes
  • Segregation of duties
  • Temporary access
  • Training and awareness

Data Encryption

Data is encrypted in transit and at rest using industry-standard cryptographic protocols.

  • At Rest. All sensitive data stored by WethosAI is encrypted using the 256-bit symmetric AES-GCM algorithm.
  • In Transit. All data transmitted over public networks is encrypted using QUIC/TLS 1.3 with X25519 key exchange and AES_128_GCM.

Availability

Backup and Recovery

Backups are performed automatically on a daily basis, ensuring consistent data snapshots that can be quickly restored. Backup integrity is routinely verified to ensure data can be effectively recovered.

Recovery protocols are clearly defined, including steps for data restoration and validation. These protocols ensure minimal downtime and data loss in the event of hardware failure or other disruptions.

System Maintenance

System updates are deployed without disrupting service availability. Maintenance activities include updates, patches, and hardware upgrades that improve capabilities, performance, and security. In rare instances where service availability will be abnormally affected by an update, WethosAI will send advance notice to our customers where feasible.

Continuous monitoring of systems detects and addresses potential issues before they affect performance or stability.

Disaster Recovery

Our disaster recovery strategy is supported by automated backups and regular drills to test the effectiveness of our recovery procedures, ensuring rapid restoration of services in the event of an incident.



Data Governance

This section outlines our data governance practices to ensure that your data is handled responsibly and with transparency.

Data Minimization

We only collect data that is essential for delivering valuable experiences and enabling the features of the WethosAI product. Data that we collect and use is purpose-driven and directly relevant and necessary to enhance product capabilities and value.

Data Storage and Protection

All user data is stored on secure, encrypted servers located in North America only.

Access to data is strictly controlled and limited to authorized personnel who require it to perform their job functions. We employ industry-standard security measures, including firewalls and regular logging. Data is backed up regularly to prevent loss in case of system failures or disasters.

Data Retention and Disposal

We design our data retention practices to maximize privacy and security while maintaining highly performant product features.

Data retention practices are also linked to our data classification framework, which encompasses four classification levels: Public, Internal, Confidential, and Critical.

Public

  • Public data carries no risk and can be disclosed without impact. An example of public data would be a publicly shared testimonial or published use case.
  • Public data is retained for the duration of its relevance, or disposed of by request.

Internal

  • Internal data is used for business operations, and includes data such as aggregate usage statistics or de-identified data for product improvement or performance.
  • Internal data is retained as necessary.

Confidential

  • Confidential data includes data such as usage data and contact information, as well as data categorized as personally identifiable information (PII).
  • Confidential data is securely stored, and retained for only as long as needed to fulfill its purpose.
  • Confidential data is securely disposed of or de-identified.

Critical

  • Critical data is essential to the delivery of the WethosAI product and includes data such as credentials, configuration settings, and operational data.
  • Critical data is typically retained for the duration of the customer relationship, is securely stored, and securely managed via the data security processes outlined in this document.
  • Critical data disposal is managed to align with business continuity requirements, contractual obligations, and regulatory requirements.

Data Deletion Requests

Upon receiving a deletion request, we take prompt action to remove your information from our systems and confirm completion of the request.

We ensure that all data deletion processes are secure and thorough to protect your privacy.

Data Protection

We conduct risk assessments at scheduled intervals and prior to any major system changes to proactively identify vulnerabilities and potential threats to customer data. Based on the findings, we implement targeted security enhancements, adjust controls, and refine policies to mitigate identified risks effectively.

Compliance and Auditing

Legal Compliance: We comply with relevant data protection laws and regulations, depending on the location of our clients and their employees.

Audits and Reviews: Our platform undergoes third-party audits as needed.

Incident Response and Notification

In the event of a data breach or security incident, we will promptly notify affected clients and take immediate action to secure the platform and mitigate any potential harm.

Policy Updates

This policy will be reviewed annually or as required by changes in law or technology. Any amendments will be communicated to stakeholders in a timely manner.