Security

Last updated: June 3, 2026

Security is foundational to Washly. This page describes the technical and organisational measures we use to protect your data and keep the Service available. It supplements our Privacy Policy and Data Processing Agreement.

1. Infrastructure

Washly runs on AWS and Cloudflare in geo-redundant regions. Production environments are isolated from development and staging, deployed via infrastructure-as-code, and protected by VPC isolation, security groups, and WAF rules. We do not operate on-premises servers.

2. Encryption

  • In transit: TLS 1.2+ for all client–server and inter-service traffic. HSTS enforced.
  • At rest: AES-256 for databases, object storage, and backups.
  • Passwords: hashed with bcrypt; never logged or stored in plaintext.
  • Secrets: managed in a dedicated secrets vault with rotation and audit logging.

3. Access controls

  • Role-based access control (RBAC) across the platform.
  • Mandatory SSO and 2FA for all Washly employees.
  • Just-in-time, approval-based access to production systems.
  • Quarterly access reviews and automated revocation on offboarding.

4. Application security

  • Secure SDLC with mandatory peer code review.
  • Static analysis (SAST), dependency scanning, and secret scanning on every commit.
  • Annual third-party penetration tests; remediation tracked to closure.
  • Public vulnerability disclosure programme — report to security@washly.app.
  • OWASP Top 10 controls embedded into framework defaults (CSRF, XSS, SQLi, SSRF, IDOR).

5. Monitoring and logging

We collect application, infrastructure, and audit logs in a centralised SIEM with 12-month retention. Anomaly detection and alerting run 24/7. Customer-visible audit logs are available in the dashboard for admin actions, logins, and data exports.

6. Backups and disaster recovery

  • Encrypted, daily automated backups with point-in-time recovery for the last 35 days.
  • Recovery Time Objective (RTO): 4 hours.
  • Recovery Point Objective (RPO): 1 hour.
  • DR exercises run at least annually.

7. Business continuity

Multi-region failover for critical services. Documented runbooks for common incident types. On-call engineers respond 24/7/365.

8. Incident response

We maintain a documented incident response plan covering detection, triage, containment, eradication, recovery, and post-mortem. Confirmed personal data breaches are reported to affected customers without undue delay, and in any case within 72 hours of confirmation, in line with the NDPA, GDPR, POPIA, and the Kenya DPA.

9. Sub-processors

We use a vetted list of sub-processors (cloud, email, SMS, payments, analytics). The current list is published in our DPA. We give 30 days' notice before adding new sub-processors so you may object.

10. Compliance

  • Aligned with the SOC 2 Type II control framework (audit in progress).
  • GDPR / UK GDPR compliant data handling.
  • NDPA (Nigeria) registered data controller / processor.
  • POPIA (South Africa) and Kenya DPA aligned.
  • PCI DSS: we never store full card numbers; payment data is tokenised by PCI DSS-certified payment service providers (PSPs).

11. Employee security

All Washly employees pass background checks (where permitted by law), sign confidentiality agreements, and complete annual security and privacy training. Endpoints are managed, encrypted, and remotely wipeable.

12. Customer responsibilities

  • Enable 2FA on all admin accounts.
  • Use strong, unique passwords (we recommend a password manager).
  • Grant the minimum role necessary to each staff member.
  • Promptly remove access for departing staff.
  • Report suspected security issues to security@washly.app.

13. Reporting a vulnerability

We welcome responsible disclosure. Email security@washly.app with steps to reproduce. We acknowledge within 2 business days and aim to remediate critical issues within 30 days. Please do not publicly disclose until we confirm a fix is in place.

Questions? Contact us at legal@washly.app.