Last updated: August 31, 2022

Contact: [email protected] (disclosure policy)

Data security is a top priority for Whywhywhy, and we follow industry best practices to secure our customers’ data.


We don’t store any customer passwords.

All sign-ins to Whywhywhy are conducted via an SSO provider. We currently use Google Workspace as our primary SSO provider, but if you use another SSO providers (such as Okta), let us know.

Data storage

All application and customer data is hosted and managed by Google Cloud Platform (GCP) using their secure data centers. We leverage many of the platform’s built-in security, privacy, and redundancy features. GCP continually monitors its data centers for risk and undergoes assessments to ensure compliance with industry standards. GPC’s data centers have numerous certifications, including ISO-27001 and SOC2.

Our Data Management Policy follows industry best practices for the classification, handling, and disposal of sensitive data.


All customer data is encrypted in transit and at rest.

Whywhywhy uses Google Cloud’s AES 256-bit encryption to secure customer data. Database credentials, authentication tokens, and query results are encrypted using Google’s Key Management Service (KMS) using a unique encryption key per customer organization. All network traffic is encrypted in transit using 256-bit encryption with TLS 1.2.

Continuous Monitoring

We use Vanta to continuously monitor our systems, people, and practices, and have begun the process of obtaining our SOC 2 Type 2 certification (expected later this year).

Data access

We follow a least-privilege approach to access and handling of data, and employees can only access data required to perform their job duties. We require SSO, 2-factor authentication, and enforce strong password policies to ensure access to cloud services is protected.

All Whywhywhy employees are required to complete annual security training (via Vanta), and sign a confidentiality agreement before their employment begins.

Incident response