Security & Compliance

A pragmatic snapshot of how Warpweb handles your data — and your customers’ data — at the platform level. If your procurement review needs something not covered here, email security@warpweb.ai.

Data residency

All Warpweb customer data and generated site content is hosted in the United States. Edge cache for deployed sites runs on a global CDN, so visitors are served from the nearest edge while the origin of record stays in the US.

Encryption

  • In transit — TLS 1.2+ on every endpoint (api.warpweb.ai, generated *.warpweb.app sites, custom-domain sites). HTTP requests are redirected to HTTPS.
  • At rest — managed-disk encryption on every database, object store, and backup. API keys and webhook signing secrets are stored as ciphertext keyed off platform-managed encryption keys.

API key hygiene

  • Keys are shown in plaintext once at creation and never retrievable again. We store a hash; we cannot recover a lost key.
  • Revoke or rotate any time from the dashboard. Revoked keys return 401 within seconds.
  • Keys never leave your account scope — they authorize only the endpoints for the account that created them.
  • Rate limits and per-key audit logs are in place to detect anomalous use.

If you suspect a key has leaked, rotate immediately from the dashboard and contact support — we’ll review request logs for that key.

Webhook signing

Every outbound webhook is HMAC-SHA256-signed over ${timestamp}.${raw_body} with a per-account (lifecycle) or per-site (form) secret. See Verifying Signatures for the verification protocol and reference implementations.

Receivers should:

  • Verify the signature against the raw body bytes (never re-serialized JSON).
  • Reject any request whose X-Warpweb-Timestamp is more than 300 seconds from local wall clock.
  • Use a constant-time comparison.

The replay window is 300 seconds. The signing-secret format and verification semantics are documented; rotating the secret takes seconds via the API.
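A receiver-side check that applies the three rules above (raw body bytes, 300-second window, constant-time comparison), written as an added Python example and not one of Warpweb's reference implementations. X-Warpweb-Timestamp is the header named on this page; the X-Warpweb-Signature header name, the hex encoding of the digest, and the secret and body are assumptions constructed for the example.

```python
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# X-Warpweb-Timestamp is the header named in the docs; the signature header
# name and the hex encoding of the digest are assumptions for this example.
TIMESTAMP_HEADER = "X-Warpweb-Timestamp"
SIGNATURE_HEADER = "X-Warpweb-Signature"  # assumed name
REPLAY_WINDOW_SECONDS = 300

def sign(secret: bytes, timestamp: str, raw_body: bytes) -> str:
    """HMAC-SHA256 over `${timestamp}.${raw_body}`; used here to build a sample delivery."""
    return hmac.new(secret, timestamp.encode() + b"." + raw_body, hashlib.sha256).hexdigest()

def verify_webhook(secret: bytes, headers: dict, raw_body: bytes,
                   now: Optional[float] = None) -> Tuple[bool, str]:
    """Return (accepted, reason). raw_body must be the exact bytes received, unparsed."""
    timestamp = headers.get(TIMESTAMP_HEADER)
    signature = headers.get(SIGNATURE_HEADER)
    if timestamp is None or signature is None:
        return False, "missing header"
    try:
        sent_at = int(timestamp)
    except ValueError:
        return False, "bad timestamp"
    current = time.time() if now is None else now
    # Outside the 300 second replay window (either direction) is rejected.
    if abs(current - sent_at) > REPLAY_WINDOW_SECONDS:
        return False, "stale timestamp"
    expected = sign(secret, timestamp, raw_body)
    # Constant-time comparison so the check does not leak how many bytes matched.
    if not hmac.compare_digest(expected.encode(), signature.encode()):
        return False, "signature mismatch"
    return True, "ok"

def demo() -> dict:
    """Constructed delivery checked three ways: valid, replayed, and re-serialized body."""
    secret = b"constructed-example-secret"  # not a real Warpweb secret
    body = b'{"event":"form.submitted","fields":{"email":"visitor@example.com"}}'
    ts = "1700000000"
    headers = {TIMESTAMP_HEADER: ts, SIGNATURE_HEADER: sign(secret, ts, body)}
    # Parsing and re-serializing inserts spaces, so these bytes no longer match.
    reserialized = json.dumps(json.loads(body)).encode()
    return {
        "valid": verify_webhook(secret, headers, body, now=1700000100),
        "replayed": verify_webhook(secret, headers, body, now=1700000400),
        "reserialized": verify_webhook(secret, headers, reserialized, now=1700000100),
    }
```

The third case in `demo()` is the common receiver bug: verifying over `json.dumps(json.loads(body))` instead of the bytes that arrived fails even though the payload is semantically identical.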

Form-submission PII

Form submissions on deployed sites are stored for 90 days by default — long enough for dead-letter recovery, short enough that we’re not a long-term data lake for visitor PII. Configure a webhook receiver and you own the long-term store. Submissions are TLS-protected end-to-end and never logged in cleartext to internal systems.

Subprocessors

Warpweb relies on the following processors for parts of the platform. Procurement-grade list, current as of the most recent docs update:

Processor | Purpose | Data
Edge CDN provider | Hosts deployed sites and routes inbound traffic. | Visitor IPs, request metadata for deployed sites.
Registrar partner | Domain registration and DNS for sites bought via POST /v1/domains/register. | Domain name, registrant contact info (your account email by default).
Stripe | Credit-pack purchases and per-site monthly subscriptions. | Account email, billing details, payment card tokens (PCI scope held by Stripe).
Google Places | Business research (one read at site creation; cached 24h). | Business name + location you submit. No PII beyond what’s in the public Places listing.
AI model provider(s) | The generation engine for site content and revisions. | The business research + your prompts. Inputs are not used to train external models.

A current canonical list is available on request — email security@warpweb.ai or attach a DPA request. We notify customers at least 30 days before any material subprocessor change.

Data deletion

  • From the dashboard — Deactivate a site to take it offline immediately. Site data is preserved for 90 days for dead-letter recovery, then archived.
  • Full account deletion — Email support@warpweb.ai. We act on requests within 30 days of receipt. Backups roll off on a 90-day cycle.
  • GDPR / CCPA — Honored. Send requests from the account email on file (or with proof of agency) to support@warpweb.ai.

DPA & contracts

A Data Processing Agreement (DPA) and Standard Contractual Clauses (SCCs) are available on request — email security@warpweb.ai. We countersign within a few business days for accounts on paid plans.

SOC 2 / ISO

Warpweb is not SOC 2 or ISO 27001 certified today. Certification is on the roadmap. If your procurement requires audited attestation, contact us and we’ll share the security questionnaire we maintain in lieu of a formal audit.

Reporting a vulnerability

Email security@warpweb.ai. We respond within one business day to any security report. Coordinated disclosure: we ask for 90 days to ship a fix before public disclosure, and we won’t take legal action against good-faith research.

Logs we keep

  • API requests — 30 days, surfaced in the dashboard usage view.
  • Webhook deliveries — 30 days (status code, response body for 4xx/5xx, retry history; dead-letter contents). Useful for “why didn’t my receiver get this?” debugging.
  • Build / revision artifacts — kept as long as the site is active; 90 days post-deactivation, then archived.
  • Authentication events — 90 days (key created / rotated / revoked, login events).

What’s not covered here

If your specific compliance question isn’t in this page — HIPAA, PCI scope on customer storefronts, FedRAMP, sector-specific data-residency requirements — email security@warpweb.ai. The honest default answer for industry-specific regimes that we haven’t been audited against is “not today,” but the question itself is useful signal.