Security & Compliance
A pragmatic snapshot of how Warpweb handles your data — and your customers’ data — at the platform level. If your procurement review needs something not covered here, email security@warpweb.ai.
Data residency
All Warpweb customer data and generated site content is hosted in the United States. Edge cache for deployed sites runs on a global CDN — visitors get the nearest edge, the origin of record stays US.
Encryption
- In transit — TLS 1.2+ on every endpoint (api.warpweb.ai, generated *.warpweb.app sites, custom-domain sites). HTTP requests are redirected to HTTPS.
- At rest — managed-disk encryption on every database, object store, and backup. API keys and webhook signing secrets are stored as ciphertext keyed off platform-managed encryption keys.
API key hygiene
- Keys are shown in plaintext once at creation and never retrievable again. We store a hash; we cannot recover a lost key.
- Revoke or rotate any time from the dashboard. Revoked keys 401 within seconds.
- Keys never leave your account scope — they authorize only the endpoints for the account that created them.
- Rate limits + per-key audit logs are in place to detect anomalous use.
If you suspect a key has leaked, rotate immediately from the dashboard and contact support — we’ll review request logs for that key.
Webhook signing
Every outbound webhook is HMAC-SHA256-signed over ${timestamp}.${raw_body} with a per-account (lifecycle) or per-site (form) secret. See Verifying Signatures for the verification protocol and reference implementations.
Receivers should:
- Verify the signature against the raw body bytes (never re-serialized JSON).
- Reject any request whose X-Warpweb-Timestamp is more than 300 seconds from local wall clock.
- Use a constant-time comparison.
The replay window is 300 seconds. The signing-secret format and verification semantics are documented; rotating the secret takes seconds via the API.
Form-submission PII
Form submissions on deployed sites are stored for 90 days by default — long enough for dead-letter recovery, short enough that we’re not a long-term data lake for visitor PII. Configure a webhook receiver and you own the long-term store. Submissions are TLS-protected end-to-end and never logged in cleartext to internal systems.
Subprocessors
Warpweb relies on the following processors for parts of the platform. Procurement-grade list, current as of the most recent docs update:
| Processor | Purpose | Data |
|---|---|---|
| Edge CDN provider | Hosts deployed sites and routes inbound traffic. | Visitor IPs, request metadata for deployed sites. |
| Registrar partner | Domain registration and DNS for sites bought via POST /v1/domains/register. | Domain name, registrant contact info (your account email by default). |
| Stripe | Credit-pack purchases and per-site monthly subscriptions. | Account email, billing details, payment card tokens (PCI scope held by Stripe). |
| Google Places | Business research (one read at site creation; cached 24h). | Business name + location you submit. No PII beyond what’s in the public Places listing. |
| AI model provider(s) | The generation engine for site content and revisions. | The business research + your prompts. Inputs are not used to train external models. |
A current canonical list is available on request — email security@warpweb.ai or attach a DPA request. We notify customers at least 30 days before any material subprocessor change.
Data deletion
- From the dashboard — Deactivate a site to take it offline immediately. Site data is preserved for 90 days for dead-letter recovery, then archived.
- Full account deletion — Email support@warpweb.ai. We action requests within 30 days of receipt. Backups roll off on a 90-day cycle.
- GDPR / CCPA — Honored. Send requests from the account email on file (or with proof of agency) to support@warpweb.ai.
DPA & contracts
A Data Processing Agreement (DPA) and Standard Contractual Clauses (SCCs) are available on request — email security@warpweb.ai. We countersign within a few business days for accounts on paid plans.
SOC 2 / ISO
Warpweb is not SOC 2 or ISO 27001 certified today. Certification is on the roadmap. If your procurement requires audited attestation, contact us and we’ll share the security questionnaire we maintain in lieu of a formal audit.
Reporting a vulnerability
Email security@warpweb.ai. We respond within one business day for any security report. Coordinated disclosure: we ask 90 days for a fix before public disclosure but won’t take legal action against good-faith research.
Logs we keep
- API requests — 30 days, surfaced in the dashboard usage view.
- Webhook deliveries — 30 days (status code, response body for 4xx/5xx, retry history; dead-letter contents). Useful for “why didn’t my receiver get this?” debugging.
- Build / revision artifacts — kept as long as the site is active; 90 days post-deactivation, then archived.
- Authentication events — 90 days (key created / rotated / revoked, login events).
What’s not covered here
If your specific compliance question isn’t in this page — HIPAA, PCI scope on customer storefronts, FedRAMP, sector-specific data-residency requirements — email security@warpweb.ai. The honest default answer for industry-specific regimes that we haven’t been audited against is “not today,” but the question itself is useful signal.