Security & Compliance
TellWang is built for businesses that need to verify their security posture, not just assert it. Every guarantee on this page maps to a control you can audit against the live system.
Isolation (shipped)
Every Wok is private — its own Postgres container, its own services, on its own private network. Cross-tenant traffic is impossible at the network layer. At the API layer, every request that touches a Wok is authorized server-side against the owning team and returns a 404 — not a 403 — on cross-team access, so a foreign Wok's existence is never revealed. We re-verify this isolation automatically on every release: two Woks try to reach each other's realtime channels, and any cross-talk blocks the release. See Isolation tiers for the dedicated-host and confidential tiers on the roadmap.
Region
Today every Wok runs on a single region (ca-central-1, OVH Beauharnois). Multi-region failover and "pick the region your data lives in" are on the roadmap. If your compliance posture requires a specific region today, talk to the founders before provisioning.
Disaster recovery (shipped)
Backups are written daily to separate storage from your live data (MinIO bucket, off the Wok host). RPO is up to 24 hours today; continuous-WAL PITR is on the roadmap. The restore is verified, not just claimed — an ops-agent scheduled check recreates a random tenant on a scratch host every day and asserts data integrity. Failures land in the operator's incident journal before they can affect a customer restore.
Yours to audit & to take
- Tamper-evident audit log — every state-changing cp call writes a row to a hash-chained log; each row's hash includes the previous. A leaked Bearer can write entries but can't silently rewrite history. Customers query their own org's chain via
GET /v1/audit-log; the operator runsGET /v1/audit-log/verifyagainst the same chain to detect any break. - Open source — the code that runs your Wok is open to read. "Trust us" plus "here's the source."
- Portable — export your whole Wok as Terraform HCL in one call and redeploy it on another cloud, your own account, or self-hosted. No lock-in.
Encryption & access (shipped)
- In transit — every public endpoint serves HTTPS (TLS 1.2+); HTTP redirects to HTTPS. Custom domains use Let's Encrypt with on-demand provisioning.
- At rest (cp) — per-Wok secrets (env vars, JWT secrets, OAuth client secrets, BYOK LLM API keys) are encrypted under the cp's AES-256-GCM envelope using a single root KEK. The
GET /envendpoint deliberately returns names only, never values — a leaked Bearer can't bulk-exfiltrate every configured secret in one call. - At rest (wok) — disk-level encryption via the underlying host. Per-Wok envelope encryption of customer data is on the roadmap (Phase-7).
- Access — checked on every request (no client-side authz). Wang is authorized exactly like any other caller — it can never reach another team's Wok, even if someone tries to trick it into doing so.
Compliance
GDPR / CCPA data export and deletion of your live data are supported today; backup copies age out on their retention schedule afterward. SOC 2 is on the roadmap.
Roadmap
- Multi-region — Phase-7. Today: ca-central-1 only.
- Continuous-WAL PITR — Phase-7. Today: daily logical backups (RPO ≤ 24h).
- SOC 2 Type II — Phase-7.
- Encryption at rest — disk-level today via the underlying host; per-Wok envelope-encrypted at rest is on the roadmap.