WISERREVIEW — Enterprise Security & Compliance Pack
Comprehensive security, compliance, and legal documentation for enterprise evaluation.
Version 1.0 | March 2026
1. Executive Summary
Security at a Glance
| Security Domain | What We Do |
|---|---|
| Encryption in Transit | TLS 1.2+ on all endpoints: API, dashboard, widget delivery |
| Encryption at Rest | AES-256 encryption on all databases (MongoDB Atlas) and file storage (Azure Blob, AWS S3) |
| Authentication | JWT token-based API auth, OAuth 2.0 for platform integrations, bcrypt password hashing |
| Access Control | Role-Based Access Control (RBAC) with Admin, Editor, and Viewer roles per workspace |
| DDoS & WAF Protection | Cloudflare Web Application Firewall with DDoS mitigation across all services |
| Infrastructure | Microsoft Azure App Services with auto-scaling, Docker container isolation |
| CDN & Performance | Cloudflare CDN with 300+ global edge locations for widget delivery |
| Payment Security | No credit card data touches our servers. Billing is handled by Chargebee (PCI DSS Level 1) |
| Email Security | AWS SES with DKIM/SPF domain verification for authenticated email delivery |
| Monitoring | Real-time error tracking (Sentry), Slack alerts, health-check endpoints |
| Data Isolation | Multi-tenant architecture with workspace-level logical data separation |
| CI/CD | GitHub Actions with encrypted secrets vault. No plaintext credentials in pipelines |
Infrastructure Provider Certifications
| Provider | Role | Certifications |
|---|---|---|
| Microsoft Azure | Hosting, compute, storage, message queuing | SOC 1/2/3, ISO 27001, ISO 27018, GDPR, HIPAA, PCI DSS |
| MongoDB Atlas | Primary database | SOC 2, ISO 27001, HIPAA, PCI DSS, GDPR |
| Cloudflare | CDN, WAF, DDoS protection | SOC 2, ISO 27001, PCI DSS, GDPR |
| AWS (SES/S3) | Email delivery, file storage | SOC 1/2/3, ISO 27001, PCI DSS, GDPR, HIPAA |
| Chargebee | Billing & subscriptions | PCI DSS Level 1, SOC 2, GDPR |
Compliance Roadmap
SOC 2 Type II
Status: On Roadmap. Our controls map to SOC 2 Trust Service Criteria today. Formal certification is planned and we share our control mapping on request.
ISO 27001
Status: On Roadmap. We follow security management practices aligned with ISO 27001 Annex A. Certification is on our roadmap.
Penetration Testing
Status: Planning. We are planning to bring in a third-party security firm for a formal penetration test. Results will be shared with enterprise customers on request.
Security Governance
Security responsibilities are embedded into engineering roles at WiserReview, not siloed into a separate department. The Security Officer owns the overall security program, with direct accountability across a small team structure that enables fast decision-making.
2. Platform Architecture
System Architecture
Complete view of the WiserReview platform showing all services across four security zones: the Edge Zone (Cloudflare), the Application Zone (Azure App Services), the Data Zone (MongoDB Atlas, Redis, Azure Service Bus), and External Services (AWS SES, Chargebee, Sentry). All external traffic is filtered through Cloudflare before reaching Azure-hosted application services.
All traffic enters through Cloudflare before reaching Azure-hosted services. The data zone has no public endpoints and is accessible only via IP whitelist.
Data Ingestion & Review Display
Reviews, orders, and product data enter WiserReview through four distinct ingestion paths: e-commerce platform webhooks, manual CSV imports, the review submission form, and platform API syncs. Every path is authenticated and encrypted.
All data enters through authenticated, encrypted channels. All stored data is AES-256 encrypted at rest and workspace-scoped.
Multi-Tenant Data Isolation
Every request carries a JWT token with a unique workspace identifier. All database queries, cache keys, and API responses are scoped to that workspace. No merchant can access another merchant's data.
Every request (merchant app or storefront widget) is scoped to a single tenant. Reviews, cached data, and media files are all isolated per merchant.
Widget Delivery & Storefront Safety
The WiserReview widget loads asynchronously from the CDN, executes after the merchant's page has rendered, and never sends the merchant site's cookies or credentials to WiserReview servers. Zero impact on storefront performance and security.
The WiserReview widget loads asynchronously after your page has fully rendered. It never blocks your storefront's content or performance.
Auto-Scaling & High Availability
Every layer of the platform scales independently. During traffic spikes the system automatically provisions additional capacity without manual intervention. Merchant storefronts are never affected by WiserReview scaling events.
Each layer scales independently. CDN absorbs widget traffic, compute scales horizontally, and database distributes reads across replicas.
3. Infrastructure Security
Core Services
| Service | Purpose | Hosting |
|---|---|---|
| Backend API | Business logic, authentication, integrations | Azure App Services |
| Dashboard | Merchant-facing web application (React SPA) | Azure App Services |
| Review Display & Notification Service | Review rendering, display logic, async job processing, event tracking | Azure App Services |
| Widget Service (Pixel JS) | Review widget rendering on merchant storefronts | Cloudflare CDN |
| Image Processing | Media optimization, resizing, cloud storage | Azure App Services |
Network Security
All traffic passes through Cloudflare before reaching Azure-hosted services. The data zone has no public endpoints.
Rate Limiting
| Endpoint Category | Limit | Window |
|---|---|---|
| AI text generation endpoints | 20 requests | 10 minutes |
| Review submission | Rate limited | Per IP |
| General API | Standard limits | Per IP |
Encryption in Transit
| Connection | Protocol |
|---|---|
| Browser ↔ Cloudflare | TLS 1.2+ (HTTPS enforced) |
| Cloudflare ↔ Azure App Services | TLS 1.2+ |
| App Services ↔ MongoDB Atlas | TLS encrypted connections |
| App Services ↔ Redis | Encrypted connections with password auth |
| App Services ↔ Azure Service Bus | TLS encrypted |
| Email delivery (AWS SES) | TLS encrypted |
Encryption at Rest
| Storage | Encryption Method |
|---|---|
| MongoDB Atlas | AES-256 |
| Azure Blob Storage | Server-side encryption (AES-256) |
| AWS S3 | Server-side encryption (AES-256) |
| Sensitive database fields | Application-level AES encryption before storage |
CI/CD Pipeline Security
All deployments go through GitHub Actions. Credentials are stored in encrypted secrets and never appear in source code.
Monitoring & Observability
| Capability | Implementation |
|---|---|
| Error Tracking | Real-time error monitoring and alerting via Sentry |
| Application Logging | All API requests logged with response time monitoring; abnormal latency (>5s) triggers alerts |
| Error Audit Trail | All errors captured with timestamps, context, and stack traces in dedicated log collections |
| Real-Time Alerts | Critical production errors trigger immediate Slack notifications |
| Health Checks | Dedicated health-check endpoints monitor database and cache connectivity |
| Event Tracking | 16+ event types tracked for usage analytics and anomaly detection |
Availability & Disaster Recovery
| Aspect | Details |
|---|---|
| Hosting SLA | Azure App Services: 99.95% uptime SLA |
| Auto-Scaling | Automatic horizontal scaling under high load |
| Database HA | MongoDB Atlas replica sets with automatic failover |
| Global CDN | Cloudflare CDN with 300+ edge locations |
| Queue Resilience | Azure Service Bus with automatic retry and dead-letter handling |
| Disaster Recovery | Automated database backups with point-in-time recovery |
4. Data Privacy & Protection
Data from End Consumers (Reviewers)
| Data Type | Source | Purpose |
|---|---|---|
| Name | Submitted with review or from platform order data | Display on review widget |
| Email address | Submitted with review or from platform order data | Review request emails, verification |
| Review content (text) | Submitted by customer | Display on merchant storefront |
| Star rating | Submitted by customer | Display on merchant storefront |
| Photos/videos | Optionally uploaded by customer | Display as user-generated content |
| IP address | Captured at submission | Fraud prevention, rate limiting |
| Order information | From connected e-commerce platform | Verified buyer badge, review request timing |
Data from Merchants
| Data Type | Source | Purpose |
|---|---|---|
| Store name & domain | Platform OAuth flow | Account setup, widget configuration |
| Email address | Registration | Account access, notifications |
| Password | Registration | Authentication (stored as bcrypt hash, never plaintext) |
| Product catalog | Platform API sync | Match reviews to products |
| Order data | Platform webhooks | Trigger review request emails |
| Billing information | Managed by Chargebee | Subscription management |
Data We Do NOT Collect
- Credit card and payment card data. All billing is handled by Chargebee (PCI DSS Level 1). No card data ever reaches WiserReview servers.
- Social Security Numbers or government IDs
- Health or medical information
- Biometric data
Data Lifecycle
Data is encrypted from the point of processing. Deletion is permanent. Backups follow the MongoDB Atlas point-in-time recovery window.
GDPR Alignment
WiserReview acts as Data Processor on behalf of merchants (Controllers). The formal agreement governing this relationship is our Data Processing Agreement (DPA).
Legitimate Interest
Merchants have a legitimate interest in collecting and displaying customer reviews to build trust.
Consent
End consumers voluntarily submit reviews.
Contractual Necessity
Processing required to deliver the service to merchants.
Data Subject Rights
| Right | How We Support It |
|---|---|
| Right to Access | Merchants can export all review data from the dashboard. End consumers can request their data via the merchant or by contacting us directly. |
| Right to Rectification | Review content can be edited by the merchant or upon request from the consumer. |
| Right to Deletion | Merchants can delete individual reviews. Full account deletion removes all associated data. |
| Right to Data Portability | Review data can be exported in CSV format from the dashboard. |
| Right to Object | Customers can unsubscribe from review request emails at any time. |
Automated Data Deletion
WiserReview implements automated data deletion events through platform integrations. For example, Shopify's mandatory GDPR webhooks (CUSTOMERS_DATA_REQUEST, CUSTOMERS_REDACT, SHOP_REDACT) are fully supported for automated compliance.
Data Retention & Deletion
| Data Type | Retention Period | Deletion Trigger |
|---|---|---|
| Reviews | Retained while merchant account is active | Merchant deletes review, or account closure |
| Customer email/name | Retained while merchant account is active | GDPR deletion request, or account closure |
| Order references | Retained while merchant account is active | Account closure |
| Account data | Retained while account is active | Merchant requests account deletion |
| Error logs | 90 days | Automatic rotation |
| Cache data | Transient (hours) | Automatic expiration |
Breach Notification
In the event of a confirmed personal data breach, affected merchants will be notified within 72 hours of discovery, in compliance with GDPR Article 33. A root cause analysis will be conducted and remediation steps implemented. The relevant supervisory authority will be notified where required.
CCPA (California Residents)
WiserReview does not sell personal information. California residents may exercise their Right to Know, Right to Delete, and Right to Non-Discrimination by contacting [email protected]. We will respond within 45 days.
5. Compliance & Certifications
Current Compliance Status
| Certification | WiserReview Status | Infrastructure Provider Status |
|---|---|---|
| SOC 2 Type II | On our roadmap | Azure (SOC 2), MongoDB Atlas (SOC 2), AWS (SOC 2), Cloudflare (SOC 2) |
| ISO 27001 | On our roadmap | Azure (ISO 27001), MongoDB Atlas (ISO 27001), Cloudflare (ISO 27001), AWS (ISO 27001) |
| Penetration Testing | Third-party engagement planned | Cloudflare WAF provides continuous security monitoring |
| PCI DSS | Not in scope (no card data) | Chargebee (PCI DSS Level 1) handles all billing |
| GDPR | Aligned: automated data deletion, data subject rights supported | All providers GDPR compliant |
SOC 2 Trust Service Criteria: Control Mapping
We don't hold a SOC 2 Type II report yet. The table below maps our existing controls to the Security Common Criteria:
| SOC 2 Criteria | WiserReview Control |
|---|---|
| CC6.1 — Logical access controls | JWT token-based authentication; RBAC with Admin/Editor/Viewer roles |
| CC6.2 — System access authentication | Industry-standard one-way password hashing; OAuth 2.0; Cloudflare Turnstile CAPTCHA |
| CC6.3 — Access authorization | Role-based permissions per workspace; least-privilege OAuth scopes |
| CC6.6 — Boundary protection | Cloudflare WAF + DDoS; MongoDB Atlas IP whitelisting; Docker isolation |
| CC6.7 — Data transmission security | TLS 1.2+ enforced on all endpoints |
| CC7.2 — Anomaly monitoring | Sentry error tracking; Slack real-time alerts; health-check endpoints |
| CC7.3 — Security incident response | Documented incident response; 72-hour breach notification commitment |
| CC8.1 — Change management | GitHub Actions CI/CD; code review process; Docker multi-stage builds |
ISO 27001 Annex A: Control Mapping
How our practices map to ISO 27001 Annex A:
| Annex A Control | WiserReview Implementation |
|---|---|
| A.5 — Information security policies | Security practices documented in this document set |
| A.9 — Access control | JWT auth; RBAC; industry-standard password hashing; OAuth 2.0 with least privilege |
| A.10 — Cryptography | AES-256 at rest; TLS 1.2+ in transit; one-way password hashing; AES for sensitive fields |
| A.12 — Operations security | Sentry monitoring; automated health checks; CI/CD deployments |
| A.13 — Communications security | TLS 1.2+ on all endpoints; Cloudflare WAF; network isolation |
| A.14 — System development | GitHub Actions CI/CD; Docker multi-stage builds; encrypted secrets |
| A.16 — Incident management | Real-time alerts; documented incident response process |
| A.17 — Business continuity | Azure 99.95% SLA; MongoDB replica sets; auto-scaling |
| A.18 — Compliance | GDPR-aligned processing; automated data deletion; sub-processor transparency |
6. Access Control
Merchant Workspace Roles
Each merchant workspace supports three roles. Role assignments are stored in the user's JWT token context and enforced server-side on every API request. Authorization is independently enforced in the backend regardless of UI state.
| Role | Permissions |
|---|---|
| Admin | Full access to the workspace: review management, widget configuration, email sequences, branding, integrations, billing, team member invitations, account deletion |
| Editor | Review management, widget configuration, email sequences, branding. Cannot access billing, integrations, or invite/remove team members |
| Viewer | Read-only access to reviews and analytics. Cannot modify any settings or data |
Authentication Mechanisms
- JWT Token Authentication: Signed with a server-side secret; required on every API request; tokens carry user identity and workspace context
- OAuth 2.0: Authorization code flow for all platform integrations; least-privilege scopes; HMAC validation on incoming webhooks
- bcrypt Password Hashing: One-way hashing; passwords never stored in plaintext or any reversible format
- Cloudflare Turnstile CAPTCHA: Protects registration and public forms from bot abuse and credential stuffing
Production Access Controls
- No SSH access to containers: Azure App Services is a managed platform with no direct SSH access to production containers
- No direct production database access for developers: MongoDB Atlas access restricted to Engineering Lead and Security Officer only
- Deployments via CI/CD only: All production changes go through GitHub Actions: no manual file uploads or hotfixes applied directly
- MongoDB Atlas IP whitelisting: Database clusters accept connections only from authorized Azure App Service IP ranges
- GitHub encrypted secrets vault: All production credentials stored as encrypted secrets, injected at runtime only
7. Incident Response
Response Process Overview
Data breaches are reported within 72 hours per GDPR Article 33. All incidents undergo post-mortem review.
Incident Classification
| Severity | Name | Definition | Response Time |
|---|---|---|---|
| P1 | Critical | Complete service outage, confirmed data breach, or unauthorized access to customer data | Within 15 minutes |
| P2 | High | Partial service degradation affecting multiple customers, security control failure | Within 30 minutes |
| P3 | Medium | Isolated issue affecting single customer, non-critical security finding | Within 4 hours |
| P4 | Low | Cosmetic issue, minor bug with no security or data impact | Next business day |
Communication Plan
- Confirmed personal data breach: affected merchants notified within 72 hours of discovery (GDPR Article 33)
- Extended P1 service outage: customer notification within 4 hours if outage persists beyond 1 hour
- Relevant supervisory authority notified where required by GDPR or applicable law
- Post-incident review conducted within 5 business days for all P1/P2 incidents
8. Backup & Disaster Recovery
Recovery Objectives
| Metric | Target | Basis |
|---|---|---|
| RTO (Recovery Time Objective) | 4 hours | Azure App Services auto-recovery, MongoDB Atlas failover, CI/CD redeployment |
| RPO: Database | 6 hours | MongoDB Atlas Cloud Backup with snapshots every 6 hours, plus replica set replication |
| RPO: Other systems | 1 hour | File storage and queue-based systems; dead-letter queue recovery |
| Widget delivery RTO | Near-zero | Cloudflare CDN continues serving cached widget assets during origin outages |
Backup Strategy
- MongoDB Atlas: Continuous automated backups with point-in-time recovery. Replica sets (minimum 3-node) with automatic failover and zero data loss
- File Storage (Azure Blob / AWS S3): Server-side AES-256 encryption at rest. AWS S3 provides 99.999999999% (11 nines) durability
- Azure Service Bus: Dead-letter queue preserves all unprocessable messages; automatic retry with configurable intervals
- Application Layer: Docker images stored in Azure Container Registry with version history. Prior deployments redeployable at any time
Disaster Recovery Scenarios
| Scenario | Response |
|---|---|
| Azure region outage | Auto-scaling redistributes load; MongoDB Atlas replica sets span availability zones; failover to secondary region if required |
| Cloudflare outage | Widget delivery may be impacted; review data and dashboard remain accessible through direct DNS fallback |
| MongoDB Atlas outage | 99.995% SLA; replica sets provide database-level redundancy |
| Mass data corruption | MongoDB Atlas point-in-time recovery to last known good state |
| Security breach requiring shutdown | Cloudflare enables maintenance mode at the edge; coordinated shutdown and recovery per Incident Response Plan |
9. Sub-Processors
The following third-party sub-processors are engaged in the processing of personal data on behalf of WiserReview:
| Sub-Processor | Purpose | Data Processed | Compliance |
|---|---|---|---|
| Microsoft Azure | Hosting, compute, storage, message queuing | All application data | SOC 2, ISO 27001, GDPR |
| MongoDB Atlas | Primary database | All structured data | SOC 2, ISO 27001, GDPR |
| Cloudflare | CDN, WAF, DDoS protection | Request metadata, cached assets | SOC 2, ISO 27001, GDPR |
| AWS SES | Email delivery | Customer email addresses, email content | SOC 2, ISO 27001, GDPR |
| AWS S3 | File storage | Uploaded media (photos/videos) | SOC 2, ISO 27001, GDPR |
| Chargebee | Billing & subscriptions | Merchant billing info (no card data stored by us) | PCI DSS Level 1, SOC 2, GDPR |
| SendGrid | Transactional email (secondary) | Email addresses, email content | SOC 2, GDPR |
| OpenAI | AI-powered review generation, grammar correction | Review text content (no PII sent) | SOC 2 |
| Sentry | Application error monitoring and diagnostics | Anonymized error context, stack traces, request metadata | SOC 2, GDPR |
10. DPA Summary
WiserReview offers a GDPR Article 28 compliant Data Processing Agreement. Below is a summary of the processing details and security measures outlined in the DPA.
Processing Details
| Aspect | Details |
|---|---|
| Subject Matter | Collection, storage, display, and management of product reviews and customer feedback |
| Nature of Processing | Automated processing: storage, retrieval, display, email delivery, analytics |
| Purpose | To provide the WiserReview review management service to the Merchant |
| Categories of Data Subjects | Merchant’s customers (end consumers who submit reviews or receive review requests) |
| Types of Personal Data | Name, email, review content, star rating, photos/videos, IP address, order reference |
| Duration | For the duration of the Merchant’s subscription, plus any retention period required by law |
Technical & Organisational Security Measures
| Measure | Detail |
|---|---|
| Encryption in Transit | TLS 1.2+ on all endpoints |
| Encryption at Rest | AES-256 on databases and file storage |
| Access Control | RBAC with Admin/Editor/Viewer roles; JWT authentication |
| Data Isolation | Workspace-level logical separation; scoped database queries |
| Network Security | Cloudflare WAF, DDoS protection, IP whitelisting for databases |
| Backup & Recovery | Continuous automated backups; point-in-time recovery |
| Monitoring | Real-time error tracking (Sentry); Slack alerts; health checks |
| Incident Response | Documented plan; 72-hour breach notification commitment |
| Secure Development | GitHub Actions CI/CD; no SSH access to production; encrypted secrets |
| Vendor Management | All sub-processors maintain SOC 2 and/or ISO 27001 certifications |
The full Data Processing Agreement is available at /dpa and can be countersigned upon request.
11. Privacy Policy Summary
Data Collected
WiserReview collects two categories of personal data: consumer data (submitted with reviews or received from e-commerce platform order data) and merchant data (provided during registration and platform integration). The detailed breakdown is covered in Section 4 above.
Data Retention
| Data Type | Retention Period | Deletion Trigger |
|---|---|---|
| Reviews | Retained while merchant account is active | Merchant deletes review, or account closure |
| Customer email/name | Retained while merchant account is active | GDPR deletion request, or account closure |
| Order references | Retained while merchant account is active | Account closure |
| Account data | Retained while account is active | Merchant requests account deletion |
| Error logs | 90 days | Automatic rotation |
| Cache data | Transient (hours) | Automatic expiration |
GDPR Rights
- Right to Access: merchants can export all data; consumers can request via merchant or directly
- Right to Rectification: review content editable by merchant or upon consumer request
- Right to Deletion: individual reviews deletable; full account deletion removes all data
- Right to Data Portability: CSV export from dashboard
- Right to Object: email unsubscribe available at any time
The full Privacy Policy is available at /privacypolicy.
12. Change Management
CI/CD Pipeline
All production deployments go through the GitHub Actions CI/CD pipeline. No changes are applied to production servers directly. The pipeline includes: code push, Docker multi-stage build, push to Azure Container Registry, staging verification, and production promotion. All credentials are stored in GitHub's encrypted secrets vault and never appear in source code or build logs.
Environment Separation
| Environment | Purpose | Access |
|---|---|---|
| Development | Local developer machines; feature development | Individual developer only |
| Staging | Integration testing; pre-production verification | Engineering team |
| Production | Live customer-facing services | CI/CD pipeline only; no direct human access to containers |
Rollback Procedures
| Method | When to Use | Time |
|---|---|---|
| Azure deployment slot swap | Instant rollback to previous version | ~5 minutes |
| Redeploy previous Docker image | Rollback from Azure Container Registry | ~15-20 minutes |
| Full rebuild from git tag | Rollback requiring source code changes | ~20-30 minutes |
13. Contact & Next Steps
Ready to proceed?
If your enterprise evaluation requires a countersigned Data Processing Agreement or additional security documentation, please reach out to our team.