Security & Compliance
Whera is built privacy-first from the ground up — not as a feature layer on top of a standard app, but as a foundational design constraint. The same is true of security and compliance: our infrastructure is designed to meet rigorous standards from day one, not retrofitted to pass a checklist.
Most of the frameworks below are ones we are not legally required to follow. We chose to build against them anyway — because they represent the best thinking in the industry on how to protect sensitive data, and because location data deserves that level of care. We designed against more than 20 frameworks so that users, enterprise customers, and security reviewers don't have to wonder whether we thought about a given control.
We are transparent about where we are in the compliance journey. We distinguish between frameworks where we are legally compliant, frameworks we have self-assessed against, frameworks our controls are designed to meet, and certifications we are working toward.
Privacy & Data Protection Laws
Laws and regulations Whera complies with as a matter of legal obligation and privacy principle.
GDPR
EU General Data Protection Regulation
Whera processes location data under the lawful basis of contract performance and explicit consent. Our privacy policy satisfies Articles 13–14 disclosure requirements. Data minimization, purpose limitation, and storage limitation are architectural constraints, not policies. Data subject rights (access, export, deletion) are implemented at the infrastructure layer and exposed to users through the app.
CCPA / CPRA
California Consumer Privacy Act / California Privacy Rights Act
Whera does not sell or share personal data with third parties for advertising or commercial purposes — ever. California residents have the right to know, delete, correct, and opt out. Our privacy policy satisfies CCPA/CPRA disclosure requirements.
WA My Health My Data Act
Washington My Health My Data Act (SB 5536)
Washington state's My Health My Data Act provides enhanced protections for consumer health data — including location data that can reveal health conditions through patterns of visits to medical facilities. Whera operates from Washington state and processes location data that falls within the Act's scope. Our architecture implements the Act's requirements: no selling of health data, user-controlled data collection and deletion, strict purpose limitation, and consent-based sharing.
EU ePrivacy Directive
EU ePrivacy Directive (2002/58/EC, as amended)
The EU ePrivacy Directive governs cookies, electronic communications, and tracking technologies. Whera's web properties set no tracking cookies, run no analytics scripts, use no advertising networks, and self-host all fonts and assets — no requests leave the user's browser to third-party servers. The share link viewer at whra.to is built to the same standard. This is an architectural choice, not a cookie banner.
Security Frameworks — Self-Assessed
Frameworks with published self-assessment mechanisms that we formally score ourselves against on an annual basis.
CIS AWS Foundations Benchmark
CIS Amazon Web Services Foundations Benchmark v3
The CIS AWS Foundations Benchmark defines security best practices for AWS account configuration. Whera runs AWS Security Hub with the CIS AWS Foundations Benchmark enabled across all accounts — compliance is evaluated automatically and continuously, not just at assessment time. The benchmark covers IAM, logging, monitoring, networking, and storage configuration.
AWS Well-Architected
AWS Well-Architected Framework — Security Pillar
The AWS Well-Architected Framework Security Pillar defines best practices across six focus areas: security foundations, identity and access management, detection, infrastructure protection, data protection, and incident response. Whera's infrastructure was designed against all 59 best practices across the Security Pillar's ten questions. The identity and permissions areas are fully implemented — no long-lived access keys exist anywhere, all CI/CD access uses OIDC role assumption, and SCPs enforce permission guardrails across the entire AWS organization. The data protection areas are fully implemented — Enhanced Privacy mode goes beyond encryption at rest and in transit by making location data cryptographically unreadable to the server even under direct database access. The founder holds the AWS Well-Architected Proficient badge.
SLSA
SLSA (Supply-chain Levels for Software Artifacts)
SLSA defines levels of supply chain security for how software is built and verified. Source Level 1 and Build Level 2 are met across all primary repositories. All code is version-controlled with authenticated changes and protected history. Builds run on ephemeral GitHub-hosted Actions runners; every release artifact gets a cryptographically signed provenance attestation and an SBOM, and artifact integrity is enforced through ECR image digest tagging.
WCAG 2.1 AA
Web Content Accessibility Guidelines 2.1 Level AA
Whera is committed to WCAG 2.1 Level AA conformance for its web properties. Our self-assessment found no failures across all four principles — Perceivable, Operable, Understandable, and Robust. The website uses semantic HTML with proper heading hierarchy, ARIA labels on interactive elements, responsive layout down to 320px, color contrast above the 4.5:1 minimum, and 31 locale-aware language attributes.
ISO 29147 / 30111
ISO/IEC 29147 (Vulnerability Disclosure) and ISO/IEC 30111 (Vulnerability Handling)
ISO 29147 defines how an organization receives and publishes vulnerability reports from external researchers. ISO 30111 defines the internal processes for investigating and remediating them. Whera implements both: a published security.txt (RFC 9116), dedicated security contact, GitHub private security advisories on all repositories, defined response timelines (14-day acknowledgement, 60-day fix target), CVSS v3.1 severity classification, automated vulnerability discovery via multiple scanning tools, a structured finding lifecycle, root cause analysis methodology, and coordinated disclosure via GitHub Security Advisories with CVE assignment capability.
OpenSSF Best Practices
OpenSSF Best Practices Badge — mls-uniffi
The OpenSSF Best Practices Badge certifies that an open-source project follows security best practices across build, test, vulnerability reporting, cryptography, and static analysis. mls-uniffi — the open-source Rust library underlying Whera's end-to-end encryption — is being registered for the Passing badge. All blocking criteria are met: OSI-approved dual license, automated CI with tests and warnings-as-errors, cargo-audit for vulnerability scanning, cargo-deny for license enforcement, a published security vulnerability disclosure policy, contribution guidelines, and a changelog.
OpenSSF Scorecard
OpenSSF Scorecard — Supply Chain Security
OpenSSF Scorecard automatically evaluates GitHub repositories against supply chain security best practices. All six Whera repositories were assessed covering binary artifact hygiene, branch protection, CI test coverage, dependency update tooling, dangerous workflow patterns, security policies, and vulnerability scanning. The assessment produced a prioritized set of supply chain improvements that we are actively working through.
NIST SP 800-63B
NIST SP 800-63B — Digital Identity Guidelines: Authentication
NIST 800-63B defines Authenticator Assurance Levels (AAL1–3) for digital identity. Whera's authentication stack conforms to AAL2 — the level requiring multi-factor authentication with high confidence. This is met via hardware-backed DPoP device keys (iOS Secure Enclave / Android StrongBox), TOTP MFA, Argon2id password hashing with HaveIBeenPwned breach checking, zxcvbn strength metering, and device attestation. Passwords meet all NIST memorized secret requirements including no composition rules, no forced rotation, and no knowledge-based recovery questions.
Privacy by Design
Privacy by Design — Ann Cavoukian's 7 Foundational Principles
Privacy by Design holds that privacy must be embedded proactively into systems before data is collected — not retrofitted after the fact. Whera's architecture was built with all seven principles as explicit design inputs: privacy-protective defaults, data minimization enforced at the code level, opt-in consent for every sharing context, end-to-end encryption as a first-class feature, full user control over data access and deletion, transparent disclosures that accurately reflect the actual implementation, and a subscription revenue model that is structurally aligned with strong privacy rather than in tension with it.
NIST Privacy Framework
NIST Privacy Framework v1.0
The NIST Privacy Framework structures privacy risk management across five functions: Identify, Govern, Control, Communicate, and Protect. Whera's assessment covers all 70 subcategories. Every applicable subcategory is implemented — the privacy-first architecture means most controls are built into the system rather than bolted on as policy. Key implementations include data minimization by design, purpose limitation enforced at the infrastructure layer, self-service deletion and data export, transparency pages, opt-in E2EE, pause/resume sharing, and privacy zones.
NIST CSF 2.0
NIST Cybersecurity Framework 2.0
Whera conducts an annual self-assessment against all six NIST CSF 2.0 functions: Govern, Identify, Protect, Detect, Respond, and Recover. Controls are mapped across infrastructure, backend, and application layers with documented evidence for every subcategory. NIST CSF is a voluntary framework where self-assessment is the official intended mechanism for most organizations.
OWASP SAMM
OWASP Software Assurance Maturity Model v2.0
SAMM assesses software development process maturity across five business functions: Governance, Design, Implementation, Verification, and Operations. Our strongest areas are Implementation and Operations — CI/CD pipeline security, secret management, incident response, and environment management all score at the highest maturity level. A formal external penetration test is scheduled for Year 1 post-launch as part of our ongoing security program.
OWASP MASVS
OWASP Mobile Application Security Verification Standard v2 — Level 1 and Level 2
Whera's iOS and Android apps were assessed against MASVS requirements at both standard (L1) and high security (L2) levels. All L1 requirements pass across all seven categories: secure data storage, cryptography, authentication, network communication, platform interaction, code quality, and privacy. L2 requirements are met via hardware-backed non-exportable encryption keys (iOS Secure Enclave / Android StrongBox), SPKI certificate pinning, DPoP hardware-bound tokens, MLS end-to-end encryption, biometric step-up authentication for destructive actions, debugger detection with degraded-mode enforcement, explicit memory zeroing of key material after use, and R8/ProGuard full identifier obfuscation on Android release builds.
OWASP API Security Top 10
OWASP API Security Top 10 2023
Whera's API (69 endpoints) was assessed against all ten OWASP API Security risks for 2023. All ten risks are mitigated: broken object authorization is prevented via server-side membership checks and UUID v4 IDs; authentication is hardened with DPoP hardware-bound tokens, Argon2id, HIBP breach checking, and account lockout; resource consumption is controlled with per-user sliding window rate limits; SSRF is prevented by design with no user-controlled URL fetching; and the full API is inventoried in a versioned OpenAPI spec with no undocumented endpoints.
OWASP ASVS
OWASP Application Security Verification Standard v4.0 — Level 1
ASVS Level 1 is the minimum security baseline for any web application. Our self-assessment covered all 14 chapters and 223 requirements — architecture, authentication, session management, access control, input validation, cryptography, error handling, data protection, communication security, malicious code defenses, business logic, file handling, API security, and configuration. The vast majority of requirements pass, with a small set legitimately not applicable to our stack.
HIPAA Security Rule
HIPAA 45 CFR Part 164 — Security Rule Self-Assessment
Whera is not a HIPAA covered entity and location data is not technically Protected Health Information — but we chose to self-assess against the HIPAA Security Rule anyway. Location data can be PHI-adjacent in practice: a pattern of visits to a medical facility, a cancer center, or a mental health clinic can reveal sensitive health information even without a diagnosis attached. We believe that kind of data deserves the same care as PHI, so we opted in. HIPAA has no official certification body — self-assessment using HHS's own published methodology is the standard mechanism. All applicable specifications are implemented.
CIS Controls v8 IG1
CIS Critical Security Controls v8 — Implementation Group 1
Whera self-assesses annually against all 56 safeguards in CIS Controls v8 Implementation Group 1 — the baseline set designed for small organizations covering inventory, data protection, secure configuration, account management, access control, vulnerability management, audit logging, email protections, malware defenses, data recovery, network security, security training, service provider management, application security, and incident response.
SOC 2 — Controls Implemented, Audit Planned
SOC 2 Type II certification requires a 6–12 month observation period followed by an independent audit by a licensed CPA firm. We have implemented the Trust Services Criteria controls and are accumulating evidence. Formal audit is planned as the business scales.
SOC 2 Type II
SOC 2 Type II — Security, Availability, Confidentiality, Privacy
Whera's technical and organizational controls are designed against the AICPA Trust Services Criteria. Security controls include DPoP token binding, automated vulnerability scanning, GuardDuty threat detection, and immutable audit logs with S3 Object Lock. Availability controls include multi-AZ infrastructure and automated failover. Confidentiality controls include E2EE via MLS in Enhanced Privacy mode and encryption at rest for all stored data. Privacy controls align with our GDPR and CCPA compliance posture. A formal Type II report requires third-party audit engagement, which we are working toward as the business scales.
Standards — Controls Implemented, Certification Planned
Frameworks where we have voluntarily implemented the technical and organizational controls to meet the standard's requirements. None of these are legally required for Whera's current business — we built against them because they represent industry best practices for protecting sensitive data. Formal certification for standards that require it is planned as the business scales.
ISO 27001 / 27002
ISO/IEC 27001:2022 Information Security Management
Whera's security program is designed against ISO 27001:2022 Annex A controls and ISO 27002 implementation guidance. Controls are mapped across all 93 Annex A domains. Formal ISO 27001 certification requires an accredited certification body audit, which is planned as the business scales.
ISO 27701
ISO/IEC 27701 Privacy Information Management
As an extension to ISO 27001, ISO 27701 covers privacy information management. Whera's privacy controls — consent management, data subject rights, purpose limitation, data minimization — are aligned to the 27701 requirements. This standard directly underpins our GDPR compliance posture.
ISO 27018
ISO/IEC 27018 — PII in Public Clouds
Whera's handling of personally identifiable information in AWS cloud services is aligned to ISO 27018 controls: no PII in logs, no data used for advertising, data deletion on account closure, transparency about sub-processors, and breach notification obligations.
FIPS 140-3
FIPS 140-3 — Cryptographic Module Standards
Whera's cryptographic implementation is designed to meet FIPS 140-3 standards throughout. Our API infrastructure uses a FIPS-validated TLS 1.3 policy with post-quantum key exchange. All AWS SDK clients use FIPS endpoints. KMS key material is protected by FIPS 140-2 Level 3 HSMs. The Go enterprise server builds with BoringCrypto to use FIPS-validated primitives. For the E2EE layer, XChaCha20-Poly1305 is used in place of AES-GCM because its 192-bit nonces provide stronger safety properties for mobile-generated keys — this is a deliberate, documented cryptographic design choice. Formal FIPS certification requires CMVP laboratory testing and cannot be self-claimed.
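The nonce-size rationale above can be made concrete with the birthday bound. The following is an added illustration, not code from Whera or mls-uniffi: it assumes nonces are drawn uniformly at random per message under a single key and compares AES-GCM's 96-bit nonce with XChaCha20-Poly1305's 192-bit nonce.

```python
import math


def nonce_collision_probability(messages: int, nonce_bits: int) -> float:
    """Birthday bound: probability that at least two of `messages` uniformly
    random `nonce_bits`-bit nonces coincide, i.e. 1 - exp(-n(n-1) / (2N)).
    A repeated nonce under one AEAD key breaks both confidentiality and
    forgery resistance, so this is the number a reviewer wants to see."""
    if messages < 2:
        return 0.0
    space = 1 << nonce_bits
    # Python int / int is correctly rounded even for 2**193-sized operands.
    exponent = messages * (messages - 1) / (2 * space)
    # expm1 keeps precision when the probability is tiny (e.g. ~1e-39).
    return -math.expm1(-exponent)


def max_messages_for_risk(nonce_bits: int, risk_log2: int) -> int:
    """Largest message count under one key that keeps the collision
    probability at or below 2**-risk_log2, using the small-p approximation
    n ~ sqrt(2 * N * p). risk_log2=32 is the collision-probability target
    behind NIST SP 800-38D's 2**32-invocation limit for random GCM IVs."""
    space = 1 << nonce_bits
    return math.isqrt((2 * space) >> risk_log2)


if __name__ == "__main__":
    budget = 1 << 32  # constructed scenario: one key reused for ~4.3e9 messages
    for name, bits in (("AES-GCM", 96), ("XChaCha20-Poly1305", 192)):
        p = nonce_collision_probability(budget, bits)
        n_max = max_messages_for_risk(bits, 32)
        print(f"{name:20s} {bits:3d}-bit nonce: P(collision at 2^32 msgs) = {p:.3e}; "
              f"messages before 2^-32 risk ~ 2^{math.log2(n_max):.1f}")
```

With random nonces, a 96-bit nonce space is exhausted as a safe budget after about 2^32 messages per key, while a 192-bit space leaves roughly 2^80 messages before the same risk level, which is why random per-message nonces are considered safe for XChaCha20-Poly1305 without a nonce counter.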
PCI-DSS v4.0
PCI-DSS v4.0 — Payment Card Industry Data Security Standard
Whera does not handle cardholder data directly — all payment processing is handled by Stripe (PCI-DSS Level 1) and the app stores — placing Whera outside primary PCI scope. We nonetheless implement PCI-DSS technical controls throughout: network segmentation, encryption at rest and in transit, access control, audit logging, vulnerability management, and secure development practices. These controls are explicitly mapped to PCI-DSS requirements across our security program.
ISO 22301
ISO/IEC 22301:2019 — Business Continuity Management
Whera maintains a Business Continuity Plan, Disaster Recovery Plan, and Business Impact Analysis aligned to ISO 22301. Critical business functions are tiered by maximum tolerable downtime. Recovery objectives (RTO 30–60 min, RPO < 1 min for critical data) are defined and architecture is designed to meet them. Operational continuity procedures cover infrastructure outages, vendor failures, and key-person scenarios.
NIST 800-53
NIST SP 800-53 Rev 5 — Security and Privacy Controls
NIST 800-53 is the control catalog that underpins FedRAMP and federal security requirements. Whera's security controls are mapped to 800-53 control families across access control, audit and accountability, configuration management, identification and authentication, incident response, risk assessment, system and communications protection, and system and information integrity. This positions Whera for future government and federal-adjacent enterprise sales.
DORA
EU Digital Operational Resilience Act (DORA)
DORA establishes ICT risk management requirements for EU financial sector entities and their service providers. Whera's BCP, IRP, third-party vendor risk register, incident classification and reporting procedures, and supply chain security controls are all aligned to DORA's requirements. For EU financial sector customers considering Whera for employee safety or eldercare use cases, DORA alignment is part of their supplier due diligence.
CMMC Level 1
CMMC 2.0 Level 1 — Foundational Cyber Hygiene
CMMC Level 1 consists of 17 foundational cybersecurity practices derived from FAR 52.204-21 and NIST 800-171. These cover basic cyber hygiene: access control, identification and authentication, media protection, physical protection, system and communications protection, and system and information integrity. Whera's controls meet all 17 practices. This positions Whera for defense-adjacent and government contractor B2B customers.
NIST 800-171
NIST SP 800-171 Rev 2 — Protecting CUI
The 110 security requirements of NIST 800-171 represent a thorough security posture applicable to any system handling sensitive data. Whera's controls are mapped to all 14 requirement families covering access control, cryptography, audit logging, incident response, configuration management, risk assessment, and system integrity. All requirements are fully implemented and documented, including a formal System Security Plan covering the complete authorization boundary, inherited controls, and plan of action.
COPPA
Children's Online Privacy Protection Act
COPPA governs the collection of personal information from children under 13. Whera's group-based model means minors are added to groups by a parent or guardian who controls membership. The minor role restricts account management capabilities. Location data for minor members is only visible to group admins. No behavioral profiling, no advertising, and no data sales apply to any user including minors.
Infrastructure Certifications — Inherited from AWS
Whera runs on AWS. Under the AWS shared responsibility model, AWS's certifications cover the physical infrastructure, hypervisor, and managed services layer. These inherited controls significantly reduce our compliance burden and are documented in AWS Artifact.
SOC 2 Type II (AWS)
AWS SOC 2 Type II
AWS holds a SOC 2 Type II report covering the services Whera uses: EC2, Fargate, DynamoDB, ElastiCache, S3, KMS, CloudTrail, and others. The AWS SOC 2 report is available via AWS Artifact for enterprise customers who require it.
ISO 27001 (AWS)
AWS ISO/IEC 27001:2022 Certification
AWS is ISO 27001 certified across its global infrastructure and the managed services Whera relies on. AWS's ISO 27001 certificate is available via AWS Artifact.
ISO 27017 (AWS)
AWS ISO/IEC 27017 Cloud Security
AWS holds ISO 27017 certification — the cloud-specific extension to ISO 27001 covering controls for cloud service providers and customers. Since Whera runs entirely on AWS, this certification covers the infrastructure layer of Whera's cloud security posture.
ISO 27018 (AWS)
AWS ISO/IEC 27018 — PII in Public Clouds
AWS holds ISO 27018 certification, covering the protection of personally identifiable information in public cloud services. This provides infrastructure-layer coverage for Whera's handling of location data as PII — complementing Whera's own application-layer controls aligned to the same standard.
ISO 22301 (AWS)
AWS ISO/IEC 22301 Business Continuity
AWS holds ISO 22301 certification for business continuity management across its infrastructure. This provides an additional layer of assurance underpinning Whera's own disaster recovery and business continuity plans.
PCI-DSS Level 1 (AWS)
AWS PCI-DSS Level 1 Service Provider
AWS is a PCI-DSS Level 1 Service Provider. Whera does not handle cardholder data directly — all payment processing is handled by Stripe — which places Whera outside primary PCI scope. The combination of AWS and Stripe provides a strong baseline for payment security.
HIPAA Eligible (AWS)
AWS HIPAA Eligibility Program
AWS participates in the HIPAA compliance program and executes Business Associate Agreements (BAAs) covering the services Whera uses — including Fargate, DynamoDB, ElastiCache, S3, KMS, and CloudTrail. This means the infrastructure layer Whera runs on inherits AWS's HIPAA controls. Combined with Whera's own self-assessment against the Security Rule, both the infrastructure and application layers are covered.
FedRAMP (AWS GovCloud)
AWS FedRAMP High Authorization
AWS GovCloud (US) holds FedRAMP High authorization. Whera currently runs on standard AWS regions, but this authorization provides confidence in AWS's security posture and positions a future migration to GovCloud if federal customers require it.
Security Training
Whera's founder holds multiple current security certifications, certificates, and training badges, and maintains up-to-date AWS security, services, and architecture training. Security awareness training satisfies the HIPAA Security Rule 45 CFR § 164.308(a)(5) addressable specifications.
Security questions?
For security inquiries, vulnerability reports, or enterprise compliance documentation requests, contact us at security@whera.app.
Last updated: March 2026