Security Policy
How WUNWEY protects your data and digital credentials with enterprise-grade security.
🛡️ Our Commitment to Security
At WUNWEY, security comes first. We use multiple layers of protection, combining advanced encryption, decentralized storage, and industry best practices to safeguard your digital credentials, personal data, and interactions on our platform.
Your trust is paramount, and we continuously evolve our security posture to meet and exceed the highest standards.
🔐 Encryption & Cryptography
🔑 Private Key Protection
We secure private keys with AES-256-CBC encryption and derive the encryption key from your password with PBKDF2 (100,000 iterations, SHA-256). Your keys are encrypted on your device and never leave it in plaintext. Cryptographically secure random number generators are used for key creation.
🛡️ Credential Security
Credentials are encrypted end-to-end on your device, before they leave it, using secp256k1-ECDH-AES-GCM with support for multiple recipients. You retain full control over who can decrypt your credentials. Each session uses ephemeral keys to provide perfect forward secrecy.
🔐 Seed Phrase Safety
We implement industry-standard BIP39 mnemonic generation, encrypt seed phrases with your password, and provide secure recovery options. You remain solely responsible for backing up your seed phrase, which keeps your keys under your control.
🌐 Decentralized Infrastructure
🗄️ IPFS Storage
Credentials are stored in a distributed manner on the InterPlanetary File System (IPFS), providing immutable, censorship-resistant, and highly available storage. Multiple gateways (Pinata, Cloudflare, ipfs.io, dweb.link, and enterprise options) ensure redundancy and reliability.
⛓️ Blockchain Anchoring
We support anchoring proofs on Ethereum (Sepolia testnet and mainnet) through W3C-compliant Decentralized Identifiers (DIDs). Digital signatures use secp256k1 elliptic curve cryptography, enabling verifiable and tamper-evident credentials.
🔒 Application Security
🔐 Authentication & Authorization
Powered by Supabase Auth, our system uses secure JWT tokens with expiration, role-based access controls, and row-level security in the database to restrict access precisely by user and organization.
🛡️ Rate Limiting & DDoS Protection
We throttle requests per user and endpoint, enforce plan-based API rate limits, and employ infrastructure-level protections to mitigate denial-of-service attacks.
✅ Input Validation
All API endpoints enforce strict schema validation, parameterized queries prevent SQL injection, content sanitization blocks XSS attacks, and CORS policies restrict unauthorized cross-origin requests.
📊 Data Protection
🔐 Transport Security
All communication between your device and our servers is encrypted with TLS 1.3, using HTTPS exclusively. We implement certificate pinning and HSTS to guard against man-in-the-middle attacks.
🗄️ Database Security
Our PostgreSQL databases enforce row-level security, encrypt data at rest with AES-256, and maintain encrypted backups with point-in-time recovery. Access logging provides a full audit trail.
🔗 API Security
API access uses securely signed JWTs, cryptographically verified requests, and optional IP whitelisting. Webhooks are secured with HMAC-SHA256 signatures so that tampering is detected.
📋 Compliance & Industry Standards
✅ Standards Adherence
WUNWEY is fully compliant with W3C Verifiable Credentials 2.0, Decentralized Identifiers (DIDs), and JSON-LD specifications. We implement Bitcoin Improvement Proposals BIP39 and BIP44 for key management.
🔒 Privacy Regulations
We adhere to GDPR and CCPA regulations, practice data minimization, and empower users with control over their data, including rights to access and deletion.
🛡️ Security Frameworks
Our approach aligns with OWASP best practices, the NIST Cybersecurity Framework, and incorporates a Zero Trust security model. Defense in depth ensures multiple overlapping protections.
📊 Monitoring & Incident Response
👁️ Continuous Monitoring
Our platform is monitored 24/7 with AI-assisted anomaly detection, failed login tracking, and automated API abuse alerts.
🚨 Incident Management
We maintain a documented response plan for promptly containing and remediating security incidents. Affected users are notified transparently and kept updated until resolution.
📝 Audit & Logging
System activities are logged with cryptographically protected audit trails. Logs are retained per policy and regularly audited by internal and external experts.
💡 Security Best Practices for Users
For Individuals:
- Use strong, unique passwords
- Enable two-factor authentication when available
- Back up seed phrases securely offline
- Never share private keys
- Use hardware wallets for high-value credentials
For Organizations:
- Enforce strict access controls
- Audit team permissions regularly
- Secure API keys properly
- Rotate credentials regularly
- Monitor usage patterns
🔍 Responsible Vulnerability Disclosure
We welcome and appreciate security researchers who help improve our platform.
To report vulnerabilities:
- Email: team@wunwey.com
- Use our PGP key for sensitive information (available on request)
- Include: detailed description, reproduction steps, potential impact, and contact info
We pledge to:
- Acknowledge reports within 24 hours
- Provide an initial assessment within 72 hours
- Keep reporters regularly updated
- Publicly credit responsible disclosures
📊 Transparency & Security Metrics
Certifications & Compliance:
📧 Contact Us
For security questions or to report issues:
Security is an ongoing journey. We continuously update our practices to protect your data and credentials, and we welcome your feedback.