Compliance
Certifications, GDPR measures, data residency, and how to request compliance documentation.
Wocha is designed for organisations that require strong security, auditability, and regulatory alignment. This page summarises our current compliance posture and how enterprise customers can obtain documentation.
Certification status
| Certification | Status | Notes |
|---|---|---|
| SOC 2 Type II | In progress | Audit commenced Q2 2026; report expected Q4 2026 |
| ISO 27001 | Planned | Target 2027 following SOC 2 completion |
| HIPAA BAA | Available (Enterprise) | Per-tenant opt-in with automatic safeguard enforcement; BAA and guide |
| FedRAMP | Not planned | — |
We will update this page when certifications are awarded. Enterprise customers may request a copy of our SOC 2 report under NDA once available.
GDPR compliance
Wocha acts as a data processor when you use Wocha Cloud to authenticate your end users. You remain the data controller for your users' personal data.
Measures in place
- Data Processing Agreement (DPA) — standard template available at legal/dpa
- Lawful processing — we process data only per your instructions via the Customer API and hosted login configuration
- Data subject rights — tools to export, update, and delete user identities via Customer API; SCIM provisioning for directory-synchronised attributes
- Sub-processors — listed in the DPA; 30-day advance notice for changes
- Breach notification — we notify controllers without undue delay and within 72 hours of becoming aware of a personal data breach
- Records of processing — maintained internally; summary available on request
For GDPR enquiries, contact privacy@wocha.ai.
Data residency
Wocha Cloud supports region selection at tenant provisioning:
| Region | Location | Status |
|---|---|---|
| EU | European Union (default) | Available |
| US | United States | Available |
| APAC | Asia-Pacific | Available |
All tenant data — identities, sessions, OAuth clients, and permissions — remains in the selected region. Cross-region replication is not enabled by default.
Planned enhancements
- EU-only processing guarantee for enterprise contracts (no US sub-processor access)
- UK data residency — planned Q3 2026
- Customer-managed encryption keys (CMEK) — on enterprise roadmap
Contact sales@wocha.ai for data residency requirements not listed above.
Certifications roadmap
Priorities are driven by customer demand and contractual requirements. Enterprise customers may influence roadmap timing through their account team.
Requesting compliance documentation
| Document | How to request |
|---|---|
| SOC 2 Type II report | Email compliance@wocha.ai with company name and NDA acceptance |
| DPA (signed) | Download the DPA template or request a countersigned copy via compliance email |
| Sub-processor list | Included in DPA; updated list emailed on change |
| Penetration test summary | Available to enterprise customers under NDA |
| Security whitepaper | Security practices (public); detailed architecture pack on request |
We aim to respond to documentation requests within 5 business days.
Enterprise compliance questionnaire
Enterprise customers often require completion of vendor security questionnaires (SIG Lite, CAIQ, custom spreadsheets).
Process:
- Email compliance@wocha.ai with your questionnaire and deadline
- We assign a compliance liaison within 2 business days
- Completed questionnaire returned within 10 business days (standard) or 5 business days (enterprise priority)
- Follow-up calls available for clarification
Include your tenant slug, company name, and primary contact in all correspondence.
Related documentation
- Security practices — architecture, encryption, and incident response
- Service level agreement — uptime and support commitments
- Data Processing Agreement — GDPR processing terms
- Business Associate Agreement — HIPAA BAA for healthcare customers
- HIPAA compliance guide — enabling and configuring HIPAA mode
- Status page — current platform availability