Wocha Docs

Compliance

Certifications, GDPR measures, data residency, and how to request compliance documentation.

Wocha is designed for organisations that require strong security, auditability, and regulatory alignment. This page summarises our current compliance posture and how enterprise customers can obtain documentation.


Certification status

CertificationStatusNotes
SOC 2 Type IIIn progressAudit commenced Q2 2026; report expected Q4 2026
ISO 27001PlannedTarget 2027 following SOC 2 completion
HIPAA BAAAvailable (Enterprise)Per-tenant opt-in with automatic safeguard enforcement; BAA and guide
FedRAMPNot planned

We will update this page when certifications are awarded. Enterprise customers may request a copy of our SOC 2 report under NDA once available.


GDPR compliance

Wocha acts as a data processor when you use Wocha Cloud to authenticate your end users. You remain the data controller for your users' personal data.

Measures in place

  • Data Processing Agreement (DPA) — standard template available at legal/dpa
  • Lawful processing — we process data only per your instructions via the Customer API and hosted login configuration
  • Data subject rights — tools to export, update, and delete user identities via Customer API; SCIM provisioning for directory-synchronised attributes
  • Sub-processors — listed in the DPA; 30-day advance notice for changes
  • Breach notification — we notify controllers without undue delay and within 72 hours of becoming aware of a personal data breach
  • Records of processing — maintained internally; summary available on request

For GDPR enquiries, contact privacy@wocha.ai.


Data residency

Wocha Cloud supports region selection at tenant provisioning:

RegionLocationStatus
EUEuropean Union (default)Available
USUnited StatesAvailable
APACAsia-PacificAvailable

All tenant data — identities, sessions, OAuth clients, and permissions — remains in the selected region. Cross-region replication is not enabled by default.

Planned enhancements

  • EU-only processing guarantee for enterprise contracts (no US sub-processor access)
  • UK data residency — planned Q3 2026
  • Customer-managed encryption keys (CMEK) — on enterprise roadmap

Contact sales@wocha.ai for data residency requirements not listed above.


Certifications roadmap

timeline
    title Wocha compliance roadmap
    2026 Q2 : SOC 2 Type II audit begins
    2026 Q4 : SOC 2 Type II report issued
    2027 Q2 : ISO 27001 gap assessment
    2027 Q4 : ISO 27001 certification target

Priorities are driven by customer demand and contractual requirements. Enterprise customers may influence roadmap timing through their account team.


Requesting compliance documentation

DocumentHow to request
SOC 2 Type II reportEmail compliance@wocha.ai with company name and NDA acceptance
DPA (signed)Download the DPA template or request a countersigned copy via compliance email
Sub-processor listIncluded in DPA; updated list emailed on change
Penetration test summaryAvailable to enterprise customers under NDA
Security whitepaperSecurity practices (public); detailed architecture pack on request

We aim to respond to documentation requests within 5 business days.


Enterprise compliance questionnaire

Enterprise customers often require completion of vendor security questionnaires (SIG Lite, CAIQ, custom spreadsheets).

Process:

  1. Email compliance@wocha.ai with your questionnaire and deadline
  2. We assign a compliance liaison within 2 business days
  3. Completed questionnaire returned within 10 business days (standard) or 5 business days (enterprise priority)
  4. Follow-up calls available for clarification

Include your tenant slug, company name, and primary contact in all correspondence.


On this page