Trust
Security at Wooho
Last updated: June 2026
Infrastructure
Wooho runs on Google Cloud / Firebase and Vercel. The web app is served from Vercel's EU (Frankfurt) region. Authentication, database, and AI embeddings run on Google Cloud with managed, continuously patched infrastructure.
Tenant isolation
Every workspace is a separate tenant. Firestore security rules enforce default-deny access — a user can only read or write data within their own tenant, scoped by their role. All API routes independently verify the caller's tenant and role on the server.
Encryption
All traffic is encrypted in transit with TLS 1.2+ (HSTS enforced, 2-year max-age). Data at rest is encrypted by Google Cloud and Vercel using AES-256.
Authentication & access
Identity is managed by Firebase Auth with email verification. Roles (owner, manager, agent, and platform staff) gate every feature. Platform-admin and workspace data are separated; staff access is restricted by custom claims and a cookie-gated console.
Application security
A strict Content-Security-Policy with per-request nonces is applied to app routes, plus X-Frame-Options, X-Content-Type-Options, and a locked-down Permissions-Policy. Every change is scanned for secrets in CI (gitleaks); no credentials are committed.
Payments
Card payments are processed by Polar as Merchant of Record; Wooho never sees or stores full card numbers. Egypt InstaPay transfers are verified manually against the transfer reference and amount.
AI data handling
AI answers are grounded only in the documents your workspace uploads. Prompts are guarded against injection, and unsupported questions are refused rather than guessed. Your content is used to serve your workspace, not to train shared models.
Backups & resilience
Firestore point-in-time recovery and scheduled exports protect against data loss. Rate limiting and per-tenant usage caps protect against abuse and runaway cost.
Reporting a vulnerability
Email security@wooho.app with details. We acknowledge reports within two business days and do not pursue good-faith researchers.