Wonderchat Security

Protecting and securing data at Wonderchat is our top priority.


System architecture

Wonderchat’s architecture is designed to be secure and reliable. We use an n-tier architecture with firewalls between each tier and additionally within certain tiers between services. Services are accessible only by other services that require access. Access keys are rotated regularly and stored separately from our code and data.

Failout and disaster recovery

Wonderchat is built with fault tolerance capability. For our enterprise plus plan customers, our services are fully redundant with replication and failover. Services are distributed across multiple Supabase availability zones. These zones are hosted in separate data centers, protecting services against single data center failures.

Data centers

For our customers on the enterprise plan, data is hosted and managed within Supabase secure data centers. These data centers have been accredited under:

  • SOC 2/SSAE 16/ISAE 3402 (Previously SAS 70 - Type II)

We make extensive use of the capabilities and services provided by Supabase to increase privacy and control network access throughout our system. Documents that provide more details about Supabase security are available at Supabase Security.

Vulnerability scans & pentesting

Wonderchat uses security tools to continuously scan for vulnerabilities to ensure that the software is secure and up to date.


Our servers are protected by firewalls and not directly exposed to the Internet.


Data storage

Wonderchat data stores are accessible only by servers that require access. Access keys are stored separately from our source code repository and only available to the systems that require them. Additionally, production environments are sandboxed from testing environments.


We maintain secure encrypted backups of important data for a minimum of 1 days. We do not retroactively remove deleted data from backups as we may need to restore it, if removed accidentally. Backup data is fully expunged after 7 days.


We aggregate logs to secure encrypted storage. All sensitive information (API keys) is filtered from our server logs. Log data is fully expunged after 7 days.



We do not store passwords. All users log into our platform through third party account providers such as Google or Microsoft, or they simply log in through a magic link.


We monitor and rate limit authentication attempts on all accounts.

User roles

We provide multiple user roles with different permissions levels within the product. Roles vary from account owners, to managers, users, and roles that limit visibility of Personally Identifiable Information (PII).



All Wonderchat web traffic is served over HTTPS. We force HTTPS for all web resources, including our REST API, web app and public website. We also use HSTS to ensure that browsers communicate with our services using HTTPS exclusively. Additionally, we use only strong cipher suites.


Our primary databases, including backups are fully encrypted at rest by our service provider. In addition, all archives and logs are fully encrypted at rest. We use industry standard encryption algorithms.


Incident response

Wonderchat has a defined protocol for responding to security events.

Security training

All employees complete security training when they join and are continually refreshed.

Employee vetting

Wonderchat performs background checks on all new employees in accordance with local laws. The background check includes employment verification and criminal checks for Singapore based employees.

PCI compliance

All credit card payments paid to Wonderchat go through our payment processing partner, Paddle. Details about their security posture and PCI compliance can be found at Paddle’s Security page.


If you have any concerns or discover a security issue, please contact us directly. Our team will acknowledge receipt of each vulnerability report, conduct a thorough investigation, and then take appropriate action for resolution. We request that you do not publicly disclose any issue you discovered until after we have addressed it.

GDPR compliance powered by ComplyDog