Whimsical Logo



Last reviewed: June 26th, 2023

Security of Whimsical customers’ data is our core concern. All data you store in Whimsical remains yours, and we are committed to ensuring that your data is not accessed by anyone without authorization.

Secure authentication

In addition to the standard e-mail/password authentication and Google SSO we also support SAML 2.0 based authentication, both IdP and SP initiated logins, and TOTP 2FA authentication. This means that you can set up integrations with systems like:

  • Okta
  • OneLogin
  • GSuite
  • and any other service supporting SAML 2.0 authentication

We also support making SAML 2.0 authentication the only authentication method on a per-workspace basis. So you can make sure that only your chosen authentication method is used for your content.

Physical security

Whimsical uses Amazon Web Services (AWS) as our cloud hosting provider. We leverage AWS’ data centers with facilities and procedures designed to ensure physical security and integrity of all of the data you entrust us with. See https://aws.amazon.com/compliance/data-center/controls/ for more details

In addition to physical security, we also leverage encryption to protect your content:

  • in transit, using strong encryption (at least TLS 1.2)
  • at rest, using AES-256 encryption

Data integrity

Whimsical stores all data on redundant systems to help prevent data loss. Data are also automatically backed up on AWS servers with the capability to provide point-in-time recovery down to the second.

Whimsical’s production data is also regularly backed up to a separate location and all backups are encrypted.


We use multiple security, monitoring, and alerting tools designed to make sure our systems are running securely and safely. These alerts are monitored 24/7 by our engineering team.


We operate on the principle of least-required privilege and try to provide our employees only the minimum needed permissions to the production systems and data.

We also maintain separation between development/staging and production environments.

We are SOC2 Type II compliant, certifying that our security policies and controls continuously meet the highest industry standards. To get a copy of the report, please visit our Trust Center located at https://trust.whimsical.com/.

We also contract reputable, independent, third-party security firms to conduct penetration testing at least once a year.

Payment Safety

We use Stripe to accept and process credit card payments. We implement these payment technologies in a such way that Whimsical doesn’t store or process any credit-card information.

Software security

Even though we put a lot of effort into creating secure software, we acknowledge that no system is completely secure.

We use various automated software solutions to check for security issues and vulnerabilities both in our code and the in our back-end systems. We apply fixes for any issues we find promptly.

We practice immutable infrastructure, where we don’t make changes to live code or running servers in production. Where applicable, we treat both our software and our infrastructure configuration as code, which means all changes go through a formal code review and an automated testing and automated deployment process.

And if you have found a security-related issue, we are eager to hear about it. At the moment, we do not offer bug bounties, but we do guarantee plenty of good karma.