Security

Security of Whimsical customers’ data is our core concern. All data you store in Whimsical remains yours, and we are committed to ensuring that your data is not seen by anyone who should not see it.

Secure authentication

In addition to standard e-mail/password authentication and Google SSO, we also support SAML 2.0-based authentication, with both IdP- and SP-initiated logins. This means that you can set up integrations with systems like:

  • Okta
  • OneLogin
  • GSuite
  • and any other service supporting SAML 2.0 authentication

We also support making SAML 2.0 authentication the only authentication method on a per-workspace basis. So you can make sure that only the proper authentication method is used for your content.

Physical security

Whimsical uses Amazon Web Services (AWS) as our cloud hosting provider. We leverage AWS’ highly secure data centers to ensure physical security and integrity of all of the data you entrust us with. See https://aws.amazon.com/compliance/data-center/controls/ for more details.

In addition to physical security we also extensively leverage encryption. To protect your content:

  • in transit, Whimsical uses strong TLS 1.2 encryption
  • at rest, content in Whimsical is protected using the industry standard AES-256 encryption

Data integrity

Whimsical stores all data on highly redundant systems, to avoid any data loss.

Whimsical’s production data is also regularly backed up to a separate, isolated location and all backups are encrypted. So no matter what you build using Whimsical - it’s safe and sound!

Processes

We operate on the principle of least-required privilege, and try to provide our employees only the minimum needed permissions to the production systems and data.

We also maintain strict separation between development/staging and production environments, and production data is never used in other contexts.

Whimsical is certified under the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks and is actively pursuing other industry-relevant certification.

Credit Card Safety

We use Stripe to accept and process credit card payments. We implement these payment technologies in such a way that Whimsical doesn’t store or process any credit card-related information.

Software security

Even though we put a lot of effort into creating secure software, we acknowledge that no system is completely secure.

We use various automated software solutions to check for security issues and vulnerabilities both in our code and in the systems we use under the hood. We try to apply fixes for any issues we find as soon as possible.

And if you have found a security-related issue, we are eager to hear about it. At the moment we do not offer bug bounties but we do guarantee plenty of good karma.