Security
Wodo is built by a team with decades of experience writing software for governments and regulated industries — where data sovereignty, security, and compliance are the baseline, not a feature. This page describes how we protect your work today, the things we deliberately don't do, and where our security programme is going.
We try to be honest about the state of things, including what we don't yet have. If anything here is unclear or seems wrong, please write to security@wodo.co.
Identity and access
Sign-in is delegated. Wodo never stores passwords. You sign in through your identity provider — Google, Microsoft, or a custom OIDC provider configured by your organisation. Whatever sign-in policies you've set there (MFA enforcement, session length, conditional access) apply to Wodo automatically.
Passkeys (WebAuthn) for users without a supported IdP. Sign-in via your identity provider is the default. For people who don't have one — typically invited guests from outside your organisation (contractors, partners, clients) — Wodo offers WebAuthn passkeys instead, so they can sign in securely and passwordlessly without setting up another account. The private key never leaves their device.
Custom OIDC for organisations. Organisations that need their own identity provider — for compliance, for SSO with their own IDP, for federated access — can configure one. Wodo accepts the same provider for all members of that organisation.
Role separation. Within an organisation, members and admins have distinct permissions. Admin actions (member invitations, role changes, billing changes, data exports, deletions) are recorded in an audit log that organisation admins can review.
Per-space access control. Spaces inside an organisation have their own membership. People only see and edit what they've been added to.
Data residency
Choose your region. When you create a space you choose where its data lives — currently EU or Canada, with additional regions added based on demand. Workspace content — including its search index — is stored only in the region you chose. We never store or back up workspace content outside that region. During real-time sync and search, data may transit the network, but it is never written to storage in another region.
EU-first by default. Our default hosting region is the European Union. Every available region today is either inside the EU/EEA or covered by an EU adequacy decision. Canada is the second region; its EU adequacy decision covers private-sector commercial organisations under PIPEDA, which is the basis on which we operate.
Non-EU regions are an explicit choice. If we ever add a region outside the EU/EEA and outside an adequacy decision, choosing it for a space will surface a clear notice. Choosing it is an operational step; the legal safeguard is the EU Standard Contractual Clauses, together with a transfer impact assessment and any supplementary measures needed so the destination's law can't undermine them. We do not move data across the EU border without your active per-space decision and those safeguards in place.
Encryption and infrastructure
TLS 1.3 in transit. All traffic to Wodo is encrypted with modern TLS, HSTS-enforced. Authentication cookies are HTTP-only and secure.
Encryption at rest. Workspace content and database backups are encrypted on disk by our infrastructure provider.
European hosting (OVHcloud). Wodo runs on OVHcloud, a European cloud provider with extensive independent security and compliance certifications. All customer data — workspace content, accounts, files — lives exclusively in OVHcloud data centres.
European CDN (bunny.net). Static assets and application code are delivered via bunny.net, a European CDN with independent security certifications.
European email (Lettermint). Transactional email (sign-in links, notifications, invitations) is delivered via Lettermint, an EU-based email provider with a GDPR-aligned data processing agreement.
European payments (Mollie). Subscription payments are handled by Mollie, an EU-licensed payment institution authorised and supervised by De Nederlandsche Bank under PSD2.
See the Certifications section below for each provider's published compliance materials.
Audit and admin controls
Audit log. Administrative actions in an organisation — member invitations, role changes, billing changes, data exports, account deletions — and member sign-in events are recorded in an append-only audit log that organisation admins can view at any time.
Tenant isolation. Each organisation's data is scoped server-side. There is no shared workspace; access is enforced on every request, not assumed from session state.
Audited dependencies. Our server-side code is in Rust; we run automated checks against known-vulnerable dependencies on every change. We patch critical security advisories promptly.
Logging without leakage. Operational logs go to a single EU-hosted log management service. Sensitive fields are stripped at the application layer before logs ever leave the server.
Privacy by design — what we don't do
This part is shorter to write than to live by. Everything below is a deliberate absence:
- No analytics, no telemetry. Wodo does not measure what you do inside the app, beyond the operational logging needed to run it.
- No tracking pixels, no third-party scripts. The marketing site (wodo.co) and the application (app.wodo.co) load no tracking code, no advertising tags, and no behavioural analytics.
- No data sales. We do not sell, rent, or share your data with anyone outside the subprocessors listed in our DPA.
- No machine-learning training on your data. We do not use the content of your workspaces to train any model, ours or anyone else's.
- No marketing emails. The only emails you receive are operational — account, billing, security. Not because regulation forces us; because we'd rather improve the product.
Vulnerability reporting and responsible disclosure
If you've found a security issue, please tell us:
security@wodo.co — for both technical reports and suspected account compromise. We acknowledge reports within two working days and work with you to confirm, fix, and disclose. We don't sue or threaten researchers acting in good faith. We'll thank you publicly (with permission) and recognise meaningful reports.
By acting in good faith we mean: you access or modify only the minimum data needed to demonstrate the issue; you don't exfiltrate, retain, or publicly disclose others' data; you don't degrade or disrupt the service (no denial-of-service) or socially engineer our staff or users; and you give us a reasonable time to fix the issue before disclosing it. Researchers who follow this won't face legal action from us.
Certifications
We want to be precise about who holds which certifications, because the distinction matters.
Our infrastructure providers
The infrastructure your data lives on is independently audited and certified to recognised standards. These certifications cover the underlying platforms operated by our providers; they do not cover Wodo as a product. We mention them because they are what your data is built on, and procurement teams reasonably want to know that the foundations are sound.
| Provider | Role | Compliance information |
|---|---|---|
| OVHcloud | Hosting & log management | Certifications and audits |
| bunny.net | CDN | Trust Center |
| Mollie | Payments | Security & compliance |
| Lettermint | Transactional email | Trust Center |
Wodoco's own certifications
Today: Wodoco itself does not yet hold a formal security certification. Our practices are described on this page; if a procurement team needs more, write to security@wodo.co and we'll share a security questionnaire response and any other materials we have.
We mention this clearly because we don't want anyone confused about the distinction: certified infrastructure providers are part of what we offer, but they are not the same thing as Wodoco being certified, and we won't imply otherwise. Once we are ISO 27001 certified, we'll update this page.
Legal and contractual
Our security commitments are written into our customer contracts, not just this page:
- The Privacy Policy describes what personal data we process and your rights as a data subject.
- The Terms of Service include the European Continuity Promise — your right to refund and free export if Wodoco ever passes under non-EU/EEA control.
- The Data Processing Agreement — our GDPR Article 28 contract — sets out our processor obligations in detail.
If you have questions about anything on this page, write to security@wodo.co. For privacy-specific questions, privacy@wodo.co — same team either way.