Wooo
Last reviewed 2026-07-02

Trust & security

This page is maintained by Wooo to answer common security and privacy questions about the product. It describes the controls that are enabled today. It is not an independent certification.

Two promises

  1. No AI provider trains on your content. Every provider we route your data to is under a written no-train / zero-data-retention arrangement. Links to each provider's terms are in the subprocessor table below.
  2. No single provider sees enough to reconstruct your deck. We split generation across roles (planner, writer, critic, narrator) using different providers, redact named entities before any prompt leaves the workspace, and pass each writer call only the specific chunks it needs.

AI routing model

We do not use an AI gateway, router, or aggregator. Every model call goes directly from our worker to the provider's own API endpoint, under our contract with that provider.

Your workspace  ─►  Wooo worker  ─►  Provider API (Anthropic / OpenAI / Gemini / …)
                         │
                         └─►  Provenance ledger (metadata only, in your workspace)

  No third-party gateway, proxy, aggregator, or shared inference pool sits
  in this path. Zero-retention flags are applied on every call and recorded.

Encryption model

Master key (WOOO_MASTER_KEY, environment secret)
        │
        ▼ wraps
Per-workspace Data Encryption Key (DEK)
        │
        ▼ encrypts (AES-256-GCM)
Your BYOK provider keys · Uploaded source text · Slide content · Narrations

Deleting a workspace destroys its DEK. Ciphertext becomes unrecoverable
("crypto-shredding") without ever touching the underlying rows.
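
The key hierarchy above, as an added Node.js sketch (not Wooo's code): a master key wraps a per-workspace DEK, the DEK seals content with AES-256-GCM, and deleting the wrapped DEK leaves the rows in place but unreadable. `WorkspaceVault`, the in-memory maps and the `nonce || tag || ciphertext` layout are assumptions made for illustration.

```javascript
const { randomBytes, createCipheriv, createDecipheriv } = require("node:crypto");

// AES-256-GCM seal: returns nonce || tag || ciphertext. `aad` binds the blob to its context.
function seal(key, plaintext, aad) {
  const nonce = randomBytes(12); // fresh 96-bit nonce for every encryption
  const c = createCipheriv("aes-256-gcm", key, nonce);
  c.setAAD(Buffer.from(aad));
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([nonce, c.getAuthTag(), ct]);
}

function open(key, blob, aad) {
  const d = createDecipheriv("aes-256-gcm", key, blob.subarray(0, 12));
  d.setAAD(Buffer.from(aad));
  d.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]); // throws on a bad tag
}

// In-memory stand-ins for the key table and the content rows (hypothetical schema).
class WorkspaceVault {
  constructor(masterKey) {
    this.masterKey = masterKey;   // 32 bytes, e.g. decoded from an environment secret
    this.wrappedDeks = new Map(); // workspaceId -> DEK wrapped under the master key
    this.rows = new Map();        // "workspaceId/name" -> ciphertext
  }
  createWorkspace(id) {
    const dek = randomBytes(32);
    this.wrappedDeks.set(id, seal(this.masterKey, dek, `dek:${id}`));
    dek.fill(0); // keep only the wrapped copy
  }
  dek(id) {
    const wrapped = this.wrappedDeks.get(id);
    if (!wrapped) throw new Error(`no DEK for workspace ${id}`);
    return open(this.masterKey, wrapped, `dek:${id}`);
  }
  put(id, name, text) {
    this.rows.set(`${id}/${name}`, seal(this.dek(id), Buffer.from(text), `${id}/${name}`));
  }
  get(id, name) {
    return open(this.dek(id), this.rows.get(`${id}/${name}`), `${id}/${name}`).toString();
  }
  deleteWorkspace(id) { this.wrappedDeks.delete(id); } // crypto-shred: rows stay, key is gone
}
```

The shred is only as complete as the deletion of the wrapped DEK: any backup or replica that still holds it, together with the master key, can decrypt the retained rows.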

Context sharding

Source docs ──► Planner (Claude): outline briefs only, no raw quotes
        │
        ▼
   story_graph ──► Writer (GPT-5, per slide): ONE slide brief + minimal chunks
        │
        ▼
   slide draft ──► Critic (Gemini): rendered slide + rubric only
        │
        ▼
approved slide ──► Narrator (ElevenLabs): speaker notes text only

Named entities (companies, people, numbers) are replaced with {{TOKENS}}
locally before any call. Only your server-side worker holds the entity map,
and it is discarded when the generation finishes.
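
The redaction step and the metadata-only ledger row, as an added Node.js sketch (not Wooo's code). It assumes entities arrive as a caller-supplied list with uppercase kinds, figures are found by a simple regex, and the hash covers the redacted outbound prompt; every function and field name here is hypothetical.

```javascript
const { createHash } = require("node:crypto");

const escapeRe = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
const NUMBER = String.raw`[$€£]?\d(?:[\d,.]*\d)?%?`; // amounts, percentages, years

// Swap entities and figures for {{TOKENS}} in one pass. Returns the redacted text and
// the token -> original map, which stays in the worker's memory only.
function redact(text, entities) {
  const kindOf = new Map(entities.map((e) => [e.value, e.kind]));
  // Longest names first so "Acme Holdings" wins over a shorter "Acme" entry.
  const names = [...kindOf.keys()].sort((a, b) => b.length - a.length).map(escapeRe);
  const pattern = new RegExp([...names, NUMBER].join("|"), "g");
  const map = new Map(), tokenOf = new Map(), counters = {};
  const redacted = text.replace(pattern, (match) => {
    if (!tokenOf.has(match)) {
      const kind = kindOf.get(match) || "NUM";
      counters[kind] = (counters[kind] || 0) + 1;
      const token = `{{${kind}_${counters[kind]}}}`;
      tokenOf.set(match, token);
      map.set(token, match);
    }
    return tokenOf.get(match); // the same value always maps to the same token
  });
  return { redacted, map };
}

// Put the originals back into a provider response; unknown tokens are left untouched.
function restore(text, map) {
  return text.replace(/\{\{[A-Z]+_\d+\}\}/g, (t) => (map.has(t) ? map.get(t) : t));
}

// Fail closed on the final outbound prompt, then build a metadata-only ledger row.
function ledgerEntry(call, outbound, map) {
  const residue = outbound.replace(/\{\{[A-Z]+_\d+\}\}/g, ""); // ignore digits inside tokens
  for (const original of map.values()) {
    if (residue.includes(original)) throw new Error("entity leaked past redaction");
  }
  return {
    provider: call.provider,
    model: call.model,
    keySource: call.byok ? "byok" : "managed",
    promptHash: createHash("sha256").update(outbound).digest("hex"),
    entityCount: map.size,
    zeroRetention: call.zeroRetention === true,
  };
}
```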

Subprocessors

| Provider | What it sees | Contract tier | ZDR | Region | Sub-subprocessors | Terms |
|---|---|---|---|---|---|---|
| Anthropic (Claude) | Redacted outline briefs only | API commercial terms | Verified | US | AWS (us-east) | Link ↗ |
| OpenAI (GPT-5) | One redacted slide brief per call | API (store:false) / ZDR on Enterprise | Verified | US | Azure (us-east) | Link ↗ |
| Google (Gemini) | Rendered slide + rubric only | Paid API tier (no-train) | Verified | US | Google Cloud | Link ↗ |
| Groq | Single-slide edit instructions | API + Zero-Retention header | Verified | US | GroqCloud | Link ↗ |
| Perplexity | Public web queries only | API terms | Verified | US | AWS | Link ↗ |
| ElevenLabs | Speaker notes text only | Enterprise (no-logging) | Verified | US | AWS | Link ↗ |
| Deepgram | Voice recordings (author-initiated) | Enterprise ZDR | Verified | US | AWS/GCP | Link ↗ |
| fal.ai | Prompt text (no source docs) | API terms | Verified | US | AWS | Link ↗ |
| Supabase (Lovable Cloud) | Encrypted at rest | DPA + SCCs | Verified | EU/US | AWS | Link ↗ |

Data retention

| Data | Where | Retention |
|---|---|---|
| Source documents you upload | Encrypted (AES-256-GCM) with your workspace key | Until you delete the pack or your account |
| Generated slides, notes, narrations | Same workspace-encrypted store | Until you delete the pack |
| BYOK provider API keys | Encrypted per-user with envelope encryption | Until you remove them; wiped on account delete |
| Provenance events (audit log) | Metadata only — hashes, not prompts | 90 days rolling |
| AI provider-side prompts / completions | Provider's servers under no-train ZDR terms | 0–30 days per provider policy |

Confidentiality mode

Any pack can be switched into Confidentiality mode. When on, Wooo:

  • Refuses to run without your own BYOK keys for Anthropic, OpenAI, and Gemini.
  • Forces entity redaction and role sharding on every call.
  • Disables managed-key fallback and any provider without a no-train arrangement.
  • Records every call in a provenance log you can review.

What organisations typically ask

Do you have a DPA?
Yes. Contact security@wooo.app for our standard Data Processing Agreement, which includes SCCs for EU/UK transfers.

Do model providers train on our data?
No. Every provider we route to is either contractually no-train by default (Anthropic, OpenAI API, Gemini paid tier, Perplexity API) or requires an explicit zero-retention flag or Enterprise agreement (Groq, ElevenLabs, Deepgram, fal.ai). We apply the strongest available flag on every call and record it in the audit log.

Do you route through an AI gateway or aggregator?
No. Every call goes directly from our server to the provider's own API endpoint. There is no third-party router, proxy, or aggregator in the path.

What is your breach notification window?
72 hours from confirmation of a security incident affecting customer data, in line with GDPR expectations.

What is your deletion SLA?
Immediate on workspace delete (crypto-shredded within seconds). Provider-side residuals expire within each provider's stated ZDR window (0–30 days).

Can we export the audit log?
Yes. Every AI call is recorded (provider, model, BYOK vs managed, prompt hash, entity count, tokens, zero-retention flag). You can download 90 days of your workspace's audit log as CSV from /audit.

Do you have SOC 2 / ISO 27001?
Not yet — attestation is on our roadmap. We operate to those control frameworks today and can share a self-assessment on request.

Signed-in customers can download their audit log and posture pack from /audit.

Contact

Security concern, subprocessor question, or takedown request: security@wooo.app.