Security
How we protect your data · Last updated: 2026-05-09
1. The short version
WizeLife handles sensitive data — financial, medical, tax. We follow modern defense-in-depth practices: encrypted transport, encrypted storage, isolated user permissions, audited cloud providers, and a documented incident-response plan. We are a small team — we do not claim enterprise-grade certifications yet, but we apply the same engineering principles.
2. Encryption
- In transit: all traffic is HTTPS/TLS 1.2+. HSTS preload, no mixed content.
- At rest: Firestore encrypts all data with Google-managed keys (AES-256). Google Cloud Run and Vercel encrypt their volumes. Browser localStorage is not encrypted by us — that's handled by the device's OS-level security.
- Secrets: API keys live only in Google Cloud / Vercel / GitHub encrypted secret stores. Never committed to git, never logged.
3. Authentication & access control
- Email/password authentication via Firebase Authentication. Passwords are hashed with industry-standard algorithms (Firebase uses scrypt + per-user salt).
- Google sign-in with OAuth 2.0.
- Session tokens are JWT (Firebase ID tokens), short-lived, refreshed automatically.
- Firestore security rules enforce that each user can read and write only their own documents; this is verified continuously by automated tests.
- Backend APIs require Authorization: Bearer <Firebase ID token>. Anonymous access is rate-limited per IP.
4. Network & perimeter
- Cloudflare in front of wizelife.ai and tax.wizelife.ai: DDoS mitigation, WAF (Web Application Firewall), bot detection.
- Security headers (HSTS, X-Frame-Options DENY, X-Content-Type-Options nosniff, strict CSP) on all pages — verified daily by our QA workflow.
- Rate limiting on all backend AI endpoints (slowapi for FastAPI, custom middleware for Express).
- CORS tightly scoped — only known WizeLife origins can call our APIs.
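A header checker in the spirit of the daily security-header check described above, written here as an added example (it is not WizeLife's QA workflow code); the one-year HSTS minimum and the CSP rules it applies are assumptions about what "strict CSP" means, and the sample response at the end is constructed.

```python
# Added example (not WizeLife's QA code); the thresholds and CSP rules are assumptions.
from __future__ import annotations

MIN_HSTS_MAX_AGE = 31_536_000  # one year, the minimum the HSTS preload list accepts
REQUIRED_EXACT = {"x-frame-options": "deny", "x-content-type-options": "nosniff"}

def _hsts(value: str) -> tuple[int, set[str]]:
    # Parse 'max-age=N; includeSubDomains; preload' into (N, {lower-cased flags}).
    parts = [d.strip().lower() for d in value.split(";") if d.strip()]
    ages = [int(d.split("=", 1)[1].strip('"')) for d in parts if d.startswith("max-age=")]
    return (ages[0] if ages else 0), {d for d in parts if not d.startswith("max-age=")}

def _csp_sources(csp: str, directive: str) -> list[str] | None:
    # Return the source list of one CSP directive, or None if the directive is absent.
    for tokens in (part.split() for part in csp.split(";")):
        if tokens and tokens[0].lower() == directive:
            return [t.lower() for t in tokens[1:]]
    return None

def check_security_headers(headers: dict[str, str]) -> list[str]:
    """Return findings for one response's headers; an empty list means every check passed."""
    h = {k.lower(): v.strip() for k, v in headers.items()}  # header names are case-insensitive
    findings = [f"{name} is {h.get(name)!r}, expected {want!r}"
                for name, want in REQUIRED_EXACT.items() if h.get(name, "").lower() != want]
    if "strict-transport-security" not in h:
        findings.append("missing strict-transport-security")
    else:
        max_age, flags = _hsts(h["strict-transport-security"])
        if max_age < MIN_HSTS_MAX_AGE:
            findings.append(f"hsts max-age {max_age} is below {MIN_HSTS_MAX_AGE}")
        for flag in ("includesubdomains", "preload"):  # both are required for preloading
            if flag not in flags:
                findings.append(f"hsts lacks {flag}")
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("missing content-security-policy")
    else:
        scripts = _csp_sources(csp, "script-src")
        scripts = _csp_sources(csp, "default-src") if scripts is None else scripts
        if scripts is None:
            findings.append("csp has neither script-src nor default-src")
        else:
            # A nonce or hash source makes CSP Level 2+ browsers ignore 'unsafe-inline'.
            strict = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in scripts)
            if ("'unsafe-inline'" in scripts and not strict) or "*" in scripts:
                findings.append("csp allows inline or wildcard script sources")
    return findings

WEAK_SAMPLE = {"Strict-Transport-Security": "max-age=300", "X-Frame-Options": "SAMEORIGIN",
               "Content-Security-Policy": "default-src 'self' 'unsafe-inline'"}  # constructed sample
```

Run it against a live response by passing `dict(response.headers)` from any HTTP client; a non-empty result is what a nightly job would fail on.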
5. Data minimization
We collect only what's required for each tool to work. We never collect:
- Government IDs, passport numbers (free text only — not stored as IDs)
- Payment-card numbers (Stripe handles those directly when billing is live)
- Biometric data
- Geolocation beyond country level
- Browser fingerprints or device IDs for tracking
Health data and high-sensitivity financial data are stored in browser localStorage by default and only synced to Firestore if you explicitly opt in.
6. AI processing
When you query our AI:
- Your question + the structured profile context is sent over HTTPS to Google Gemini.
- For real-time research, a derived query goes to Tavily.
- Google's paid Gemini API does not use customer prompts to train models.
- We do not retain AI conversation logs after the session, beyond what you explicitly save in your profile.
Full architecture: ARCHITECTURE.md (public).
7. Continuous monitoring
- Daily QA workflow (GitHub Actions, 06:00 UTC) — runs 13 tiers of checks against every deployed page: HTTP status, console errors, broken assets, security headers, SSL expiry, accessibility (axe-core), SEO meta tags, PWA validity, multi-viewport, cross-app SSO, i18n, third-party APIs, cold-start latency, end-to-end auth flow.
- Real-time uptime monitoring via UptimeRobot — every endpoint pinged every 5 minutes. Owner alerted within 5 minutes of an outage.
- Tax-law watcher (weekly) scans for regulatory changes that affect users.
- Service Worker auto-update across all apps — every 5 minutes, the browser checks for new code and offers a one-click upgrade.
8. Incident response
If a data breach occurs:
- Affected users are notified via email within 72 hours (per Israeli Privacy Law and GDPR Article 33).
- The Israeli Privacy Protection Authority is notified, if required by the breach severity.
- A post-mortem is published on this page.
- Compromised credentials are forcibly rotated.
9. Vendor due diligence
Critical vendors and their compliance posture:
| Vendor | Role | Standards |
|---|---|---|
| Google Firebase / Cloud | Auth + database + AI | SOC 1/2/3, ISO 27001/17/18, HIPAA-eligible |
| Vercel | Frontend hosting | SOC 2 Type 2 |
| Google Cloud Run | Backend hosting | SOC 2, ISO 27001 |
| Cloudflare | DNS / WAF / DDoS | SOC 2, ISO 27001 |
| Tavily | Web search for AI grounding | SOC 2 in progress |
| Cloudflare Web Analytics | Privacy-first analytics (no cookies) | SOC 2, ISO 27001 |
10. Reporting a vulnerability
If you discover a security issue, please email [email protected] with details and steps to reproduce. We respond within 48 hours.
Please:
- Do not publicly disclose before we've had a chance to fix.
- Do not access, modify, or delete other users' data.
- Do not run automated scans that degrade service.
We currently don't run a paid bug-bounty program, but we will publicly thank responsible reporters in this section.
11. Limitations & honest caveats
Things we don't have yet — and you should know:
- No SOC 2 / ISO 27001 audit (small team — those audits cost ₪50-100K). We'll pursue them when enterprise customers require it.
- No third-party penetration test on record (planned before 1,000-user milestone).
- No DPO (Data Protection Officer) — owner acts as primary contact for privacy matters.
- No HIPAA covered-entity status — WizeHealth is for personal information, not for clinical use.