WeWeb Platform Security

Hey folks!

I’d love to be able to use WeWeb for my organisation. We were looking at launching a job board platform on Webflow, using Whalesync, Memberstack and Airtable. We built it, but before we launched, some security concerns were raised about Memberstack, as they are not SOC I or SOC II compliant, nor do they do penetration testing etc. Australian Privacy laws have requirements around the storage and passing of personal data (including things like email addresses).

Before we start building with WeWeb, could you please let me know what security is in place (specific questions below that I need to report on). Is there a security page I can take a look at?

1- “Are you SOC type 1 or SOC 2 certified?”
2- “Are there other information security frameworks WeWeb currently follows? Please provide names and additional details regarding implementation. For example ISO 27000, NIST, GDPR etc.”
3- “In the past 12 months, have you had a third party conduct a penetration test of your platform and infrastructure?”
4- “Do you have a physical security policy?”
5- “What country is the information of my members stored?”
6- “Are you able to tell me what platform you use for hosting i.e. AWS?”

Thanks and fingers crossed WeWeb can meet our security needs :slight_smile:


Bumping this as no reply from the support team yet :slight_smile:


One of our clients at Rarely Decaf in the healthcare space had similar questions.

I’ll share our experience and what I understand, but it would be great for someone on the WeWeb team to confirm.

:exclamation: In general, most of these questions are likely actually only important to the back-end system/tool you use, as WeWeb is a front-end application builder and shouldn’t hold any sensitive data.:exclamation:

1- “Are you SOC type 1 or SOC 2 certified?”

To my knowledge, they are not.

2- “Are there other information security frameworks WeWeb currently follows? Please provide names and additional details regarding implementation. For example ISO 27000, NIST, GDPR etc.”

Not to my knowledge.

3- “In the past 12 months, have you had a third party conduct a penetration test of your platform and infrastructure?”

Not to my knowledge.

4- “Do you have a physical security policy?”

Not to my knowledge.

5- “What country is the information of my members stored?”

This is dependent on what back-end you’re using. No member information should be stored with WeWeb.

6- “Are you able to tell me what platform you use for hosting i.e. AWS?”

WeWeb uses Amazon’s CDN.


Hey! Thanks for asking.

1 & 2 - We do not have certifications as of today.

3 - We did conduct pentests; the last one was 2 months ago.

4 - We do have a physical security policy.

5 - It depends on your back-end and auth system choices mostly. Our servers are in Virginia, USA, but for most applications we do not store any personal data as this is handled by the back-end.

6 - AWS

Happy to jump on a call to talk about these in detail. We have several customers with very high security standards who are using our platform, so hopefully this should work for your organization too :slight_smile:


Does WeWeb have a Web Application Firewall (WAF) implemented for the applications we build?

You can separate the concerns of WeWeb as build tool and WeWeb as host. In fact, for significant use cases, I would always recommend it so you can have world-class tooling up and down the stack. It's a bit more friction to manage hosting on a separate platform when building on WeWeb, but it's a small price for unlocking lots of value on each side - such as hiring a hosting provider with top-grade security protections.

Yes