Security at Wippy
You're trusting us with the most sensitive data a firm holds — client SSNs, financials, and tax documents. Here is exactly how that data is protected, in specifics rather than badges. Everything on this page is true today, not aspirational.
Sensitive fields encrypted at rest
Client SSNs, spouse SSNs, EINs, two-factor secrets, connected-email OAuth tokens, secure messages, and stored AI keys are encrypted with AES-256-GCM at the application layer — before they ever reach the database.
Encrypted file storage
Every uploaded document is encrypted with AES-256-GCM before it touches disk, with key versioning so encryption keys can be rotated without re-uploading your files.
HTTPS everywhere
Your connection to Wippy is always encrypted with TLS. There is no unencrypted way to reach the app.
Two-factor authentication
TOTP-based 2FA (Google Authenticator, 1Password, etc.) with single-use backup codes is available on every staff account.
Per-firm isolation, enforced three times
Every database query is scoped to your firm — by an auto-scoping data-access layer, by explicit per-query firm filters, and by runtime checks. Requests for another firm's records return 404, so even their existence isn't revealed.
Append-only audit log
Every sensitive action is recorded in an audit log that application code cannot edit or selectively delete — the data-access layer rejects the attempt at runtime. Tamper-evident by construction.
Your AI, your keys
AI features run on your firm's own API key. Your client data goes to the AI provider you choose, under your firm's own agreement with that provider — it is never pooled through shared platform AI keys.
Daily backups
Your data lives in a managed PostgreSQL database with automatic daily backups and point-in-time recovery.
Virus scanning on every upload
Every file upload is scanned before it's stored. If the scanner is ever unavailable, the upload is rejected rather than accepted unscanned — the pipeline fails closed.
Your data is yours
A firm admin can export the complete firm dataset — clients, returns, time, invoices, messages, and the original files — at any time, on every plan, including Free. No lock-in, no export fee.
What we don't claim
Our audience includes people who audit controls for a living, so we'd rather be precise than impressive:
- No SOC 2 certification yet. A SOC 2 audit costs tens of thousands of dollars and months of work — at our current size, that money is better spent on the engineering above. We expect to pursue certification as the firm count grows. In the meantime, everything on this page is a specific, checkable claim about how the system works — which is more than a badge tells you.
- No HIPAA claims. Wippy is built for tax practices, not healthcare providers.
- No "bank-level security" vocabulary. Marketing labels like that are unfalsifiable. We list the actual mechanisms instead, and our Data Processing Agreement names every sub-processor that touches your data.
Wippy is built and operated by its founder — a practicing CPA who runs his own firm on it every day. His own clients' SSNs and returns sit behind exactly the protections described above, so every security decision here is one he made for his own practice first. Security questions get answered by the person who wrote the code.
Want the paperwork?
The legal layer is public and readable before you sign up — no account required, no sales call.