Weelp – Security & Compliance Statement

Last updated: October 2025

At Weelp, safety begins with trust, and trust begins with data protection.
We design every feature, service, and process with a commitment to privacy, encryption, and international compliance.
Our security framework aligns with ISO 27001, GDPR, CCPA, and modern web standards for information integrity and confidentiality.

1. Our Security Philosophy

Weelp’s mission is to make safety information accessible to everyone, without compromising user security.
We believe that privacy and reliability are not optional; they are the foundation of digital confidence.

Our infrastructure is built and maintained with three guiding principles:

  • Transparency: users always know what data is collected and why;

  • Security by Design: protection is built into every layer of the product;

  • Minimalism: only essential, non-invasive data is processed to deliver services effectively.

2. Data Encryption and Storage

All data exchanged with Weelp’s servers is encrypted in transit using HTTPS with TLS 1.3.
Sensitive information (user credentials, authentication tokens, and payment data) is additionally protected through:

  • encryption in transit (TLS) and at rest (AES-256), with encryption keys held under a dedicated key-management process rather than stored alongside the data,

  • salted hashing (SHA-256) of credentials, so that passwords are never stored in plaintext,

  • token-based authentication using signed JSON Web Tokens (JWT).

Data storage and backups are hosted in ISO 27001-certified data centres within the European Union.
Weelp’s infrastructure leverages trusted partners including Squarespace, Supabase, and Mapbox, each compliant with GDPR and major global data protection frameworks.

3. Payment and Transaction Security

All financial transactions (donations or digital purchases) are processed by certified third-party providers such as Stripe, PayPal, or the Apple and Google app stores.
These partners maintain PCI DSS Level 1 compliance, the highest level of payment-card security certification.

Weelp never stores or processes credit card details on its own servers.
Transaction data is encrypted, tokenized, and securely verified by external gateways.

4. Compliance Framework

Weelp operates under the following regulatory and ethical frameworks:

  • GDPR (General Data Protection Regulation – EU)

  • CCPA (California Consumer Privacy Act – US)

  • CNIL guidance (Commission Nationale de l’Informatique et des Libertés, the French data protection authority)

  • European Accessibility Act (EAA)

  • Digital Services Act (DSA) for platform transparency

We review and update our compliance practices quarterly to ensure ongoing alignment with legal and technical requirements.

5. Vulnerability Management and Testing

Security is a continuous process.
Weelp performs regular audits, vulnerability scans, and penetration tests that cover the OWASP Top 10 web application risk categories.
Critical incidents are logged, monitored, and reviewed through internal escalation procedures.

Users and researchers can report any suspected vulnerabilities or data concerns to: support@weelp.app

Each report is evaluated within 72 hours, and appropriate corrective measures are implemented as needed.

6. Access Controls and Internal Security

Access to user data is strictly limited to authorized personnel bound by confidentiality agreements.
We implement the principle of least privilege (PoLP) for all internal operations.
Every access request is logged and reviewed; sensitive administrative actions require multi-factor authentication.

7. Incident Response

In the unlikely event of a data breach or system incident, Weelp has a structured Incident Response Plan (IRP) that includes:

  • immediate containment of affected systems,

  • notification of the competent supervisory authority within 72 hours of becoming aware of a personal-data breach (GDPR Article 33), and of affected users without undue delay where the breach is likely to result in a high risk to their rights (GDPR Article 34),

  • root cause analysis and remediation.

All incidents are documented, analyzed, and reviewed to strengthen future prevention.

8. Backups and Continuity

All operational data is backed up daily and stored in secure, redundant environments.
Weelp’s disaster recovery plan ensures continuity of service in the event of hardware failure, network outage, or natural disaster.
Our systems are monitored 24/7 to ensure high availability and resilience.

9. AI and Automation Ethics

Weelp integrates artificial intelligence responsibly to enhance user experience (e.g., guide recommendations, translation assistance).
All automated systems are transparent, human-supervised, and aligned with EU AI Act principles of fairness, accountability, and non-discrimination.

We do not use AI to make automated decisions that could affect users’ rights or safety.

10. Contact and Compliance Team

For any questions regarding Weelp’s security or compliance framework, please contact:

support@weelp.app
54 Avenue de France, 75013 Paris, France

We value responsible disclosure and work with users, developers, and institutions to maintain the highest possible standards of trust.