Security That Matches the Stakes

A visa platform holds passports, identities, and the travel patterns of entire companies. We designed for that reality from the first commit: encrypted by default, audited everywhere, and honest about where we are on certification.

Controls, Not Adjectives

"Enterprise-grade security" means nothing without specifics. Here is what is actually running.

Encrypted with Per-Customer Keys

Sensitive fields, from passport details to case notes, are encrypted at rest with AES-256-GCM. Each customer gets their own encryption keys, held in a managed key vault and rotated on schedule. One customer's keys can never unlock another customer's data.

Offboarding Means Crypto-Shred

When a customer leaves the platform, their encryption keys are destroyed. Without the keys, the encrypted data is permanently unreadable. Offboarding is a cryptographic guarantee, not a cleanup task on somebody's list.

Access Follows the Role

Sign-in runs through SSO with your identity provider. Inside the platform, six operator roles (admin, account manager, processor, finance, logistics, support) see only what their job requires, and the backend enforces the same checks on every request.

Append-Only Audit Trails

Every change to a case, document, customer, or requirement is recorded with who made it, when, and the field values before and after. Audit entries cannot be edited or deleted. The case timeline itself is an immutable record of every event.

AI Behind the Same Guardrails

Our automation and assistants act through the same permissioned, audited APIs as people. The model is never the security boundary; identity, permissions, and audit are. And the visa knowledge engine stores rules about countries, never data about travelers.

Card Data Stays with Stripe

Client payments are processed by Stripe. Card numbers never touch or rest on Wincora's systems. Government fees paid during automation use controlled single-use cards, each one linked to its case for a clean audit trail.

The Questions Your Security Team Will Ask

We would rather answer these here than have you dig for them.

Where does our data live?

In regional deployments designed to keep applicant data in its home region. We will be specific about regions and hosting during onboarding, because the honest answer depends on where you operate.

Are you SOC 2 certified?

Not yet, and we will not pretend otherwise. Our SOC 2 audit is scheduled, and the controls it examines (encryption, access control, audit logging, change management) are already running in production. We are happy to walk your security team through them before the report exists.

What about GDPR?

The platform is built for GDPR-conscious operations: encryption at rest, role-limited access, auditable processing, and crypto-shred deletion. Data processing terms are part of every beta agreement.

Can our security team review this properly?

Yes, and we would rather they did. Send us your security questionnaire and we will answer it in writing, including the parts where the answer is "not yet".

Send Us Your Security Questionnaire

We will answer it in writing and put you in front of the people who built the controls, not a sales deck.