Trust & Security
Security That Matches the Stakes
A visa platform holds passports, identities, and the travel patterns of entire companies. We designed for that reality from the first commit: encrypted by default, audited everywhere, and honest about where we are on certification.
How It's Built
Controls, Not Adjectives
"Enterprise-grade security" means nothing without specifics. Here is what is actually running.
Encrypted with Per-Customer Keys
Sensitive fields, from passport details to case notes, are encrypted at rest with AES-256-GCM. Each customer gets their own encryption keys, held in a managed key vault and rotated on schedule. One customer's keys can never unlock another customer's data.
Offboarding Means Crypto-Shred
When a customer leaves the platform, their encryption keys are destroyed. Without the keys, the encrypted data is permanently unreadable. Offboarding is a cryptographic guarantee, not a cleanup task on somebody's list.
Access Follows the Role
Sign-in runs through SSO with your identity provider. Inside the platform, six operator roles (admin, account manager, processor, finance, logistics, support) see only what their job requires, and the backend enforces the same checks on every request.
Append-Only Audit Trails
Every change to a case, document, customer, or requirement is recorded with who made it, when, and the field values before and after. Audit entries cannot be edited or deleted. The case timeline itself is an immutable record of every event.
AI Behind the Same Guardrails
Our automation and assistants act through the same permissioned, audited APIs as people. The model is never the security boundary; identity, permissions, and audit are. And the visa knowledge engine stores rules about countries, never data about travelers.
Card Data Stays with Stripe
Client payments are processed by Stripe. Card numbers never touch or rest on Wincora's systems. Government fees paid during automation use controlled single-use cards, each one linked to its case for a clean audit trail.
Straight Answers
The Questions Your Security Team Will Ask
We would rather answer these here than have you dig for them.
Where does our data live?
In regional deployments designed to keep applicant data in its home region. We will be specific about regions and hosting during onboarding, because the honest answer depends on where you operate.
Are you SOC 2 certified?
Not yet, and we will not pretend otherwise. Our SOC 2 audit is scheduled, and the controls it examines (encryption, access control, audit logging, change management) are already running in production. We are happy to walk your security team through them before the report exists.
What about GDPR?
The platform is built for GDPR-conscious operations: encryption at rest, role-limited access, auditable processing, and crypto-shred deletion. Data processing terms are part of every beta agreement.
Can our security team review this properly?
Yes, and we would rather they did. Send us your security questionnaire and we will answer it in writing, including the parts where the answer is "not yet".
Due Diligence Welcome
Send Us Your
Security Questionnaire
We will answer it in writing and put you in front of the people who built the controls, not a sales deck.