Security

Effective: November 18, 2025

This page gives an overview of security procedures that we follow building Wish.

Payments

We process payments with Stripe, which is certified as a PCI DSS Level 1 service provider, the most stringent level. The PCI DSS version a provider is assessed against changes over time (v3.2.1 has been retired and superseded by v4.x), so consult Stripe's current attestation of compliance for the version in force.

Wish does not process or store any payment information on our servers; card data is handled entirely by Stripe.

Privacy

Wish does not sell your data, and does not share it with third parties other than the service providers needed to operate the platform. You can read more about how we handle your privacy in our privacy policy.

Infrastructure

We host our technical infrastructure and servers on Microsoft Azure, which holds the following attestations: PCI DSS Level 1 service provider, ISO 27001 certification, and SOC 2 Type II. These cover the Azure platform itself; under the shared responsibility model, the secure configuration of the services we run on it remains our responsibility, which the practices below describe.

Our database and application servers are hosted in secure, monitored data centers with restricted physical access.

Development Process

We use both internal and external testing to validate our development process.

Our application code is scanned for vulnerabilities using static (SAST) and dynamic (DAST) analysis. All engineers receive training and guidance on industry best practices for secure development.

We follow secure coding practices including:

  • Regular security code reviews
  • Automated vulnerability scanning
  • Dependency security monitoring
  • Penetration testing

Encryption

Data is encrypted in transit and at rest. Data stored in our database and cache is encrypted at rest using Azure's encryption services.

Cloudflare terminates TLS in front of the Wish platform and API endpoints and sends an HTTP Strict Transport Security (HSTS) header, so browsers that have received the header refuse to connect over plain HTTP. HSTS is a browser policy rather than an encryption mechanism; the encryption itself is TLS.
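Whether HSTS is actually enforced can be verified from the response headers rather than taken on trust. The following check is an added example, not code from this page or from Wish: it parses a Strict-Transport-Security header value per RFC 6797 and flags settings that leave a gap (no header, a short or zero max-age, or missing includeSubDomains/preload, which the browser preload lists require). The header values in SAMPLES are constructed, not captured from getwish.ai.

```python
"""Check a Strict-Transport-Security header value against common hardening
expectations. Added example; sample headers are constructed, not captured."""

from dataclasses import dataclass, field
from typing import List, Optional

# One year in seconds; also the minimum max-age the browser preload list accepts.
ONE_YEAR = 31536000


@dataclass
class HstsResult:
    present: bool
    max_age: Optional[int] = None
    include_subdomains: bool = False
    preload: bool = False
    findings: List[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return self.present and not self.findings


def parse_hsts(value: str) -> HstsResult:
    """Parse directives per RFC 6797 section 6.1: directives are ';'-separated,
    names are case-insensitive, duplicates are invalid, and max-age is required."""
    result = HstsResult(present=True)
    seen = set()
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name in seen:
            result.findings.append(f"duplicate directive '{name}' (invalid per RFC 6797)")
            continue
        seen.add(name)
        if name == "max-age":
            if not arg.isdigit():
                result.findings.append(f"max-age is not a non-negative integer: {arg!r}")
            else:
                result.max_age = int(arg)
        elif name == "includesubdomains":
            result.include_subdomains = True
        elif name == "preload":
            result.preload = True
        # Unknown directives are ignored by browsers; ignore them here too.
    if result.max_age is None:
        result.findings.append("max-age directive missing; browsers ignore the header")
    return result


def check_hsts(value: Optional[str], min_age: int = ONE_YEAR) -> HstsResult:
    """Evaluate the header as a deployment check: an absent header, a short or
    zero max-age, or missing preload-list flags all count as findings."""
    if value is None:
        return HstsResult(present=False, findings=["no Strict-Transport-Security header sent"])
    result = parse_hsts(value)
    if result.max_age is not None:
        if result.max_age == 0:
            result.findings.append("max-age=0 tells browsers to forget the policy")
        elif result.max_age < min_age:
            result.findings.append(f"max-age {result.max_age} below recommended {min_age}")
    if not result.include_subdomains:
        result.findings.append("includeSubDomains missing; subdomains stay reachable over HTTP")
    if not result.preload:
        result.findings.append("preload missing; not eligible for browser preload lists, "
                               "so a user's first visit is unprotected")
    return result


# Constructed sample header values used to exercise the checks.
SAMPLES = {
    "hardened": "max-age=31536000; includeSubDomains; preload",
    "weak": "max-age=3600",
    "disabled": "max-age=0",
    "absent": None,
}

if __name__ == "__main__":
    for label, header in SAMPLES.items():
        r = check_hsts(header)
        print(f"{label}: {'OK' if r.ok else 'FINDINGS'} {r.findings}")
```

In practice the header value is taken from an HTTPS response to the site and to each API hostname separately, since HSTS is scoped per host; a policy set on the apex domain without includeSubDomains says nothing about api subdomains.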

User credentials such as passwords are never stored in plaintext; they are stored as hashes produced by an industry-standard password hashing algorithm. Hashing is one-way, so the original password cannot be recovered from the stored value.

Authentication & Access Control

We implement multiple layers of authentication security:

  • Multi-factor Authentication: Support for email one-time passcodes (OTP) and Sign-In with Ethereum (SIWE, EIP-4361)
  • Session Management: Secure session tokens with automatic expiration
  • Access Controls: Role-based permissions and principle of least privilege
  • Account Security: Password requirements and account lockout protection

Browser Extension Security

Our Chrome extension follows strict security practices:

  • Limited Permissions: Only requests necessary permissions for functionality
  • Secure Communication: All data transmission encrypted via HTTPS
  • Content Isolation: Extension code runs in contexts isolated from the web pages it interacts with
  • Regular Updates: Automatic updates deliver security fixes and vulnerability patches

Incident Response

All engineers are trained in incident response, and our systems monitor the performance and reliability of our servers 24x7.

Engineers participate in an on-call rotation so that incidents are responded to promptly.

Our incident response process includes:

  • Immediate threat assessment and containment
  • User notification for security-related incidents
  • Post-incident analysis and prevention measures
  • Regular incident response drills and training

Data Protection

We implement comprehensive data protection measures:

  • Data Minimization: We only collect data necessary for service functionality
  • Access Logging: All data access is logged and monitored
  • Regular Backups: Encrypted backups with tested recovery procedures
  • Data Retention: Automatic deletion of expired data per our retention policies

Vulnerability Management

We maintain a proactive approach to security vulnerabilities:

  • Bug Bounty Program: Responsible disclosure program through which security researchers can report vulnerabilities (see Contact below)
  • Regular Audits: Third-party security assessments and penetration testing
  • Patch Management: Timely application of security updates and patches
  • Continuous Monitoring: Real-time security monitoring and alerting

SOC Compliance In Progress

We have begun a SOC 2 Type II audit. We will update this page when the audit has been completed and the report is available.

Contact

If you have questions or have found a suspected vulnerability, you can contact us at security@getwish.ai.

Wish AI | The agentic wishlist for gifting