At WMC Technologies, security is a foundational principle. We are committed to protecting the confidentiality, integrity, and availability of the data entrusted to us—especially sensitive personal and medical information. Our multi-layered security approach includes robust encryption, strict access controls, regulatory compliance, and a mature incident response protocol.
This policy outlines our security practices, including encryption standards, authentication measures, data protection protocols, compliance status, and breach response procedures.
All data transmitted between your device and our servers is protected using Extended Validation Secure Sockets Layer (EV SSL) certificates issued by GlobalSign. This provides the highest level of website authentication and includes:
AES 256-bit encryption to protect data during transmission.
SHA-2 hashing to ensure data integrity.
Extended validation, allowing users to verify the legitimacy of our website directly in the browser.
This ensures that all communication—including login credentials, personal information, and health data—is encrypted and secure from interception.
We protect stored data using layered encryption techniques:
Database-Level Encryption: All sensitive databases are encrypted using AES-256 encryption, protecting the entire data store.
Field-Level Encryption: Critical data fields, including medical and identity information, are encrypted at the application level for added protection.
Key Management: Encryption keys are securely stored and managed using an enterprise-grade Key Management System (KMS) with strict access controls.
These practices help ensure data remains secure even if an internal breach or physical compromise occurs.
Two-Factor Authentication (2FA) is required for all administrator and staff accounts.
Planned enhancements include extending 2FA to customer accounts and expanding support for biometric authentication.
Password Security: We enforce minimum password complexity, expiration policies, and lockout mechanisms.
Role-Based Access Control (RBAC) limits system access to authorized users based on their roles.
Principle of Least Privilege ensures that only the minimum necessary permissions are granted.
Session Controls: Auto timeouts and session monitoring help protect against unauthorized access.
Our systems are hosted on cloud platforms with ISO 27001, SOC 2, and GDPR compliance.
Firewall protection, DDoS mitigation, and intrusion detection systems (IDS) are in place.
Regular security updates and patch management are performed on all systems.
We maintain clear, lawful bases for processing data and request user consent where applicable.
Users can exercise their rights to access, correct, or delete their data.
Our data handling policies support data minimization and purpose limitation principles.
For users in relevant jurisdictions, we follow HIPAA-compliant practices for electronic Protected Health Information (ePHI).
Security measures include access logging, encryption, and physical safeguards for protected data.
Compliance efforts are supported by regular internal audits and third-party assessments.
We have a formal Incident Response Plan (IRP) to address data breaches or other security events. Key steps include:
Detection: Continuous monitoring for suspicious activity.
Containment: Immediate isolation of affected systems.
Investigation: Identification of root causes and impacted systems.
Remediation: Fixes applied and systems restored securely.
Notification: Affected users and authorities notified as required (e.g., within 72 hours under GDPR).
Review: A full post-incident review and system updates to prevent recurrence.
We also conduct regular simulations and team training to ensure readiness.
We perform real-time monitoring using Security Information and Event Management (SIEM) tools.
A Web Application Firewall (WAF) protects against common attacks, including SQL injection and cross-site scripting.
We run automated vulnerability scanning of our infrastructure and codebases.
Annual third-party penetration testing ensures independent validation of our defenses.
All employees undergo annual security awareness training, including:
Recognizing and reporting phishing attempts
Secure data handling procedures
Secure software development practices
Developers receive specific training on OWASP Top 10 vulnerabilities and secure coding standards.
We believe in security through transparency. Our Privacy & Security section publicly outlines:
Encryption practices in transit and at rest
Compliance efforts with GDPR and HIPAA
Our breach notification and response protocols
Security controls available to end users
We update this documentation regularly as practices evolve.
If you have questions about our security policies or would like to report a vulnerability, please contact:
Email: [email protected]
Phone: +47 123 456 789