Security

How War Room handles your data.

A short, plain-language summary. For a long-form security questionnaire, request the document at security@twinflamegroup.com.

Encryption — at rest

AES-256 across all primary data stores. Database encryption keys rotated quarterly via the platform's KMS. Backups are encrypted with the same standard.

Encryption — in transit

TLS 1.3 for every public endpoint. HSTS preload. Internal service-to-service traffic is mTLS.

Data isolation

Each customer vertical runs in a logically isolated tenant. Enterprise customers can opt into dedicated infrastructure on request.

Authentication

Email + magic link or SSO (SAML / OIDC) for all dashboards. MCP/voice access is scoped per-user, per-vertical, with revocable tokens.

Access control

Role-based access at the user level. Audit log of every read and write. The audit log is itself append-only and externally archived.

AI / LLM data handling

Model calls go through Anthropic's API with zero-retention enterprise terms. No customer data is used to train any model. Prompts are logged for debugging and retained for 30 days, then purged.

SOC 2 Type II

In progress. Targeting completion within 90 days of public launch. We will provide the report under NDA to qualified enterprise prospects.

BAA availability

Available for enterprise customers in healthcare verticals on request.

Subprocessors

Anthropic (LLM inference) · Stripe (payments) · Supabase (primary database) · Resend / Gmail (email send) · Netlify (edge hosting). Full list updated on this page when subprocessors change.

Vulnerability disclosure

Responsible disclosure welcomed at security@twinflamegroup.com. We acknowledge within 48 hours and patch within agreed timelines.

Last updated: April 2026. We will note future updates inline on this page.