Security & Trust

Built with least-privilege by default

WISPWolf is compliance readiness software. We've designed it so that as little of your data as possible is ever in our system, and none of your clients' tax data ever is.

Least-privilege data collection

We collect only what we need to generate and maintain your WISP: name, business email, firm details, and questionnaire answers. We do not collect tax returns, taxpayer files, or client documents.

No passwords or client files

WISPWolf never asks you to upload passwords, client taxpayer information, or sensitive financial documents. Forms on this site are limited to compliance metadata.

Encryption in transit

All traffic to WISPWolf is served over TLS 1.2+. Application data in our managed database is encrypted at rest by our infrastructure provider.

Read-only Microsoft 365 integration (planned)

Our forthcoming M365 integration will use read-only Microsoft Graph scopes to verify controls such as MFA, conditional access, and encryption. We never request write permissions to your tenant.

Audit logging & roadmap

Account activity is logged for security review. Detailed customer-facing audit logs, SSO, and SOC 2 attestation are on our roadmap.

Honest disclaimer: Security is a continuously evolving discipline. WISPWolf does not claim to be invulnerable. We work to follow industry best practices, and we will publish material changes to our security posture as they happen.

Responsible disclosure

If you believe you've found a security issue in WISPWolf, please email security@wispwolf.com. We'll acknowledge within two business days and work with you in good faith to resolve it. Please do not publicly disclose the issue until we've had a reasonable opportunity to fix it.