Encryption
Files are encrypted on the client before they leave your device using AES-256 in GCM mode. Each file uses a unique per-file key, wrapped with a workspace master key, and finally wrapped with a key derived from the user's credential material. We never have access to the unwrapped keys, which is what we mean when we say "zero-knowledge."
In transit, traffic is protected by TLS 1.3 with modern cipher suites and certificate transparency monitoring. At rest, the underlying storage is again encrypted with AES-256, and the key material is rotated on a regular cadence.
Identity and access
Single sign-on through SAML 2.0 or OpenID Connect ties WIZZ Cloud accounts directly to your identity provider — Okta, Microsoft Entra ID, Google Workspace, JumpCloud, OneLogin, Ping Identity, and any other provider that speaks the standards. SCIM 2.0 user provisioning keeps lifecycle events automatic: new joiners, role changes, and offboarding propagate immediately.
Multi-factor authentication is enforceable per-workspace. We support TOTP (any authenticator app), WebAuthn (security keys and platform authenticators), and SMS as a fallback. Administrators can require MFA for all users, for specific roles, or for risky session contexts only (new device, new geography, new IP).
Permission model
Access in WIZZ Cloud is role-based, with optional attribute-based overrides. The five built-in roles — Viewer, Commenter, Editor, Manager, Admin — cover most teams, but custom roles let you express granular intent: "can read files in /finance, can manage sharing in /finance/quarterly, cannot delete." Permissions are evaluated at every request, never cached client-side.
Network and infrastructure
WIZZ Cloud runs in a hardened, multi-tenant environment with strict network segmentation. The data plane is isolated from the control plane, and customer data is partitioned at the storage layer such that one tenant's bucket cannot be addressed from another's compute context.
Production access requires hardware-bound credentials, MFA, just-in-time elevation through an approval workflow, and is logged to an external immutable store. Approximately three engineers can elevate to production on any given day, and every elevation produces a Slack message visible to the whole engineering organisation.
Compliance and certifications
- SOC 2 Type II (annual, scope covers Security, Availability, and Confidentiality)
- ISO/IEC 27001:2022 (information security management system)
- ISO/IEC 27017:2015 (cloud-specific controls)
- ISO/IEC 27018:2019 (personal data in public clouds)
- GDPR — full Data Processing Addendum and Standard Contractual Clauses available
- TISAX (for customers in the automotive supply chain)
Audit reports and certificates are available to customers and prospects under NDA via our Trust Centre.
Data residency
Customers can choose where their primary data is stored. WIZZ Cloud operates regions in Frankfurt (Germany), Amsterdam (Netherlands), Dublin (Ireland), and Stockholm (Sweden), with additional regions in London, Paris and Madrid scheduled to open in the next twelve months. EU-only customers can pin all primary and replica storage to EU regions, and we never replicate metadata to non-EU regions for those workspaces.
Incident response
Our incident response process is exercised at least quarterly with tabletop drills and at least twice a year with live game-day exercises. Customer-impacting incidents are communicated through the status page within 30 minutes of detection, and detailed post-incident reports are published within five business days. Enterprise customers receive direct outreach from a named incident commander.
Responsible disclosure
If you believe you have found a security vulnerability in WIZZ Cloud, we want to hear about it. Please send details to security@wizzair.cloud — encrypted with our PGP key if possible. Researchers acting in good faith are welcome under our safe-harbour policy, and we run a private bounty programme with hardware-key-backed identity for participating researchers.