Security & Compliance
whoot. provides enterprise-grade security with configurable MFA, immutable audit logs, certifiable access reviews, and complete permission auditing.
Multi-Factor Authentication (MFA)
whoot. supports configurable MFA policies per tenant. Choose from three modes:
- Disabled — No MFA requirement (not recommended for production)
- Optional — Users can enable MFA on their own accounts if they choose
- Enforced — All users must set up MFA before accessing the workspace
MFA uses time-based one-time passwords (TOTP) compatible with authenticator apps like Google Authenticator, Authy, and 1Password.
Audit Logging
Every significant action in whoot. is recorded in an immutable audit log. Events include:
- User logins and logouts
- Member invitations and removals
- Role assignments and changes
- Channel creation, modification, and deletion
- Add-on configuration changes
- Billing and subscription changes
- SSO and MFA configuration changes
- Recording and transcription access
- Settings changes
Each log entry includes the actor (who performed the action), the action type, the target resource, a timestamp, and the IP address.
Exporting Audit Logs
Audit logs can be exported for compliance reporting:
- Export as CSV for spreadsheet analysis
- Filter by date range, action type, or actor
- Include all metadata for complete compliance trails
Access Reviews
Periodic access reviews help you verify that every user has appropriate permissions:
- Navigate to Settings → Security → Access Reviews
- Start a new review cycle
- Review each user's role, permissions, and channel assignments
- Approve, modify, or revoke access as needed
- Mark the review as complete — this is logged in the audit trail
Regular access reviews are a key requirement for SOC 2, ISO 27001, and other compliance frameworks.
Data Isolation
Each tenant's data is fully isolated:
- Row-level security (RLS) policies in the database ensure users can only access data belonging to their tenant
- API endpoints validate tenant membership on every request
- Audio streams are routed within tenant boundaries
- Recordings and transcripts are stored per tenant with access controls
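One way the row-level isolation described above can be implemented in PostgreSQL, as an added example rather than whoot.'s own schema; the table name, the whoot_app role and the app.tenant_id setting are assumptions:

```sql
-- Added example, not whoot.'s schema: per-tenant row-level security.
-- Table, role and setting names below are assumptions.
CREATE TABLE channel_messages (
    id         bigserial PRIMARY KEY,
    tenant_id  uuid NOT NULL,
    author_id  uuid NOT NULL,
    body       text NOT NULL,
    created_at timestamptz NOT NULL DEFAULT now()
);

-- Constructed sample rows for two tenants, inserted as the table owner
-- before RLS is switched on.
INSERT INTO channel_messages (tenant_id, author_id, body) VALUES
  ('11111111-1111-1111-1111-111111111111', gen_random_uuid(), 'tenant A message'),
  ('22222222-2222-2222-2222-222222222222', gen_random_uuid(), 'tenant B message');

-- The API connects as a role that neither owns the table nor has BYPASSRLS;
-- table owners and superusers are otherwise exempt from policies.
CREATE ROLE whoot_app NOLOGIN NOBYPASSRLS;
GRANT SELECT, INSERT ON channel_messages TO whoot_app;
GRANT USAGE, SELECT ON SEQUENCE channel_messages_id_seq TO whoot_app;

ALTER TABLE channel_messages ENABLE ROW LEVEL SECURITY;
-- FORCE applies the policies to the owner too, so a connection that is
-- accidentally opened as the owner does not see every tenant's rows.
ALTER TABLE channel_messages FORCE ROW LEVEL SECURITY;

-- The API sets the caller's tenant per transaction (SET LOCAL) after it
-- has validated membership. current_setting(..., true) yields NULL when
-- the variable is unset, so an unset tenant matches no rows instead of
-- failing open. WITH CHECK blocks writes tagged with another tenant's id.
CREATE POLICY tenant_isolation ON channel_messages
    FOR ALL
    TO whoot_app
    USING (tenant_id = current_setting('app.tenant_id', true)::uuid)
    WITH CHECK (tenant_id = current_setting('app.tenant_id', true)::uuid);

-- Check: as the app role scoped to tenant A, the policy filters the
-- SELECT to tenant A's rows and rejects the cross-tenant INSERT.
BEGIN;
SET LOCAL ROLE whoot_app;
SET LOCAL app.tenant_id = '11111111-1111-1111-1111-111111111111';
SELECT body FROM channel_messages;
INSERT INTO channel_messages (tenant_id, author_id, body)
  VALUES ('22222222-2222-2222-2222-222222222222', gen_random_uuid(), 'cross-tenant');
ROLLBACK;
```

The policy only protects connections made as whoot_app; any migration or admin role that owns the table or holds BYPASSRLS must be kept out of the request path.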
Encryption
- In transit — All data is encrypted using TLS 1.2+. WebRTC audio uses DTLS-SRTP encryption.
- At rest — Database and file storage use AES-256 encryption
Data Retention
Configurable retention policies let you control how long data is kept:
- Recordings — Set a retention period per channel (from 30 days to a custom period)
- Transcripts — Follow the same retention as their associated recordings
- Audit logs — Retained for the lifetime of the tenant
- Chat messages — Retained for the lifetime of the channel
Expired data is automatically and permanently deleted.
Compliance Frameworks
whoot.'s security features support compliance with:
- SOC 2 Type II — Audit logging, access reviews, MFA, and encryption
- GDPR — Data isolation, retention policies, and user data controls
- ISO 27001 — Information security management controls
- HIPAA — Encryption, audit trails, and access controls (with BAA)
Next Steps
- SSO Configuration — Set up SAML SSO
- User Roles — Configure granular RBAC
- Tenant Management — Manage workspace settings