Privacy FAQ
1. What types of personal data are collected?
WSO2 services may collect limited personal data such as name, email address, contact details, company information, and usage-related data when users register, access services, or request support.
2. For what purposes is personal data processed?
Personal data is processed strictly for:
- Service delivery and account management
- Customer support and troubleshooting
- Contractual and legal obligations
- Security monitoring and fraud prevention
Data processing is limited to defined purposes in line with data minimization and purpose limitation principles.
4. Where is customer data stored?
Data residency depends on the deployment model:
- Cloud deployments: Data is stored in selected WSO2-managed regions
- Private deployments: Data remains within the customer's infrastructure (cloud/on-premises)
Customers retain control over data location in private deployments.
5. How is personal data protected?
WSO2 implements comprehensive security controls, including:
- Encryption in transit and at rest
- Access control and least privilege
- Secure configuration and deployment practices
- Continuous monitoring and logging
Security is embedded throughout the lifecycle via a Secure Software Development Lifecycle (SSDLC, see https://security.docs.wso2.com/en/latest/security-processes/secure-software-development-process/) and operational controls.
6. Are security and privacy built into WSO2 products?
Yes. Security is integrated into all products through:
- Secure coding practices (static, dynamic, and dependency scanning)
- Regular vulnerability management processes
- Secure deployment guidelines and best practices
7. How are vulnerabilities and incidents handled?
WSO2 maintains formal processes for:
Customers are notified of relevant security incidents in accordance with defined procedures.
8. Does WSO2 share personal data with third parties?
Personal data may be shared with subprocessors only where necessary for service delivery, and always under contractual and security obligations.
9. How long is personal data retained?
Data is retained only for as long as necessary to:
- Fulfill the intended purpose
- Meet contractual obligations
- Comply with legal and regulatory requirements
10. What rights do users have regarding their data?
Users may exercise rights such as:
- Access and correction
- Deletion (where applicable)
- Restriction of processing
Requests are handled in accordance with applicable data protection laws.
11. How does WSO2 ensure compliance with regulations?
WSO2 aligns with global standards and regulations through:
- Security and compliance programs
- Regular audits and risk assessments
- Implementation of privacy and security controls across products and cloud services
12. How can security or privacy concerns be reported?
Security issues can be reported through WSO2's responsible disclosure program, which ensures confidential handling and timely remediation of vulnerabilities.
13. Are WSO2 products secure by default?
WSO2 provides secure-by-design products, supported by:
- Product-level hardening guidelines (e.g., TLS, keystore management, access control)
- Deployment best practices for production environments
14. Does WSO2 monitor and improve security continuously?
Yes. WSO2 continuously improves its security posture through:
- Ongoing monitoring and assessments
- Security advisories and updates
- Community and researcher collaboration for vulnerability disclosure