Writer is a fully cloud-based service. We’re hosted on Google Cloud Platform (GCP). The physical servers are located in GCP US-Central 1 and access to them is managed by Google Identity and Access Management (IAM). Backup data is stored across various GCP US-West sites. You can find more information about GCP’s security practices here, and in their security whitepaper here. No data is stored outside the US.
How we process data
Writer stores the following customer data:
- User login information (which includes PII)
- Terms: Words and phrases customers maintain for special treatment by the platform
- Snippets: Blocks of standard text customers maintain for ease and consistency
- Styleguides: Rules and settings customers maintain for ease and consistency
Writer uses Google’s Cloud Key Management Service for creating, maintaining, and rotating all symmetric and asymmetric encryption keys.
Writer uses Transport Layer Security (TLS 1.2 or better) to protect user data in transit. HTTPS traffic is terminated on Google Cloud Load Balancer after passing through Google Cloud Armor WAF. Certificates and keys are managed directly by the load balancers.
Data stored by Writer is encrypted at rest by GCP with AES 256-bit secret keys.
Writer’s infrastructure is provisioned within an isolated production project on the Google Cloud Platform. The production project runs in a Virtual Private Cloud behind the declaratively-managed Google Cloud Firewall. Administrative access to the production environment is controlled by Google IAM requiring strong passwords, multifactor authentication, and strong end-to-end encryption.
User data privacy
The privacy of stored customer data is fundamental at Writer, and access to it is subject to published (and strict) policies and procedures. All access to our internal administration tools is logged and periodically reviewed. Access to user data is restricted and granted only as required for job function. Any access to user data requires security approval.
Writer employees have company-managed computers with full-disk encryption, lock-screen passwords with low timeouts, and remote wipe enabled. All personal mobile devices that access Writer systems are subject to the same management and security policies. Company systems use a single sign-on system using multi-factor authentication with strong passwords. Only Writer-managed devices (including personal mobile devices) can access our internal systems and other external systems.
Writer has been audited for several privacy and security standards and has received the following certifications:
SOC 2 Type II
Writer undergoes regular Service Organization Controls audits (SOC 2 Type II) performed by an independent third-party auditing firm. You can ask your sales rep or customer success manager for a copy of our latest SOC 2 Type II report, or email [email protected] with your request.
GDPR and CCPA
Writer is in full compliance with the European General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA) provisions.
Writer offers Enterprise customers the option to enter into a data processing agreement where Writer commits to process and safeguard personal data per GDPR requirements. You can download our Data Processing Addendum here.
HIPAA compliance is available on our Enterprise plan. You can ask your sales rep or customer success manager for a signed Business Associate Agreement (BAA). You may also email [email protected] with your request.
Writer maintains PCI compliance, following stringent industry standards for storing, processing, and transmitting credit card information online.
Writer conducts third-party vulnerability audits and security pen tests. The last pen test was conducted in March 2021. You can ask your sales rep or customer success manager for a copy, or email [email protected] with your request.
All production environments require VPN and multifactor authentication. Writer has separate environments for development, testing, and production. All employees go through background checks before employment. All employees go through general security training twice a year, and engineers go through additional security training to gain access to production systems. Access to sensitive systems is on a need-to-know basis, and sensitive admin actions trigger notifications, which are logged and reviewed in real time. Writer has a robust program to detect and respond to incidents, recover service, and maintain business continuity in the event of a disaster. You can ask your sales rep or customer success manager for a copy of our SSDLC documentation, or email [email protected] with your request.
Writer has had an uptime of 99.99% over the past 12 months. Enterprise customers are provided with a 99.99% SLA. We use a microservices architecture to ensure minimal impact on system health in the case of failure of one or more components. You can track Writer’s availability through our status page at status.writer.com, where you can subscribe to updates via email or text message.
Writer has dedicated security personnel who oversee:
- Everything related to security, privacy, access, reliability, and disaster response
- Ongoing risk assessment, vulnerability management, and incident recovery
- Security training for employees, and management of company and employee devices