Security, Privacy & Compliance Overview.

At Wundo, we believe that trust is built through transparency and responsibility.

Our Security, Privacy & Compliance document outlines how we protect data, ensure secure operations, and align with European regulations such as the GDPR and the AI Act.

Security

Wundo applies appropriate technical and organizational measures to protect all personal data processed within the platform and related services, in accordance with applicable data protection legislation.

1. Encryption

  • In transit: All personal data is encrypted using TLS 1.2 or higher during transmission.

  • At rest: All personal data is encrypted using AES-256 or an equivalent standard when stored in databases and file systems.

2. Access Control

  • Access to customer data is restricted to authorized employees who require it to perform their job responsibilities.

  • Access rights are managed following a role-based access principle and reviewed on a regular basis.

  • Multi-Factor Authentication (MFA) is being rolled out for employees with access to sensitive systems.

  • All personnel with such access are bound by confidentiality obligations.

  • For end-user access, Wundo can work via white-listing (e.g., an MS Teams group or a white-listed phone number list).

3. Monitoring and Safeguards

  • Systems are continuously monitored for unusual or unauthorized activities.

  • Access and key system events are logged to support security oversight and traceability.

  • Wundo reviews its security practices periodically and updates its safeguards as necessary to maintain appropriate protection.

4. Backup and Continuity

  • Customer data is securely backed up to support service continuity.

  • Backups are encrypted and retained for a limited period in line with Wundo’s data retention policy. Access logs and backups may be stored for up to six (6) months for security and compliance purposes.

  • Technical and organizational procedures are in place to support data recovery in case of an incident.

5. Incident and Breach Response

  • Wundo has established procedures to detect, investigate, and respond to potential security incidents or data breaches.

  • Wundo will notify the Controller within 48 hours of becoming aware of a breach.

  • Where required, the Controller will notify the relevant supervisory authority within 72 hours and, if applicable, affected data subjects.

Privacy

Wundo is committed to protecting the privacy of all users and customers. Our approach to data protection is based on transparency, minimal data use, and full compliance with the EU General Data Protection Regulation (GDPR).

1. Personal Data We Process

Wundo only processes the personal data necessary to deliver and improve the platform and related services.

This may include:

  • Identification data: name, email address, and (for WhatsApp users) mobile phone number.

  • Professional data: company name and role (if applicable).

  • Usage and interaction data: login details, session duration, functions used, messages or cues exchanged with Wundo, learning progress, and user preferences.

  • Technical data: device type, IP address, browser language, and error or performance logs.

  • Integration data: limited contextual information from tools such as Microsoft Teams and WhatsApp, when customers choose to connect them.

Wundo does not collect sensitive data (such as racial or ethnic origin, health data, political or religious beliefs).

2. Purpose of Processing

Personal data is processed to:

  • Create and manage user accounts.

  • Provide personalized leadership insights, learning cues, and AI-based recommendations.

  • Ensure platform functionality, reliability, and support.

  • Analyze anonymized usage trends to improve the product.

  • Prevent misuse and maintain system security.

  • Comply with applicable legal obligations.

3. Lawful Bases for Processing

Processing activities are based on one or more lawful bases under the GDPR:

  • Performance of a contract – providing access to and use of the Wundo platform.

  • Legitimate interests – maintaining and improving the service, ensuring security, and contacting users with relevant updates.

  • Legal obligations – retaining or sharing data when required by law.

  • Consent – when users opt in for communications, demos, or specific features. Where consent is used, it is freely given, specific, informed, and unambiguous, and can be withdrawn at any time.

4. Automated and AI-Based Processing

Wundo uses AI models to personalize learning cues and leadership insights.

These automated processes are monitored by humans, limited to the scope of the service, and do not produce legal or similarly significant effects on users.

5. Data Retention

Personal data is retained for up to six (6) months after the end of a customer or user relationship, unless a longer period is required for legal, compliance, or technical reasons (e.g. log or backup retention).

Anonymized or aggregated data used for analytics or product improvement may be retained beyond this period without identifying individuals.

6. Data Minimization and Sharing

Wundo applies strict data minimization principles. Only data necessary for service delivery is collected and stored. Personal data is never sold or shared with third parties for their own marketing or commercial purposes.

7. Sub-Processors and Data Transfers

To operate the platform, Wundo relies on trusted technology partners that process data securely within the EU or under equivalent safeguards. See the next section ‘Subprocessors’ for an overview.

Data may, in limited cases, be processed outside the EEA, always under Standard Contractual Clauses (SCCs) and equivalent protection measures.

8. Data Subject Rights

Under Articles 15–22 of the GDPR, individuals have the right to:

  • Access their personal data.

  • Request correction or deletion.

  • Restrict or object to certain processing activities.

  • Obtain their data in a portable format.

  • Object to direct marketing or automated profiling at any time.

Requests can be submitted to privacy@wundo.ai.

Wundo will respond without undue delay, typically within 30 days.

9. Consent and Withdrawal

Where processing is based on consent (for example, demos or communications), users can withdraw it at any time by contacting Wundo via the above address. After withdrawal, related processing will stop promptly.

10. Use of Anonymized Data

Wundo may analyze anonymized or aggregated usage data to improve product features, optimize AI accuracy, and enhance the overall user experience. This analysis is conducted in a way that ensures no user can be personally identified.

Subprocessors

Wundo selects subprocessors based on strict security, privacy, and compliance criteria. An overview of the subprocessors can be found via our Subprocessors page.

AI Act Alignment

Wundo is designed and operated in accordance with the principles of the EU Artificial Intelligence Act (AI Act). While Wundo does not qualify as a “high-risk AI system” under Article 6 and Annex III of the AI Act, Wundo voluntarily applies proportional safeguards consistent with the Act’s intent to ensure transparency, accountability, and safety.

1. Intended purpose & Classification

Wundo is an assistive, conversational AI platform focused on leadership learning and reflection. It does not autonomously make or enforce decisions that have legal or similarly significant effects on individuals and is intended solely for developmental and informational purposes. Accordingly, Wundo is considered a “limited-risk AI system” under the AI Act framework.

2. Voluntary compliance principles

Wundo adopts the following practices, aligned with Articles 9–15 of the AI Act:

  • Transparency (Art. 13): Users are clearly informed when they interact with Wundo’s AI assistant. Wundo explains its purpose, scope, and limitations within the interface and documentation.

  • Human oversight (Art. 14): All AI-generated insights are advisory. Users retain full control over decisions and may ignore or modify AI suggestions at any time.

  • Data governance (Art. 10): Wundo uses only customer-provided learning material and user inputs. No external scraping or sensitive data is processed. Training data is curated and reviewed for relevance and accuracy.

  • Risk management (Art. 9): Potential risks such as misuse or bias are periodically assessed. Logs and anonymized metrics are reviewed to ensure safe operation and improve quality.

  • Record-keeping and traceability (Art. 12): Interaction logs and system metrics are retained for up to 90 days for debugging, bias detection, and misuse monitoring, after which they are pseudonymized or deleted.

  • Security (Art. 15): Encryption (TLS 1.2+, AES-256), access control, and monitoring ensure resilience and protection against unauthorized access or manipulation.

  • Accuracy and robustness (Art. 15): Wundo validates prompts and output logic to maintain relevance and reliability. Fail-safes and human moderation procedures are in place to detect anomalies.

3. Cooperation and proportionality

Wundo cooperates reasonably with customers and regulatory authorities in the event of legitimate information or audit requests related to Wundo’s AI functionality, in a manner proportionate to its role and risk classification.

Architecture

A diagram of the Wundo technical architecture can be shared upon request, via privacy@wundo.ai.

Other relevant information

  • Wundo focuses on leadership development and coaching, not on evaluation. This distinction is important for our customers, our users, and also in light of the EU AI Act.

  • Wundo uses OpenAI as the underlying large language model (LLM). The input provided by the customer and its users cannot be used by OpenAI to train or improve their models. This restriction has been contractually agreed upon.

  • Wundo currently integrates with WhatsApp and Microsoft Teams, and the platform is powered by the training material shared within those environments. There are currently no further integrations with internal OAuth, CRM/HR systems, calendars, or APIs. This is an important factor in assessing the overall risk exposure of the solution.

Compliance roadmap

Wundo takes a proactive approach to compliance and security.

To date, we have:

  • Ensured GDPR compliance in line with EU data protection requirements.

  • Implemented core security and privacy best practices.

  • Developed and maintained documentation.

As part of our ongoing roadmap, from Q4 2025 onwards we are:

  • Introducing continuous security monitoring (e.g. via Aikido) to detect and remediate vulnerabilities in real time.

  • Implementing continuous compliance tooling (e.g. via Vanta) to streamline audits and ensure ongoing alignment with privacy and security standards.

  • Preparing to launch the ISO 27001 certification process in Q4 2025, reinforcing our long-term commitment to information security management.

Version October 16, 2025.