Pre-launch · target architecture

WinsAbove is in active development and is not yet processing customer CRM data in production. The controls described below are the security architecture we are building toward. None are operational at production scale today, and we hold no third-party security attestations (SOC 2, ISO 27001, etc.). Email security@winsabove.com if you are evaluating WinsAbove as a design partner.

Designed to be a low-trust integration

We will be handling sensitive career and revenue data. The architecture below describes how we plan to handle it — read-only, minimal, encrypted, and not for resale.

Compliance posture

No certifications today

WinsAbove is pre-launch and holds no SOC 2, ISO 27001, or other third-party security attestations. SOC 2 Type II is a future objective. Buyers requiring an attestation today should treat WinsAbove as pre-attestation and evaluate on architecture and product fit instead.

GDPR & CCPA — design intent

The platform is being designed to align with GDPR and CCPA principles: data minimization, read-only processing, no sale of personal information, and data export or deletion on request. Compliance posture will be formalized prior to general availability. Reach the team at privacy@winsabove.com.

Technical architecture

Items marked live reflect the current hosting setup. Items marked planned are target controls that are not yet operational.

Live

TLS 1.3 in transit

HTTPS termination is provided by Cloudflare, which negotiates TLS 1.3 by default for the marketing site and any future API endpoints.

Live

Cloudflare WAF + DDoS

Cloudflare WAF and DDoS protection sit in front of every request. Production secrets are stored as Cloudflare Worker secrets, not in source.

Planned

Encrypted at rest

The customer data store is not yet provisioned. Once shipped, customer data will be stored on Cloudflare D1 / R2 / KV, which encrypt at rest by default.

Data access — design intent

The CRM integration is in development and not yet operational. The principles below are how the integration is being designed.

Read-only OAuth scopes

The planned integration uses merge.dev to negotiate read-only OAuth with Salesforce or HubSpot. The intended scope does not permit modifying, deleting, or writing to your CRM records.

Minimal data collection

WinsAbove will verify your stats using metadata (timestamps, deal values, owner IDs). It will not store the content of emails or notes in your CRM.

No data reselling, ever

WinsAbove is not a data broker. Customer lists, contact info, and performance data will not be sold to third parties or used to train third-party AI models.