One place for your family's records

Wholekin

Security controls

Secure, private, and built for sensitive family records.

Wholekin protects household data with tenant-isolated family workspaces, server-side authentication, database row-level security, Sophisticated Identity and Access Management, private infrastructure boundaries, encrypted storage practices, and disciplined change controls.

Security is part of the architecture
We use managed cloud services, explicit tenant boundaries, database row-level security policies, protected sessions, and quality gates so sensitive records are guarded by design and by process.
Row-level security enforces family boundaries below the application layer.
Identity, permissions, and sessions are treated as control systems.
Private records are not used to train foundation models.
Production infrastructure uses private database boundaries and managed secret storage.

Security at our core

Concrete controls behind the current implementation

Tenant-isolated family workspaces
Wholekin keeps each family's records in its own workspace, with access checked before sensitive data is read, changed, searched, or exported.
  • Family routes bind an active family context before data access.

  • Access decisions consider who is acting, what they are doing, which family owns the record, and which resource is involved.

  • Search, record history, and background processing preserve the same family boundary as normal app workflows.

Database row-level security
Row-level security enforces family boundaries inside the database, adding a final guard beneath application authorization and tenant-aware queries.
  • Row-level security is enabled and forced on family-scoped live records and audit history, so the policies apply even to the database role that owns the tables.

  • The backend binds active family, actor, and trusted-system context into database session state before SQL runs.

  • Missing tenant context fails closed: a session with no bound family sees and writes no rows. Rare cross-family system work goes through an explicit trusted bypass path instead of a relaxed default.
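The pattern the row-level security bullets above describe (enable and force, family context bound into session state before SQL runs, fail-closed default, explicit trusted bypass), written out as an added example in Postgres SQL. This is not Wholekin's schema or code: the page does not name its database engine, so Postgres (whose ENABLE/FORCE ROW LEVEL SECURITY wording the bullets match) is an assumption, and every table, column, setting and function name below (family_records, family_records_history, app.family_id, app.actor_id, app.trusted_bypass, app_current_family, app_trusted_bypass) is an illustration, as are the sample identifiers.

```sql
-- Added example, not Wholekin's schema or code. Postgres is assumed; all
-- table, column, setting and function names are assumptions for illustration.

CREATE TABLE family_records (
    id         bigserial PRIMARY KEY,
    family_id  uuid  NOT NULL,
    payload    jsonb NOT NULL
);

CREATE TABLE family_records_history (
    id          bigserial PRIMARY KEY,
    record_id   bigint NOT NULL,
    family_id   uuid   NOT NULL,
    changed_by  text   NOT NULL,
    changed_at  timestamptz NOT NULL DEFAULT now(),
    old_payload jsonb,
    new_payload jsonb
);

-- ENABLE turns policies on; FORCE makes them apply to the table owner as
-- well, so an application role that owns the tables cannot skip them.
-- Superusers and roles with BYPASSRLS still ignore policies, so the
-- application role must be neither.
ALTER TABLE family_records         ENABLE ROW LEVEL SECURITY;
ALTER TABLE family_records         FORCE  ROW LEVEL SECURITY;
ALTER TABLE family_records_history ENABLE ROW LEVEL SECURITY;
ALTER TABLE family_records_history FORCE  ROW LEVEL SECURITY;

-- The family bound to this session, or NULL when nothing was bound.
-- current_setting(name, true) returns NULL instead of raising when the
-- setting is absent, and "family_id = NULL" is never true, so an unbound
-- session sees and writes no rows: the fail-closed default.
CREATE FUNCTION app_current_family() RETURNS uuid
LANGUAGE sql STABLE AS $$
    SELECT NULLIF(current_setting('app.family_id', true), '')::uuid
$$;

-- Explicit opt-in for rare cross-family system work.
CREATE FUNCTION app_trusted_bypass() RETURNS boolean
LANGUAGE sql STABLE AS $$
    SELECT COALESCE(current_setting('app.trusted_bypass', true), 'off') = 'on'
$$;

-- Live records: reads and writes are limited to the bound family.
CREATE POLICY family_isolation ON family_records
    USING (family_id = app_current_family())
    WITH CHECK (family_id = app_current_family());

-- Audit history: same boundary, but only SELECT and INSERT get a policy.
-- With RLS forced and no policy for them, UPDATE and DELETE see no rows.
CREATE POLICY family_history_read ON family_records_history
    FOR SELECT USING (family_id = app_current_family());
CREATE POLICY family_history_append ON family_records_history
    FOR INSERT WITH CHECK (family_id = app_current_family());

-- Trusted bypass: permissive policies are OR-ed together, so a session that
-- has set app.trusted_bypass = 'on' may cross families. Nothing else may.
CREATE POLICY trusted_system ON family_records
    USING (app_trusted_bypass()) WITH CHECK (app_trusted_bypass());
CREATE POLICY trusted_system_read ON family_records_history
    FOR SELECT USING (app_trusted_bypass());

-- Per-request binding, as a backend would do it. SET LOCAL (or
-- set_config(name, value, true) from parameterised code) scopes the setting
-- to the transaction, so it is discarded at COMMIT/ROLLBACK and cannot leak
-- to the next request through a pooled connection.
BEGIN;
SET LOCAL app.family_id = '3f2d0d9a-1b6e-4a7c-9e25-6f0d8c2a1b44';  -- constructed id
SET LOCAL app.actor_id  = 'auth0|user_123';                        -- constructed id
INSERT INTO family_records (family_id, payload)
    VALUES ('3f2d0d9a-1b6e-4a7c-9e25-6f0d8c2a1b44', '{"kind": "passport"}');
SELECT id, payload FROM family_records;   -- only this family's rows
COMMIT;

-- Unbound session: no context, so no rows and no error.
SELECT count(*) FROM family_records;      -- 0

-- Unbound write: rejected by WITH CHECK rather than silently written.
INSERT INTO family_records (family_id, payload)
    VALUES ('3f2d0d9a-1b6e-4a7c-9e25-6f0d8c2a1b44', '{}');
-- ERROR: new row violates row-level security policy for table "family_records"
```

Two checks worth running against any deployment of this pattern: confirm the application's connection role has neither SUPERUSER nor BYPASSRLS (`SELECT rolsuper, rolbypassrls FROM pg_roles WHERE rolname = current_user`), and confirm that the only code path able to set the bypass flag is the trusted system path, since with permissive policies that flag alone is enough to read every family.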

No model training on your records
Your family's records are not used to train AI models. Whoki only uses them to help you — with you in control.
  • Private family data stays tied to the workspace it belongs to.

  • AI assistance is designed around purpose limitation and clear user intent.

  • Document and record workflows preserve the privacy boundary of the family workspace.

Strong authentication and sessions
Identity, tokens, and browser sessions are handled as security controls, not convenience plumbing.
  • Authentication is delegated to Auth0.

  • The backend validates issuer, audience, and signing material before accepting tokens.

  • Session cookies are signed, HttpOnly, and marked Secure in production.

Sophisticated Identity and Access Management
SIAM gives principals, relatives, staff, and trusted advisors the right level of access without turning every collaborator into an all-access user.
  • Roles separate ownership, administration, membership, contribution, and viewing.

  • Permissions are evaluated against the person, action, family workspace, and record involved.

  • Cedar policy logic supports these decisions behind the scenes, while service safeguards protect critical invariants such as last-owner protection.

Protected infrastructure
Production runs on AWS with private data services, managed secrets, centralized logging, and clear network boundaries.
  • The primary database is not publicly exposed and runs in private isolated subnets.

  • Database credentials are generated and stored in managed secret storage.

  • Storage resources are configured with encryption and blocked public access by default.

Validation and change quality
Security includes the way software changes are introduced and checked before they reach users.
  • Frontend CI requires formatting, typechecking, linting, and a production build.

  • Backend CI runs formatting, static analysis, tests, and strict compilation checks.

  • Container repositories are configured for image scanning on push.

Audit-friendly records
A secure record system needs traceability, validation, and clean operational visibility.
  • Core managed records capture change history.

  • Validated request models protect important data boundaries.

  • Operational logging and container visibility are enabled for the running environment.

GDPR-aware data handling
Wholekin designs for purpose limitation, minimization, access rights, export, deletion, and privacy-aware operations for EU households and advisors.

EU AI Act aware governance
Whoki is built around clear purpose, transparency, and you staying in control of your family's records.

Least privilege
Tenant isolation, database row-level security, SIAM roles, and server-side policy checks keep access tied to explicit people, resources, and actions.

Continue your review

See how the security model supports trust.

The trust page explains our privacy, governance, database isolation, GDPR, and EU AI Act posture in broader terms for families and advisors.