Table of Contents
In this edition of The Founder Loop, we discuss how Unwrap approaches data security—end to end.
From infrastructure choices to access controls and encryption, we cover the principles and practices that guide how we keep sensitive information safe. It's a transparent look at the guardrails we’ve built to earn and keep user trust.
When companies give Unwrap access to their data, what do they typically want to know?
Ryan Millner: “The common questions we get are: how is their data going to be used? What geographic region is it stored in? What cloud provider do we use? Is their data used in training future AI models? And, who are the subprocessors that may have access to this data?
All of that's covered in our Security FAQ, in detail.”
What security measures does Unwrap have in place to protect customer information?
Millner: “This is the thing we take most seriously at Unwrap—data security. Because of that, we’ve spent a lot of time making sure we are best-in-class.
We are SOC 2 Type II compliant, which is the industry standard for data security. We undergo regular penetration tests from a third party—meaning we invite third parties to come in and evaluate our security—and we share those reports with customers.
We have constant, always-on vulnerability management, consistently scanning for data vulnerabilities and patching those when necessary. As a result, we're trusted by top public financial institutions, healthcare companies, and companies that have the most sensitive data—all because of the work we’ve put in to earn that trust.”
How does Unwrap ensure compliance with data regulations like GDPR or SOC 2 Type II?
Millner: “Each type of compliance standard has an accreditation system that you have to go through—which we do. We regularly undergo third-party audits and certification processes to maintain compliance.”
How does access control work in Unwrap?
Millner: “We have a pretty granular permission system in Unwrap, which dictates who has access to what data and if they have the ability to edit data in the platform. Someone can have read and write access at every cut of data essentially (like I said, granular). That’s all owned and configured by the admins of a customer’s Unwrap instance.”
What is Unwrap’s approach to transparency around security practices?
Millner: “Again, data security is one of the things we take most seriously at Unwrap. All of our reports from third-party penetration tests, our SOC 2 Type II report, are all readily available upon request.
Usually, we’ll also undergo a security consultation during the POC process. If there are any unanswered questions around how we process data, or you want to get more in the data weeds, we set up a call with our CTO. We’ll walk through all the relevant questions to make sure folks are completely comfortable.”
Security is a big reason companies hesitate to adopt AI tools. How does Unwrap earn that trust?
Millner: “It’s all rooted in what we’ve talked about so far. One way is just checking the boxes that InfoSec teams care about: PII redaction, SOC 2 Type II compliance, GDPR compliance—those are just non-negotiables.
We're transparent and willingly share out all our reports, And finally, we’ve earned the trust of pretty big-deal companies—like Microsoft, Whoop, Oura, and Collective Health. That goes a long way with getting other teams onboard because they know they’re in good hands.”
