Skip to main content

Security & Confidentiality

Elie Mietkiewicz avatar
Written by Elie Mietkiewicz
Updated this week

Operations Security Overview

The infrastructure used by Wonda is hosted on Google Cloud Platform (GCP), where we utilize managed cloud services for our application’s needs (for example: Google Cloud SQL for databases, Google Cloud Storage for file storage). Since these are managed services, they inherently benefit from the security measures implemented by those providers. Google Cloud’s data centers have extensive security controls (perimeter security, biometric access controls, redundancy, etc.), and Google regularly undergoes security audits and certifications. We inherit these protections by running on GCP. For more details, see Google Cloud Security Terms.

From an application perspective, we implement additional security measures on top of GCP’s baseline:

  • Environment Separation: Testing and development environments are separated from the production environment to prevent test code or data from affecting real users. Access keys and credentials are different for each environment.

  • Patching and Updates: We keep our servers and dependencies updated. Because we use managed services (e.g., App Engine, Cloud Functions), many infrastructure patches are handled by Google automatically. Our team focuses on promptly applying updates for the application code and any third-party libraries.

  • Monitoring: We employ monitoring services to track the health and performance of the Wonda Platform. Unusual activity, such as spikes in errors or unusual network traffic, triggers alerts for our engineering team to investigate potential security issues.

What kind of privacy and security policy do you provide for my projects?

For data transfers, Wonda uses modern security protocols. All uploads and downloads of content between your device and Wonda’s servers are done over HTTPS (TLS encryption). This means that when you upload videos, images, or any data to Wonda, that data is encrypted in transit so no one can intercept it.

Our system generates a time-limited, unique signed URL for each upload/download action. This signed URL ensures that only someone with the exact URL (which includes a secure token) can perform that upload or download, and it expires after a short period. This protects your media content: even if someone somehow obtained an old link, it would no longer work after expiration.

All experiences and simulations you create in Wonda are private by default.

They are not listed publicly anywhere. Similar to an “unlisted” YouTube video, an experience is only accessible to people with whom you share its unique link or QR code:

  • If you do not share the link or QR code of your project, then nobody else can access it. Wonda will not index or publish your private projects.

  • If you do share the link (or embed the experience somewhere), anyone with that link can view the experience, unless you’ve applied additional restrictions (see below).


For additional security, Wonda allows you to restrict access to your experiences to specific users or groups:

  • Organization-Only Access: You can set an experience so that only logged-in users who are members of your organization’s Wonda workspace (your Hub) can access it. If someone outside tries to use the link, they will be denied.

  • SSO (Single Sign-On): Wonda supports SSO integration. If enabled, only users authenticated through your organization’s identity provider can access the Wonda environment. This means the experience link will prompt users to log in via your corporate login. Unauthorized users can’t get in without valid company credentials.

  • LTI Integration: If using Wonda through a Learning Management System (via LTI), access to the simulation can be limited to those coming through the LMS. Students click a link in the LMS and are seamlessly logged into Wonda – others who don’t go through the LMS cannot access that simulation.

  • Invite-Only Spaces: Within Wonda, you can invite specific individuals by email to join a particular collaborative space or project. Only those invited (and logged in) can see the content of that space.


In summary, we provide multiple layers – link security, domain authentication, SSO, LTI, invite-only – to ensure that you control exactly who can access your Wonda projects. We encourage project creators to utilize these features, especially for sensitive content, to enforce confidentiality.

How does Wonda use AI features, and how is my data handled when using them?

Wonda offers certain features powered by artificial intelligence (AI) services to enhance the learning experience (for example, automatic speech-to-text transcription of a user’s spoken answer, or AI-generated feedback and evaluation of learner’s performance within the simulation).

We integrate with specialized third-party AI providers to deliver these features securely. Here are the key points of our AI usage and the data privacy measures in place:

  • Third-Party AI Services Used: Wonda currently utilizes OpenAI's LLMs for text-based AI functions (e.g., the GPT-4 model for generating conversational responses or evaluating answers, and the Whisper model for transcribing audio to text) and ElevenLabs for voice generation (converting text to a natural-sounding voice audio).

    These AI platforms act as subprocessors for Wonda specifically for AI-related functionality. We include them in our Subprocessors list (see the list of “Subprocessors”) for full transparency.

  • Data Minimization with AI: When an AI feature is used, we send only the necessary data to the AI provider. We do not send any personal identifiers like the learner’s full name, email, or other profile info.

    For instance, if a learner’s spoken answer is being transcribed, we send the audio clip but not the learner’s identity. If an answer text is being evaluated by the LLM, we send the answer and necessary context (like the question text or scoring rubric), but no info about the person who wrote it. We design the API calls to the LLM to focus on the task (e.g., “Provide feedback on this answer: ...”) without including unrelated personal data.

  • AI Providers’ Use of Data: The third-party AI providers process our requests and send back results, but do not use our users’ data to train their models. OpenAI’s policy for its paid API service (which we use) is not to utilize API data for training by default, and our contract with them reinforces this. ElevenLabs similarly does not retain or learn from the content we send through their API.

    This means that, for example, a paragraph a learner wrote and which is sent to the LLM for feedback will not appear in future LLM outputs to other users, and it isn’t added to OpenAI’s training set.

  • Transient Processing: Data sent to the AI providers is handled on-the-fly. OpenAI and ElevenLabs process the input and return the result to the Wonda platform in real time. They do not store the input or output on their side beyond the short time needed to perform the operation.

    Within the Wonda platform, the outputs generated by the AI providers (transcriptions, feedback text, generated audio) are stored as part of the learning session records (so that, for instance, a teacher can review what feedback was given to a student, or a student can playback the generated voice response). The original inputs to the AI (like the audio file or text snippet) are typically already part of the simulation record in Wonda, but they are not separately stored by the AI providers. If needed, an organization can request deletion of AI-generated content in line with data deletion policies.

  • Human Oversight: AI features in Wonda are tools to assist educators, instructors, managers and learners, not to replace them. Whenever AI generates an evaluation or feedback, instructors have the ability to review and override it. For instance, an instructor can see the AI-generated feedback on a dashboard and choose to modify or annotate it before it’s shared with the learner (or turn off AI feedback for certain questions altogether).

  • Compliance and Legal Considerations: We have taken legal steps to ensure AI usage is compliant with privacy regulations and put a Data Processing Addendum in place with OpenAI and ElevenLabs. Also, because these AI services may operate on servers in the United States, we are in the process of incorporating the EU Standard Contractual Clauses into our agreements with them to lawfully cover cross-border data transfer.

    In the future, as mentioned in our roadmap, we are exploring EU-hosted AI solutions to offer an option with no transatlantic data flow.

  • Security of AI Requests: All communications with the AI provider APIs are encrypted (HTTPS). API keys used to authenticate to these services are stored securely in our system and are not exposed to end-users.

    Only our servers can call the AI APIs using those keys. We also implement rate limiting and logging for these calls. Logs of AI API usage do not contain the actual user input text or audio; they might contain metadata like “Generated feedback for question ID X at time Y.” The content itself is stored on our side as part of the simulation record (under the same protections as the rest of your content).

In summary, the Wonda platform’s use of AI is designed to boost learning outcomes while respecting privacy and security.

We understand that AI in education/training is a new area that invites scrutiny. We remain committed to transparency (we can provide documentation on how AI is used in the Wonda platform) and to giving our clients control (features can be toggled, and data can be deleted or retained according to your policies).

If you have further questions about AI usage, we’re happy to discuss and even tailor the configuration to meet your organization’s needs.

Information systems access control policy

At Wonda, we don’t maintain our own physical data centers; instead, we leverage infrastructure from cloud providers like Google Cloud Platform (GCP) which adhere to high security standards. Our entire platform is hosted on GCP, which provides robust built-in access control mechanisms.

We utilize GCP’s identity and access management features so that only authorized engineers and services can access production systems.

Some key aspects of our access control:

  • Principle of Least Privilege: Administrative access to cloud resources is limited to a few senior engineers. Each team member is given the minimum level of access required for their role.

  • Account Management: We use centralized account management for our cloud services. As described in Accounts Management, when a team member leaves or no longer needs access, their accounts and keys are promptly revoked. This includes revoking any API keys or access tokens that were assigned to them.

Additionally, GCP’s environment offers features such as:

  • Multi-factor authentication for admin accounts.

  • The ability to immediately revoke credentials or shut down access if a security concern is detected.

  • Network-level firewalls and security groups that restrict access to our databases and servers to only the necessary components.

By relying on GCP and similar providers, Wonda ensures that our infrastructure benefits from world-class physical security and access management practices (as documented in the Google Cloud Security Terms).

Accounts management

At Wonda, employee accounts are managed by a designated administrator (usually the most senior person responsible for the service within the company).

When a new employee joins the company, an enterprise Google Workspace (formerly Google Apps for Business) email account is created for them by an administrator. All other necessary service accounts (for Wonda and related tools) are then created using that company email address.

When an employee leaves the company, their access to Google Workspace is revoked, and then the administrator revokes their accounts in all other services (including their Wonda account and any related developer or support accounts). This off-boarding process ensures the former employee can no longer access any company data or systems via Wonda. When an administrator leaves, a new admin is appointed, and then the departing admin’s account is similarly revoked to maintain continuous oversight. These procedures help enforce a strict access control policy for all our internal accounts.

Password management program

We use Dashlane to securely manage our passwords.

Dashlane is an enterprise-level password manager that enables employees to:

  • Generate unique strong passwords for each site or service

  • Easily use these passwords when required in order to reduce the friction to adopt strong passwords (dedicated mobile apps, auto-login and auto-fill features, …)

  • Separate personal and work accounts and passwords

Dashlane also offers a range of features that improve the security at the company level:

  • Remote deprovisioning of employees accounts when they leave the company

  • Sharing passwords securely between team members with the possibility to revoke them

  • Monitor the team security score with tips on how to improve it

By using a password manager, we greatly reduce the likelihood of weak passwords or password reuse compromising our systems. This is an important part of Wonda’s defense-in-depth strategy for security.

Did this answer your question?