Data & Security

Your emails never leave your building.

Most AI email tools route your messages through servers you don't control. W&S is different: the AI runs on hardware installed at your office. Your emails process locally. Your data stays with you.

How we handle your data

🏢

Your data stays at your office.

The AI automation we install runs on dedicated hardware inside your building. Your emails, your client names, your documents — none of it routes through our servers to reach the AI. It processes locally and stays local.

🔒

We don't store your email.

W&S does not receive, store, or analyze copies of your client communications. When we log in remotely to update your system, we connect to the automation configuration — not to your inbox or its contents.

🔑

You own the credentials.

Every OAuth token, API key, and access credential we configure is issued to you — not to us. If you cancel, you retain access to everything. We don't hold credentials you can't revoke.

📋

Remote access is scoped and logged.

When we connect remotely to update or improve your automation, we use a minimal-permission connection limited to the automation system. We document every remote session in a shared log you can review.

What we can honestly say

We don't make compliance claims we can't back up. Here is the plain-English status of every security posture a prospective client has asked us about.

Claim | Status | What it means
On-premises processing | Live | AI runs on hardware installed at your office. Emails never leave your building.
No W&S data storage | Live | We do not receive or store copies of your client emails or documents.
Credential ownership | Live | You hold all API keys and OAuth tokens. Fully revocable if you cancel.
Remote access logging | Live | Every remote session documented in a log shared with the client.
E&O insurance | In progress | W&S Consulting LLC is in formation. E&O coverage is being procured as part of the formation process.
AICPA SOC 2 | N/A | SOC 2 is a cloud-provider certification. Our on-premises model means your IT or compliance team audits the box directly — there is no W&S cloud infrastructure to certify.
HIPAA | N/A | We do not handle Protected Health Information (PHI). If your firm does, contact us before onboarding — we will scope the engagement appropriately.

Why on-premises changes the security calculus

Cloud AI tools have one vendor controlling your data. You read their privacy policy, accept their terms, and hope for the best when there's a breach. Your data is part of a shared infrastructure someone else manages.

Our on-premises model means the threat surface is your office's physical security — the same threat surface your existing computers already live inside. If you have a breach, it's an IT incident at your firm, not a cloud vendor disclosure.

The tradeoff: you need us to come in person to install and maintain it. That's a feature, not a bug — it means we know exactly what we shipped, and so do you.

Security questions we get

What happens to my email data if I cancel?
Nothing — because we never had it. Your emails process locally on hardware at your office. Cancellation means we stop maintaining the automation. Your data stays exactly where it's always been: with you.
Can W&S read my clients' emails?
No. The AI automation runs at your office, not on our servers. We connect remotely to update configuration files — not to read inbox contents. The access is scoped and logged.
What if someone breaks into the hardware at my office?
Physical security of the hardware is your responsibility — same as any computer at your firm. We recommend standard office security practices (locked rooms, screen locks, disk encryption). The hardware is purpose-built for the automation; it does not contain general business files.
Do you use any third-party AI services?
The automation stack uses large language model APIs for email drafting. Outbound API calls are made from the hardware at your office. We disclose every third-party service in your engagement letter so you can evaluate each vendor. You can request a local-only model configuration that makes no external API calls — contact us for pricing on that configuration.
Is this appropriate for CPA firms with client PII?
Our on-premises model was designed with CPA firms in mind. Client names, TINs, and financial data remain in your office under your control. That said, your firm's data-handling policies govern the engagement — we recommend reviewing our scope with your compliance officer before onboarding.

Still have questions about data handling?

Book a 15-minute call. We'll walk through the exact data flow for your firm's setup — no slides, no disclaimers, just the real architecture.