WHIG

Security

How WHIG protects what you own

For the technically minded. Plain language, no hand-waving.

The short version

Below is the honest, detailed version, including the one window where the video is readable, because we would rather tell you than have you find out.

How your walkthrough flows

  1. You record. The walkthrough is captured on your phone and uploaded over an encrypted connection (TLS).
  2. We process, in isolation. To turn video and speech into an inventory, the pipeline has to read the walkthrough. This happens in an isolated processing environment, not in our database, and the files exist only for as long as processing takes. This is the one window where the content is readable. We are explicit about it because a claim that we “never see anything” would be untrue.
  3. You receive. Your inventory is encrypted on your device and delivered to your own storage (Google Drive, iCloud, your device, or your own S3).
  4. We delete. The video and every derived working file are deleted as soon as your inventory is delivered, within the hour. A storage lifecycle rule hard-deletes anything missed within 24 hours, even if processing fails.

Encryption and keys

Your inventory is encrypted on-device with a 256-bit key (AES-256-GCM). That key is generated on your phone, protected by your device and Face ID, and is never transmitted to WHIG. We do not hold it and cannot derive it, so we cannot decrypt your inventory.

Recovery works from a passphrase only you know (a PBKDF2-derived key wrapping your inventory key). If you lose both your device and your passphrase, not even WHIG can recover your inventory. That is the trade-off of real privacy, and it is deliberate.

What is on our servers, and what is never on them

Our database (Supabase) holds only the minimum needed to run the service:

It never holds item names, brands, model numbers, individual values, your transcript, or images of your items. By design, our database physically cannot contain a description of what you own. If WHIG were breached, the exposed data would be room labels and hashes, nothing that reconstructs your home.

The Evidence Package seal

As your walkthrough is processed, each step produces a SHA-256 hash of its output. Each hash is signed at the time it happens with an asymmetric key (ECDSA, NIST P-256) whose private half lives in AWS KMS and is never exported. The result is a chain of signed, timestamped fingerprints: a tamper-evident record of when your inventory was produced and that it has not been altered since.

The Evidence Package carries these signatures, so the seal can be verified independently of WHIG, by you or by an assessor. Paste your package’s inventory.json at whig.app/verify to check every signature against our published public key, right in your browser. Nothing is uploaded.
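To make the seal concrete, here is an added example (not WHIG's code, and not the real inventory.json layout) of a chain of ECDSA P-256 signatures over SHA-256 hashes being checked with only a public key. The record fields, the link from each record to the previous one, and the locally generated key standing in for the KMS-held key are all assumptions made for illustration.

```javascript
// Added illustration. Record fields and the prev link are assumptions, not WHIG's format.
const crypto = require('node:crypto');

const sha256 = (data) => crypto.createHash('sha256').update(data).digest('hex');

// Exact bytes that are signed for one step. Fixed field order keeps verification deterministic.
const signedBytes = (r) => Buffer.from([r.step, r.timestamp, r.outputHash, r.prev].join('\n'));

// Signer side. In the described design the private key stays inside a KMS;
// here a locally generated P-256 key stands in for it.
function sealStep(chain, step, timestamp, output, privateKey) {
  const prev = chain.length ? sha256(signedBytes(chain[chain.length - 1])) : '';
  const rec = { step, timestamp, outputHash: sha256(output), prev };
  rec.signature = crypto.sign('sha256', signedBytes(rec), privateKey).toString('base64');
  return [...chain, rec];
}

// Verifier side: needs only the public key and the package contents.
// Returns the index of the first record that fails, or -1 if the whole chain holds.
function firstBadRecord(chain, outputs, publicKey) {
  let prev = '';
  for (let i = 0; i < chain.length; i++) {
    const r = chain[i];
    const sig = Buffer.from(r.signature, 'base64');
    const sigOk = crypto.verify('sha256', signedBytes(r), publicKey, sig);
    const linkOk = r.prev === prev;                        // no record dropped or reordered
    const hashOk = r.outputHash === sha256(outputs[i]);    // output unchanged since signing
    if (!sigOk || !linkOk || !hashOk) return i;
    prev = sha256(signedBytes(r));
  }
  return -1;
}

// Constructed sample data: three processing steps and their outputs.
const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
const outputs = ['step-one output', 'step-two output', '{"rooms":["kitchen"]}'];
let chain = [];
outputs.forEach((out, i) => {
  chain = sealStep(chain, `step-${i + 1}`, `2024-01-01T10:0${i}:00Z`, out, privateKey);
});

console.log(firstBadRecord(chain, outputs, publicKey));                        // intact chain
console.log(firstBadRecord(chain, [outputs[0], 'edited', outputs[2]], publicKey)); // edited output
```

Because the timestamp and the previous record's hash are inside the signed bytes, backdating a step or dropping one fails verification just as editing an output does.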

What WHIG is not

WHIG produces estimates and documentation, not professional valuations. Specialist items (jewellery, art, watches, antiques) are flagged for a qualified valuer rather than guessed at. The Evidence Package proves what you recorded and when. It does not replace a formal valuation where one is required.

Questions, or a responsible-disclosure report? hello@whig.app.