Wam
§ Security

Bank-grade. Bulletproof.

Wam handles real money for real people in the Caribbean. We’re licensed by the Central Bank of T&T, audited annually, and built so the wrong person can’t touch your money — and the right person leaves a receipt every time they do.

CBTT EMI + PSPTTSEC VASP SandboxCybersource (PCI DSS L1)TLS 1.3 in transit
EncryptedMFAAudit-loggedPCI L1
§01 · Regulation

Your money is licensed and supervised.

Wam is a licensed Electronic Money Institution and Payment Service Provider regulated by the Central Bank of Trinidad & Tobago. Customer funds are held in segregated accounts — they're never on Wam's balance sheet and never used to fund Wam's operations.

  • Segregated customer fundsYour TTD and USD balances live in supervised holding accounts that the CBTT can inspect at any time.
  • Internal review against SOC 2 controlsContinuous internal review against SOC 2 controls. Wam's own SOC 2 attestation is in progress; identity and session management already run on Auth0 (SOC 2 Type II + ISO 27001).
  • Real partners, real licensesUSD accounts and card issuing go through fully regulated US money-transmission partners. Card processing through Cybersource (PCI Level 1).
TT
Central Bank of Trinidad & Tobago
Licensed EMI + PSP · Reg. supervised
Customer fundsSegregated · supervised
Wam SOC 2Attestation in progress
AML / KYCVeriff + Chainalysis + TRM
Card dataCybersource (PCI DSS L1)
§02 · Sign-in

Biometric by default. PIN as the backup.

Face ID or fingerprint to unlock the app. PIN as the fallback. Wam users never type a password to open the app. Auth0 handles identity end-to-end with MFA enforced on every sensitive change.

  • Biometric on every deviceFace ID, Touch ID, or fingerprint to open the app. The biometric never leaves your device.
  • 2FA on every sensitive actionLogin from a new device, password reset, large transfers, card freezes — all gated by a second factor.
  • Auth0 (SOC 2 Type II, ISO 27001)Identity, MFA, session management. Same auth infrastructure used by 7,000+ enterprises including Mozilla and JetBlue.
Welcome back, Amara
Look at your phone to unlock
Use PIN instead
§03 · Live alerts

Every transaction. The moment it happens.

Every payment, top-up, card swipe, withdrawal, and login from a new device pings your phone in real time. You see the merchant, the amount, and your remaining balance before your card has cleared the till.

  • Push notifications under 2 secondsWhether someone's paying you, you're paying them, or your card is being used somewhere unexpected.
  • New-device sign-in alertsA new device logs in? Both devices get notified. You can revoke the new one with one tap.
  • Suspicious activity flaggingUnusual amounts, unusual countries, unusual frequency — flagged automatically and surfaced for review.
+
Maya paid you
12:14 · @mayac · 2 sec ago
+$45.00
Card used at Netflix
12:38 · USD · subscription
−$15.49
!
Sign-in on new device
12:41 · Samsung Galaxy · Port of Spain
Review
§04 · Card control

Freeze your card in one tap.

Lost the phone in a maxi? Card details leaked from a website? Freeze instantly from any other device, and every transaction stops the moment you confirm. Unfreeze when you're ready. No call centre, no waiting for a new card to arrive.

  • Freeze + unfreeze, both instantLock the card from any device where you're signed in. Reauthorisation kicks in the second you unlock it.
  • Per-category controlsBlock international, block ATMs, set daily caps, set merchant-category limits. All from the app.
  • Virtual Visa reissue in secondsAvailable to TTSEC VASP Sandbox-pilot users today; rolling out to all users. The physical card is mailed; while you wait, the virtual works in Apple Pay and Google Pay everywhere.
Wam · Visa
❄ Frozen
•••• •••• •••• 9024
Cardholder
AMARA JONES
VISA
✓ Card frozen 2 minutes ago · 0 attempted authorisations since
§05 · Privacy

Hide your balances. Hide your activity.

Tap-to-hide your balance on the home screen so a casual glance doesn't show your money. Receipt notifications keep merchant names short. Your transaction history is yours — no third-party advertiser sees it, ever.

  • Tap-to-hide balancesToggle visibility on the home screen with one tap. Comes back when you ask, not before.
  • No transaction data sold or sharedWe don't sell, rent, or share your activity with advertisers, data brokers, or third-party marketers. Ever.
  • Privacy by designSentry, our error tracker, strips PII in the beforeSend hook. Analytics never get full transaction context. The right people see the right things — and that's it.
Available balance
••••••
Tap the eye to show your balance.
•••• ••••• ••••
−•••.••
•••••, •••• •.
+••.••
Privacy mode is ON · No data shared
§06 · Under the hood

For the procurement reviewer in the room.

The dense version. How operator access works, how the ledger is protected, how secrets and card data are handled.

Enterprise SSO for every operator

Every admin and operator signs in through Auth0, gated by our corporate Google Workspace domain, with MFA enforced on any access to production systems. No shared logins, no long-lived service credentials.

Role-based admin controls

JWT claims carry least-privilege roles. Sensitive actions require a second approver. Every admin action is attributed to a named operator in an immutable audit log.

  • Two-admin control on treasury moves over $10,000
  • Two-admin control on cross-chain rebalances over $100,000
  • Device fingerprint + IP binding on admin sessions

Encryption + secrets

TLS 1.3 in transit. Provider-managed encryption at rest (Cloud SQL, Hasura Cloud, Cybersource for card data). Secrets live in Google Cloud Secret Manager and are only readable by the service account that needs them. Never in source, never in client code.

Immutable financial ledger

Our ledger is append-only at the database level. PostgreSQL triggers reject UPDATE and DELETE on ledger entries; balance history is reconstructable from the underlying journal. Reconciliation runs continuously — macro (system-wide) and micro (per-wallet).

Card data, out of scope

Card numbers never touch Wam infrastructure. Cybersource Microform tokenises the PAN in your browser and hands us a single-use token. Our PCI compliance scope is SAQ-A — the smallest possible — because we made the choice to never see the card.

24/7 monitoring

Every service publishes /health and /ready endpoints. Cloud Monitoring tracks uptime, 5xx rate, and p95 latency and pages on breach. Unhandled exceptions flow to Sentry with PII scrubbed in the beforeSend hook.

Full sub-processor list, certifications, incident response, and responsible disclosure contact — on the /trust page.

§07 · Certifications & standards

What we’re audited against.

CBTT EMI + PSP
WamNow Technologies Limited — licensed by the Central Bank of Trinidad & Tobago
Identity: Auth0 (SOC 2 Type II)
Authentication and session management. SOC 2 Type II + ISO 27001 certified vendor.
PCI DSS · SAQ-A (Wam scope)
Card data tokenised at Cybersource (PCI DSS Level 1 service provider). No PANs on Wam systems.
TLS 1.3 in transit
HSTS preload, modern cipher suites. Encryption at rest provided by Google Cloud SQL, Hasura Cloud, and Cybersource.
Sanctions: Chainalysis + TRM Labs
Every crypto deposit address and withdrawal destination screened against OFAC + sanctions lists.
Wam SOC 2: in progress
Wam's own SOC 2 attestation is underway; we'll publish the report when it lands.
§08 · FAQ

The questions people actually ask.

What happens to my money if Wam goes out of business?

Customer funds are held in segregation under the CBTT's EMI safeguarding rules. They sit in supervised holding accounts that are not available to Wam's creditors in an insolvency. This is not deposit insurance — there is no Deposit Insurance Corporation cover for e-money in Trinidad & Tobago.

What if someone steals my phone?

Sign in to Wam on any other device (or use the web at wam.money). Revoke the lost device from settings, freeze your virtual Visa, and change your PIN. New-device login itself requires a second factor and a biometric on the new device, so even with the physical phone, an attacker can't open your Wam without your face/fingerprint and a code sent to your number on file.

Is my data sold or shared with advertisers?

No. We don't sell, rent, or share your transaction data with advertisers, data brokers, or third-party marketers. Vendor data sharing is limited to what's necessary to run the product (Cybersource for card processing, Auth0 for identity, Veriff for KYC, etc.) — full list on the /trust page.

How are my funds protected from fraud?

Multiple layers. Auth0 with MFA on account login. Biometric to open the app. 2FA on sensitive actions (transfers above your daily threshold, card changes, settings changes). Real-time fraud signal scoring on every transaction. Per-category and per-amount card controls you set yourself. Address screening (Chainalysis + TRM Labs) on every crypto deposit and withdrawal.

Can a Wam employee see my balance or transactions?

Only operators with a specific role need (compliance, customer support) can see account data, and only the data their role requires. Every read of your data is logged with the operator's name in an immutable audit log. Sensitive actions (large transfers, treasury moves) require two-admin approval and are also audit-logged.

How does freeze work, exactly?

Freeze instantly blocks new authorisations against your virtual Visa card. Any merchant attempting to charge gets declined the moment you confirm. Unfreeze reverses it. Existing pre-authorisations (a hotel hold, for example) are not affected — those are visible separately in card settings, and you can dispute or release each one.

What's the difference between /security and /trust?

/security is what protects you as a user — biometric login, freeze, alerts, fraud monitoring. /trust is the operator / procurement-facing detail — sub-processor list, certifications, incident response, responsible disclosure. They're meant to be read by different audiences.

I think I found a vulnerability. Who do I tell?

Email security@wam.money. We follow a 90-day responsible-disclosure timeline and credit researchers in our security advisories where requested. Details on the /trust page.

Money you can trust. One you can use.

Open a Wam in 30 seconds. Every protection on this page is on by default. Nothing to configure, nothing to opt into.