Information Security
Security Controls are built into the WINDA code base or implemented outside WINDA and include the following:
Role-Based Access Controls (RBAC): Users are assigned one or more roles. Permissions in the application are based on those roles and are combined with data segregation, so that only GWO Secretariat roles have access to data outside their own realm of data.
Upon registration, a verification link is sent to the email address the User is registered with (except for Training Provider Main, Admin and Billing contacts, which are roles for communication only; these roles do not grant login permissions).
Password recovery can only be performed for the email address the User is registered with. Passwords are stored in irreversible form (salted hash).
A WINDA ID is a uniquely generated ID assigned to Course Participants and used for identification with Training Providers, employers, duty holders and other relevant stakeholders without disclosing personal information.
The database(s) containing WINDA data are deployed behind a firewall.
The WINDA application and API are deployed behind a Web Application Firewall (WAF).
The WINDA API is exposed via an API Gateway, which separates API requests from end-user requests and controls them.
WINDA performs logging of changes and activities. Access to these logs is reserved for GWO use, when applicable.
All communication between WINDA and Users, as well as between WINDA and API consumers, is encrypted using TLS 1.3.
The WINDA code, database and API gateway are deployed using Microsoft Azure services according to the Platform as a Service principle.
WINDA code is regularly inspected for flaws, consistency and external package validity using code inspection tools.
Backup of data is implemented with standard Microsoft Azure services.
Data retention is automated and aligned with the published data retention periods.
Virus scanning of documents uploaded to WINDA is performed by standard Microsoft Azure services. Any infected document is quarantined.
Published on and valid from 20 January 2026