Security & trust.

Procurement-grade reference · Last reviewed 2026-04-30

Wrendex audits your site’s technical SEO posture. Doing that well means we look at every page on your origin, store crawl results, and email or page on-call when a regression appears. The pages below describe how we handle your data, how we authenticate access, who our sub-processors are, and how to report a vulnerability.

Sec. S.01 · Compliance ◊Frameworks & certifications in-progress states are flagged

SOC 2 Type II

In progress

Wrendex is in the observation period for SOC 2 Type II. We do not yet hold a SOC 2 Type II report. Customers under NDA can request our current control documentation, gap-analysis status, and target completion date from .

GDPR

Compliant today

We process customer-controller data as a processor. Our Data Processing Addendum is available at /legal/dpa. EU-resident data lives in our US-East region today; EU-West region is on the Q3 2026 roadmap.

CCPA

Compliant today

California residents have the right to access, correct, and delete personal information we hold; see /legal/privacy. We do not sell personal information.

DPA template

Available on request

A pre-signed DPA based on the EU Standard Contractual Clauses is available at /legal/dpa. We will counter-sign a customer’s DPA on request, subject to legal review.

Sec. S.02 · Data handling ◊What we collect, how it’s stored AES-256 at rest · TLS 1.3 in transit

What we collect

URLs you ask us to audit, plus the HTML, headers, and resource list returned by each crawl.
Account information: email, name, workspace name, billing details (handled by Stripe).
Audit metadata: schedules, alert rules, share-link grants, member roles.
Telemetry: high-level usage events from the marketing site and dashboard, used to improve the product.

How it’s stored

At rest. AES-256 encryption with envelope keys managed by AWS KMS. Database snapshots, logs, and backups inherit the same encryption.
In transit. TLS 1.3 enforced on every public surface. Internal service-to-service traffic uses mTLS.
Region. US-East today (us-east-1); EU-West region scheduled for Q3 2026. Customers on Pro and above may pin their workspace region at creation.
Retention. Crawl results retained per plan (Starter: 30 days; Pro: 1 year; Agency: unlimited). Backups rotated on a 30-day window.

Sec. S.03 · Authentication ◊Sign-in & access JWT · 2FA · SAML

Sessions. JWT-backed sessions, default 7-day expiry, rotating refresh on activity. Logout revokes the refresh token immediately.
2FA. TOTP authenticator-app 2FA on every plan; recovery codes on enrolment. Workspace owners may enforce 2FA for all members.
SAML SSO. Available on the Agency tier. Tested with Okta, Azure AD, and Google Workspace.
API tokens. Per-user, scoped, revocable, audited. Tokens are stored hashed; the plaintext is shown once at creation.
Audit log. Sign-ins, permission changes, and export events logged per workspace; retention follows the plan’s history retention.

Sec. S.04 · Sub-processors ◊Third parties that touch customer data full list at /legal/sub-processors

Stripe (billing), AWS (hosting), MongoDB Atlas (production data store), Postmark (transactional email), Sentry (error monitoring). Our complete and current sub-processor list, including processing purpose and data region, lives at /legal/sub-processors.

Sec. S.05 · Vulnerability disclosure ◊Reporting a security issue 90-day disclosure window

We take security reports seriously. If you believe you’ve found a vulnerability in any Wrendex product or surface, please contact us privately first. We commit to:

Acknowledging your report within two business days.
Investigating and providing a meaningful update within seven business days.
Coordinating a public disclosure within a 90-day window after a fix has shipped.
Crediting you in the release notes (or omitting your name on request).

Contact

Email . PGP key on request from the same address (PGP-key-fingerprint placeholder, replaced when production key is published).