This is the page B2B buyers, auditors, and regulators ask for. It catalogs every framework we are working toward, every control we operate today, every subprocessor we rely on, and how to reach the security team. We mark each certification with its real status — never "certified" before an auditor has signed an attestation.
Last updated: April 15, 2026
Wag3s is in the early phase of formal third-party attestation. The status field below is updated as auditors complete each engagement. Until a status reads "certified" with an attestation date, the framework is informational — not a certified claim.
AICPA Trust Services Criteria
Scope Production platform serving Wag3s Ledger, Folio, and (post-launch) HR. Trust Services Criteria covered: Security, Availability, Confidentiality.
Notes Engagement scoped with a Big-4-tier auditor. Type I report targeted Q3 2026, Type II report 2026-Q4 covering a six-month observation period.
ISO 27001:2022
Scope Information security management system covering the production platform, customer data handling, and the Wag3s engineering organization.
Notes Internal ISMS (Information Security Management System) operational since 2025; external audit engagement targeted for Q1 2027.
EU 2016/679
Scope Customer data processing, subject rights workflows (access, deletion, portability), DPA execution, and EU-residency data handling.
Notes Wag3s self-assesses as GDPR-compliant. DPA available on request. EU-resident customer data is processed within the EU.
California Civil Code §1798.100
Scope California consumer rights handling for B2C users of Folio.
Notes Privacy policy discloses CCPA-required categories. Subject-rights requests answered within statutory windows.
EU Markets in Crypto-Assets (Regulation 2023/1114)
Scope Customer reporting outputs and data residency aligned with MiCA expectations for EU-touching DAOs and Foundations.
Notes MiCA does not certify accounting platforms directly, but Wag3s' reporting outputs are designed so that EU customers can include them in their own MiCA compliance posture. Formal alignment review targeted post-SOC 2 Type II.
These are the controls Wag3s operates as of the last-updated date — independent of formal certification status. They form the basis of the SOC 2 and ISO 27001 engagements above.
Read-only wallet connections via EIP-712 signatures. Wag3s never holds private keys.
Per-role permissions for every member of a customer organization. Permission matrix viewable from the dashboard.
Address handling normalized at every API boundary to prevent case-sensitivity bypass.
Redis-backed distributed locks on customer-data-mutating jobs.
AES-256 encryption on all customer data in PostgreSQL, with tenant isolation per customer.
TLS 1.3 on all public endpoints. HSTS enabled with `max-age=31536000` and `includeSubDomains`.
Every read and write is scoped by tenant identifier. Cross-tenant access is impossible at the database layer.
Point-in-time restore for the production database. Backups encrypted at rest, retention aligned with regulatory minimums.
Unified `apiOk` / `apiError` response format with Zod input validation on every endpoint.
CSP enforced on every response. `frame-src 'none'`, `object-src 'none'`, scoped script and style sources.
X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, HSTS — all enforced via Nuxt routeRules.
Automated CVE scanning on application dependencies via the package manager's audit pipeline.
All production changes go through code review and CI before deployment. No direct production access.
Every authenticated mutation produces an audit-log entry retained for the regulatory minimum.
Where on-chain anchoring is used (e.g. EIP-712 signed agreements), the signature and block reference are part of the audit trail.
Production data is hosted in EU data centers (primary region) with a documented secondary region for disaster recovery. EU customer data does not leave the EU at rest.
Customers own all data ingested by Wag3s. We do not sell, share, or use customer data for purposes outside the contractual scope of providing the service.
Access, rectification, erasure, portability, and objection handled per the published privacy policy. Subject-rights requests answered within the regulatory window for the relevant jurisdiction (typically 30 days under GDPR).
Customer data is retained for the contractual term plus the regulatory minimum (typically 5 years for accounting / tax records). Customers can export everything at any time and request deletion at termination.
A current list of subprocessors is published below. Customers can be notified when a new subprocessor is added under the data processing agreement.
This list is the current subprocessor set as of the last-updated date. Customers under a DPA receive notice before new subprocessors are added.
| Vendor | Purpose | Location |
|---|---|---|
| Amazon Web Services (AWS) | Production infrastructure, database hosting, storage | EU (eu-west-3, eu-central-1) |
| Cloudflare | Edge networking, DDoS protection, WAF | Global |
| Vercel | Marketing site hosting (wag3s.io). No customer data. | Global |
| Sentry | Application error monitoring | EU |
| Mobula | Crypto market data API | EU |
| Arkham Intelligence | Address-label database for transaction categorization | US |
| Resend | Transactional email delivery (account events, payroll receipts) | EU |
Vendor security questionnaires, audit observations, vulnerability reports, and DPA requests all land at the addresses below.
security@wag3s.io
privacy@wag3s.io
Reach out via /contact — we respond to vendor security questionnaires within five business days.
Up to $50,000 in USDC for qualifying smart-contract, DeFi, and platform vulnerabilities. Submit to security@wag3s.io with a 24-hour response SLA.
