Security · Trust

Trust & Security

Last updated: June 9, 2026

SOC 2 Type II: actively pursuing. We are audit-ready; the report is not yet available. We will post it here when the attestation is complete.

Overview

Wentzel Investments LLC (trading as Wentzel.ai) builds and operates a portfolio of specialized SaaS platforms for regulated industries. Protecting the confidentiality, integrity, and availability of the data you entrust to us is a core obligation — not a feature.

This page describes our current security posture, the status of our formal certification programme, how we handle your data, the sub-processors we rely on, and how to reach us if you discover a potential vulnerability.

SOC 2 Type II certification status

Wentzel Investments LLC is actively pursuing SOC 2 Type II certification under the AICPA Trust Services Criteria. Our SOC 2 audit programme is currently in progress.

We do not hold a SOC 2 Type II report at this time. We describe our posture as audit-ready and in-progress — not certified. We will post a link to the report (or a summary for prospects under NDA) on this page when the attestation is complete.

We expect to complete our SOC 2 Type II audit in 2027.

Infrastructure & data security

Our production workloads run primarily on Cloudflare Workers, with Cloudflare D1 (SQLite) for structured data and Cloudflare R2 for object storage. Regulated healthcare pathways, batch genomics pipelines, and transactional email run on Amazon Web Services (SES, S3, Batch, Secrets Manager). Select products use Neon (managed Postgres) during migration.

All data in transit is encrypted with TLS 1.2 or higher. Data at rest is encrypted by the storage platform (AES-256). Production systems follow least-privilege access; employee access is reviewed quarterly. We enforce per-product database isolation so one product's data is never accessible from another product's runtime.

Encryption in transit — TLS 1.2+ on all public endpoints.
Encryption at rest — AES-256 by the underlying storage platform.
Least-privilege access — scoped IAM roles / Cloudflare API tokens; no standing production write access.
Per-product isolation — separate D1/R2/database instances per product slug.
Secret management — runtime secrets managed via Cloudflare Worker Secrets and AWS Secrets Manager; never committed to source control.

Data handling

We process personal data only to deliver the services you have requested, to keep them secure, and to comply with legal obligations. We do not sell personal data, and we do not use customer content to train shared or third-party models.

Data is retained for as long as your account is active or as needed to meet legal and audit-evidence obligations. Following account termination we make customer data available for export for 30 days, after which we delete it unless required to retain it by law.

Sub-processors

We engage the following sub-processors to deliver platform services. All sub-processors are under contract requiring appropriate confidentiality and security measures.

Cloudflare, Inc. (United States) — edge compute (Workers), CDN, D1 database, R2 object storage, DNS, DDoS mitigation.
Amazon Web Services, Inc. (United States) — transactional email (SES), object storage (S3), batch compute (Batch), secrets (Secrets Manager).
Stripe, Inc. (United States) — payment processing for products with paid plans.
TODO: [Product-specific sub-processors — audit each product before public launch and list here].

Reporting a security issue

If you believe you have found a security vulnerability in any Wentzel platform product, please report it responsibly. We will acknowledge your report within two business days and aim to resolve confirmed issues within 30 days, depending on severity.

Please do not publicly disclose a vulnerability before we have had the opportunity to investigate and remediate. We do not currently operate a formal bug-bounty programme, but we will acknowledge researchers who responsibly disclose valid findings.

Email security@wentzel.ai to report a potential vulnerability.