// Trust & Security Report

    Wingify (VWO) logo

    Wingify (VWO)

    VWO digital experience optimization platform (A/B testing, behavioral insights, feature rollouts, personalization, customer data platform)

    Certifications held

    12

    Maturity

    Enterprise

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    Wingify has comprehensive privacy and security assessments and certifications performed by third parties. Such certifications include ISO 27001:2022 ISMS, ISO 27701:2019 PIMS, ISO 27017:2015 Cloud Security, ISO 27018:2019 Cloud Privacy, PCI DSS v4.0.2, SOC 2 Type II etc.

    Verify on vwo.com
    ISO 27001:2022
    HELD

    Such certifications include ISO 27001:2022 ISMS, ISO 27701:2019 PIMS, ISO 27017:2015 Cloud Security, ISO 27018:2019 Cloud Privacy, PCI DSS v4.0.2, SOC 2 Type II etc.

    Verify on vwo.com
    ISO 27701:2019 (PIMS)
    HELD

    Such certifications include ISO 27001:2022 ISMS, ISO 27701:2019 PIMS, ISO 27017:2015 Cloud Security, ISO 27018:2019 Cloud Privacy, PCI DSS v4.0.2, SOC 2 Type II etc.

    Verify on vwo.com
    ISO 27017:2015 (Cloud Security)
    HELD

    Such certifications include ... ISO 27017:2015 Cloud Security, ISO 27018:2019 Cloud Privacy, PCI DSS v4.0.2, SOC 2 Type II etc.

    Verify on vwo.com
    ISO 27018:2019 (Cloud Privacy)
    HELD

    Such certifications include ... ISO 27018:2019 Cloud Privacy, PCI DSS v4.0.2, SOC 2 Type II etc.

    Verify on vwo.com
    PCI DSS v4.0
    HELD

    Compliance offerings listed on the Wingify Trust Center include: SOC 2, PCI DSS V4.0, ISO 27001:2022, ISO 45001:2018, ISO 14001:2015 ESMS, ISO 27701:2019, ISO 27017:2015, ISO 27018:2019, CSA STAR, HIPAA, GDPR, CCPA.

    Verify on trust.wingify.com
    HIPAA
    HELD

    Wingify Trust Center Compliance list: ISO 45001:2018, ISO 14001:2015 ESMS, HIPAA, SOC 2, GDPR, ISO 27001:2022, PCI DSS V4.0, CCPA, CSA STAR, ISO 27017:2015, ISO 27018:2019, ISO 27701:2019.

    Verify on trust.wingify.com
    CSA STAR
    HELD

    Wingify Trust Center Compliance list includes: ... CCPA, CSA STAR, ISO 27017:2015, ISO 27018:2019, ISO 27701:2019.

    Verify on trust.wingify.com
    ISO 45001:2018 (Occupational Health & Safety)
    HELD

    Wingify Trust Center Compliance list includes: ISO 45001:2018, ISO 14001:2015 ESMS, HIPAA, SOC 2 ...

    Verify on trust.wingify.com
    ISO 14001:2015 (Environmental Management)
    HELD

    Wingify Trust Center Compliance list includes: ISO 45001:2018, ISO 14001:2015 ESMS, HIPAA, SOC 2 ...

    Verify on trust.wingify.com
    GDPR (compliance posture, not a certification)
    HELD

    ISO 27701:2019 Datenschutz Managementsystems ... & Einhaltung der DSGVO-Verordnung. Folgende Zertifizierungen belegen unsere DSGVO-Konformität: ISO 27701:2019, ISO 27001:2013, SOC 2 Typ II.

    Verify on vwo.com
    CCPA (compliance posture, not a certification)
    HELD

    As part of our commitment to privacy, we made a number of investments and improvements to our data handling practices to support CCPA and the privacy rights of individuals.

    Verify on vwo.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    Customer-selectable GCP region at account setup: europe-west1 (Belgium/EU), us-east4 (N. Virginia/USA), or asia-south1 (Mumbai/India). EU selection keeps visitor/user data in the EU only.

    Responsible AI Policy states: 'No AI model training using Customer Personal Data: Customer Personal Data is never used to train any AI or large language model.' VWO Copilot is powered by third-party AI models including OpenAI LLMs, Google Gemini, and image-generation models. AI features use Privacy-Enhancing Technologies (PETs), encryption in transit and at rest, plus anonymization/pseudonymization. Every AI suggestion requires human validation before implementation; no automated decisioning affecting individuals without human oversight.

    // Security controls

    Hosting / infrastructure

    All customer data hosted on Google Cloud Platform (GCP). 'Kein Mitarbeiter von VWO kann physisch auf die Daten zugreifen' (no VWO employee can physically access the data). Sub-processors: Google Cloud, Cloudflare (CDN, global), Amazon Web Services (USA).

    trust.wingify.com

    Encryption

    Encryption in transit and at rest (PCI scope: 'Verschluesselung von Daten in Bewegung und im Ruhezustand'). Data-at-rest encryption applied based on sensitivity. AI features use strong encryption in transit and at rest.

    vwo.com

    Penetration testing (VAPT)

    Annual third-party Vulnerability Assessment & Penetration Testing plus quarterly security audits of all production systems: 'Wingify runs Vulnerability Assessment Penetration Testing (VAPT) on an annual basis through a third-party service provider and performs quarterly security audits for all production environment systems.'

    vwo.com

    Responsible disclosure / bug bounty

    Self-hosted Responsible Disclosure program (NOT HackerOne or Bugcrowd). Report to security@wingify.com; 72 working-hour initial confirmation; Security Researcher Hall of Fame recognition. Scope: vwo.com, app.vwo.com. No paid bounty advertised.

    vwo.com

    Privacy governance

    Appointed Data Protection Officer; Corporate Security & Compliance Committee (CSCC) meeting quarterly; ROPA maintained per GDPR Art. 30; annual Privacy Impact Assessment validated by external auditor; least-privilege / role-based access; ISO 27001:2022 ISMS as baseline control framework.

    vwo.com

    Data subject rights tooling

    Customers can export or delete visitor/app-user data via UUID. Keystrokes anonymized by default; last IP octet zeroed by default; PII (email, credit card) filtered out of incoming custom-dimension data by default; Do-Not-Track honoring configurable.

    vwo.com

    // Products & data scope

    VWO TestingA/B testing & experimentation (web, mobile app, feature, server-side)

    data: Visitor behavioral data, experiment assignment, conversion metrics. SmartCode (client) and SDKs (8+ languages) for server-side.

    Visual editor (no-code) plus code editor and SDK-based testing.

    VWO InsightsBehavioral analytics (heatmaps, session recordings, funnels, form analytics, surveys)

    data: Captures session recordings and heatmaps; keystrokes anonymized by default, text-masking and CSS-selector whitelisting available to avoid storing PII.

    Highest privacy sensitivity of the suite because of session recordings; relies on default anonymization controls.

    VWO Data360Customer data platform (CDP)

    data: Unifies user attributes, user events, third-party data, and offline data for a 360-degree customer view; event-driven architecture.

    Broadest data-ingestion surface; customers can bring first-party and offline data.

    VWO PersonalizePersonalization / targeting

    data: Uses customer data and segments to deliver targeted experiences.

    Consumes CDP segments for real-time targeting.

    VWO Web Rollouts & PlanFeature rollouts / experimentation planning

    data: Progressive feature delivery; planning workflow metadata.

    Engineering-facing; lower direct PII exposure.

    VWO AI / CopilotAI assistant (analysis, idea generation, campaign build, summarization)

    data: Operates over campaign and behavioral data; powered by third-party LLMs (OpenAI, Google Gemini). Customer Personal Data is NOT used to train models; PETs and masking applied; human validation required.

    Third-party LLM sub-processors are the key new data-flow consideration for AI-cautious buyers; no model training on customer data.

    // What to watch

    • Acquisition in progress: footer and banner announce 'VWO und AB Tasty schliessen sich zusammen' (VWO and AB Tasty merging). Post-merger ownership, sub-processors, and data-handling could change; re-verify after close.
    • VWO Insights records full session replays; privacy depends on customers correctly configuring default anonymization/masking controls.
    • VWO AI/Copilot routes data to third-party LLMs (OpenAI, Google Gemini) as sub-processors; relevant for buyers with strict AI/data-egress policies even though no model training occurs.
    • Legal entity is Wingify Software Pvt. Ltd. (India HQ); trust center and certifications are under the Wingify name, VWO is the product brand.

    // At a glance

    Pricing model

    Subscription SaaS with free trial; tiered/enterprise plans (per-product and platform bundles). Demo/sales-led for enterprise.

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Wingify (VWO)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    trust.wingify.com

    > Browse all vendor trust reports