// Trust & Security Report
Wingify (VWO)
VWO digital experience optimization platform (A/B testing, behavioral insights, feature rollouts, personalization, customer data platform)
Certifications held
12
Maturity
Enterprise
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on vwo.com“Wingify has comprehensive privacy and security assessments and certifications performed by third parties. Such certifications include ISO 27001:2022 ISMS, ISO 27701:2019 PIMS, ISO 27017:2015 Cloud Security, ISO 27018:2019 Cloud Privacy, PCI DSS v4.0.2, SOC 2 Type II etc.”
Verify on vwo.com“Such certifications include ISO 27001:2022 ISMS, ISO 27701:2019 PIMS, ISO 27017:2015 Cloud Security, ISO 27018:2019 Cloud Privacy, PCI DSS v4.0.2, SOC 2 Type II etc.”
Verify on vwo.com“Such certifications include ISO 27001:2022 ISMS, ISO 27701:2019 PIMS, ISO 27017:2015 Cloud Security, ISO 27018:2019 Cloud Privacy, PCI DSS v4.0.2, SOC 2 Type II etc.”
Verify on vwo.com“Such certifications include ... ISO 27017:2015 Cloud Security, ISO 27018:2019 Cloud Privacy, PCI DSS v4.0.2, SOC 2 Type II etc.”
Verify on vwo.com“Such certifications include ... ISO 27018:2019 Cloud Privacy, PCI DSS v4.0.2, SOC 2 Type II etc.”
Verify on trust.wingify.com“Compliance offerings listed on the Wingify Trust Center include: SOC 2, PCI DSS V4.0, ISO 27001:2022, ISO 45001:2018, ISO 14001:2015 ESMS, ISO 27701:2019, ISO 27017:2015, ISO 27018:2019, CSA STAR, HIPAA, GDPR, CCPA.”
Verify on trust.wingify.com“Wingify Trust Center Compliance list: ISO 45001:2018, ISO 14001:2015 ESMS, HIPAA, SOC 2, GDPR, ISO 27001:2022, PCI DSS V4.0, CCPA, CSA STAR, ISO 27017:2015, ISO 27018:2019, ISO 27701:2019.”
Verify on trust.wingify.com“Wingify Trust Center Compliance list includes: ... CCPA, CSA STAR, ISO 27017:2015, ISO 27018:2019, ISO 27701:2019.”
Verify on trust.wingify.com“Wingify Trust Center Compliance list includes: ISO 45001:2018, ISO 14001:2015 ESMS, HIPAA, SOC 2 ...”
Verify on trust.wingify.com“Wingify Trust Center Compliance list includes: ISO 45001:2018, ISO 14001:2015 ESMS, HIPAA, SOC 2 ...”
Verify on vwo.com“ISO 27701:2019 Datenschutz Managementsystems ... & Einhaltung der DSGVO-Verordnung. Folgende Zertifizierungen belegen unsere DSGVO-Konformität: ISO 27701:2019, ISO 27001:2013, SOC 2 Typ II.”
Verify on vwo.com“As part of our commitment to privacy, we made a number of investments and improvements to our data handling practices to support CCPA and the privacy rights of individuals.”
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
Customer-selectable GCP region at account setup: europe-west1 (Belgium/EU), us-east4 (N. Virginia/USA), or asia-south1 (Mumbai/India). EU selection keeps visitor/user data in the EU only.
Responsible AI Policy states: 'No AI model training using Customer Personal Data: Customer Personal Data is never used to train any AI or large language model.' VWO Copilot is powered by third-party AI models including OpenAI LLMs, Google Gemini, and image-generation models. AI features use Privacy-Enhancing Technologies (PETs), encryption in transit and at rest, plus anonymization/pseudonymization. Every AI suggestion requires human validation before implementation; no automated decisioning affecting individuals without human oversight.
// Security controls
Hosting / infrastructure
All customer data hosted on Google Cloud Platform (GCP). 'Kein Mitarbeiter von VWO kann physisch auf die Daten zugreifen' (no VWO employee can physically access the data). Sub-processors: Google Cloud, Cloudflare (CDN, global), Amazon Web Services (USA).
trust.wingify.comEncryption
Encryption in transit and at rest (PCI scope: 'Verschluesselung von Daten in Bewegung und im Ruhezustand'). Data-at-rest encryption applied based on sensitivity. AI features use strong encryption in transit and at rest.
vwo.comPenetration testing (VAPT)
Annual third-party Vulnerability Assessment & Penetration Testing plus quarterly security audits of all production systems: 'Wingify runs Vulnerability Assessment Penetration Testing (VAPT) on an annual basis through a third-party service provider and performs quarterly security audits for all production environment systems.'
vwo.comResponsible disclosure / bug bounty
Self-hosted Responsible Disclosure program (NOT HackerOne or Bugcrowd). Report to security@wingify.com; 72 working-hour initial confirmation; Security Researcher Hall of Fame recognition. Scope: vwo.com, app.vwo.com. No paid bounty advertised.
vwo.comPrivacy governance
Appointed Data Protection Officer; Corporate Security & Compliance Committee (CSCC) meeting quarterly; ROPA maintained per GDPR Art. 30; annual Privacy Impact Assessment validated by external auditor; least-privilege / role-based access; ISO 27001:2022 ISMS as baseline control framework.
vwo.comData subject rights tooling
Customers can export or delete visitor/app-user data via UUID. Keystrokes anonymized by default; last IP octet zeroed by default; PII (email, credit card) filtered out of incoming custom-dimension data by default; Do-Not-Track honoring configurable.
vwo.com// Products & data scope
data: Visitor behavioral data, experiment assignment, conversion metrics. SmartCode (client) and SDKs (8+ languages) for server-side.
Visual editor (no-code) plus code editor and SDK-based testing.
data: Captures session recordings and heatmaps; keystrokes anonymized by default, text-masking and CSS-selector whitelisting available to avoid storing PII.
Highest privacy sensitivity of the suite because of session recordings; relies on default anonymization controls.
data: Unifies user attributes, user events, third-party data, and offline data for a 360-degree customer view; event-driven architecture.
Broadest data-ingestion surface; customers can bring first-party and offline data.
data: Uses customer data and segments to deliver targeted experiences.
Consumes CDP segments for real-time targeting.
data: Progressive feature delivery; planning workflow metadata.
Engineering-facing; lower direct PII exposure.
data: Operates over campaign and behavioral data; powered by third-party LLMs (OpenAI, Google Gemini). Customer Personal Data is NOT used to train models; PETs and masking applied; human validation required.
Third-party LLM sub-processors are the key new data-flow consideration for AI-cautious buyers; no model training on customer data.
// What to watch
- Acquisition in progress: footer and banner announce 'VWO und AB Tasty schliessen sich zusammen' (VWO and AB Tasty merging). Post-merger ownership, sub-processors, and data-handling could change; re-verify after close.
- VWO Insights records full session replays; privacy depends on customers correctly configuring default anonymization/masking controls.
- VWO AI/Copilot routes data to third-party LLMs (OpenAI, Google Gemini) as sub-processors; relevant for buyers with strict AI/data-egress policies even though no model training occurs.
- Legal entity is Wingify Software Pvt. Ltd. (India HQ); trust center and certifications are under the Wingify name, VWO is the product brand.
// At a glance
Pricing model
Subscription SaaS with free trial; tiered/enterprise plans (per-product and platform bundles). Demo/sales-led for enterprise.
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Wingify (VWO)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
trust.wingify.com