// Trust & Security Report
Mend.io (formerly WhiteSource Software Ltd.)
Mend AppSec platform: application security and software supply chain security, unified with AI security governance. Sub-products include Mend SCA (open source / software composition analysis, the original WhiteSource product), Mend SAST (proprietary code scanning), Mend Renovate (automated dependency updates), Mend AI (AI-BOM, model/agent/prompt inventory and AI risk governance), plus DAST, API Security, and Container Security modules.
Certifications held
4
Maturity
Enterprise
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on mend.io“At Mend.io, we have fully implemented the ISO 27001:2013 standard. Our Statement of Applicability (SoA) allows our customers to review our set of controls...”
Verify on mend.io“AICPA SOC2 SSAE 18 /ISAE 3402 Type II ... This report provides an external evaluation of an organization's internal security systems with a specific focus on the controls relevant to security, availability and confidentiality. Mend.io's controls are evaluated by Schellman.”
Verify on mend.io“Mend.io has established an integrated information security management system incorporating controls for ISO 27001, ISO 27017, and ISO 27701. These controls are reviewed externally every year.”
Verify on mend.io“Mend.io has established an integrated information security management system incorporating controls for ISO 27001, ISO 27017, and ISO 27701. These controls are reviewed externally every year.”
> Show 6 unconfirmed / not-held certifications
source: mend.ioMend.io is fully committed to compliance with the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA)... Whilst there is no formal certification of our compliance we can offer our customers, adherence... is externally validated as part of our ISO and SOC2 program.
source: mend.ioNo public evidence of a HIPAA attestation, BAA program, or HIPAA-specific control set on Mend.io's own trust, data-protection, or compliance pages. (A third-party article discussing 'Mend' and HIPAA/BAA refers to an unrelated telehealth company also named Mend, not Mend.io the application-security vendor -- identity conflation risk, not counted as evidence.)
source: mend.ioMend.io's own /compliance/ page references PCI DSS only as a framework Mend's product output (SBOM/evidence) helps customers satisfy, not as a certification Mend.io itself holds. No PCI attestation is listed in the accreditations overview PDF or the trust page.
source: mend.ioMend.io maps its AI Security findings to ISO 42001 as a framework it helps customers achieve conformity with, but does not state that Mend.io itself holds ISO 42001 certification.
source: mend.ioNo public evidence / not mentioned on any Mend.io trust, data-protection, or compliance page found.
source: mend.ioNo public evidence / not mentioned on any Mend.io trust, data-protection, or compliance page found.
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Not offered
Data region
Customer data may be stored in third-party hosting facilities in the U.S. or EU based on customer location/preference; AI-Powered Features may route data through Microsoft Azure hosting even where core product data is on AWS. Company operates out of the U.S., Israel, and Europe.
Mend.io's AI Supplemental Terms of Service state: 'your Customer Data shared with Mend AI-Powered Features will not be used to train any generative AI model.' Use of AI-Powered Features is opt-in. Mend states it 'acts as a data controller -- and not as a data processor' for account/user data, and its data-protection page says 'A data processing agreement (DPA) is not required for the use of our Services -- there is no processing of personal data on the customer's behalf.' Prospective enterprise customers who consider Mend's code-scanning to constitute processing of their data should confirm this controller/processor framing directly with Mend before signing, since it differs from how many SaaS security vendors describe their role.
// Security controls
Encryption
Data storage backed up regularly; both main storage and backups encrypted at rest and in transit.
mend.ioData retention
Audit logs retained 90 days; backups retained 30 days; all customer data deleted following termination of subscription.
mend.ioPseudonymization
Contributing developers' email addresses are pseudonymized via encrypted hashing and cannot be re-identified by Mend.io.
mend.ioCross-border transfer mechanism
EU/UK Standard Contractual Clauses used for transfers outside the EU/EEA; partnered with TrustArc as Dispute Resolution Service Provider satisfying the EU-US Data Privacy Framework Independent Recourse Mechanism (including Swiss-US and UK extension).
mend.ioCyber insurance
Maintains Professional Indemnity, Cyber, Directors & Officers Liability, Corporate Legal Liability, Employment Practices Liability, and Public Liability insurance policies.
mend.ioTrust center disclosure model
The interactive trust.mend.io portal offers security questionnaires, reports, and control documentation 'upon request' rather than as a public library; underlying static pages (www.mend.io/trust/, /data-protection/, and the PDF accreditations overview) carry the actual certification claims used in this assessment.
trust.mend.io// Products & data scope
data: Scans dependency manifests, package managers, and container image layers against Mend's vulnerability database.
The original WhiteSource product line; Mend.io was rebranded from WhiteSource Software in 2021.
data: Scans proprietary/developer-written and AI-generated source code in IDEs, repositories, and pull requests.
Differential scanning positioned to reduce noise versus legacy SAST tools.
data: Reads repository configuration files and CI/CD pipeline metadata to raise dependency-update pull requests.
Widely used open-source automation tool now under the Mend umbrella.
data: Inventories AI models, agents, RAG pipelines, and system prompts in an AI-BOM; performs automated adversarial/red-team testing.
Maps findings to NIST AI RMF, ISO 42001, ISO 27001, EU AI Act, and OWASP as customer-compliance support -- these are frameworks Mend's output helps customers satisfy, not certifications Mend.io itself holds.
data: Scans running application endpoints, API definitions/traffic, and container registries.
Additional modules within the unified Mend AppSec platform.
// What to watch
- Identity-conflation risk: search results surface a HIPAA/BAA article about a company also named 'Mend' (mendfamily.com, a telehealth/patient-scheduling platform) that is unrelated to Mend.io the application-security vendor. Not used as evidence and flagged so it is not mistakenly cited elsewhere.
- The interactive trust.mend.io portal renders as a 'request access' shell with no public certification list, while the static www.mend.io/trust/, /data-protection/, and the linked PDF accreditations overview do carry explicit ISO 27001 / SOC 2 claims -- these were used as the primary sources instead. Recommend a live re-check of trust.mend.io before final publication.
- Data protection page states Mend.io 'acts as a data controller -- and not as a data processor' and that a DPA 'is not required' for use of its services, since Mend does not process personal data on the customer's behalf. This is a legitimate but non-standard framing for a code/AI-scanning security vendor and should be confirmed directly with Mend by any customer with strict DPA requirements before purchase.
- Mend.io's own /compliance/ marketing page lists PCI DSS and ISO 42001 alongside frameworks its AI-BOM output 'helps customers achieve conformity with' -- this is about Mend's product output supporting customer compliance programs, not certifications Mend.io itself holds. Graded held=false for both to avoid an over-claim; worth a final human check given the adjacency in the source page's wording.
- ISO 27017 and ISO 27701 are supported by an 'integrated ISMS incorporating controls for' language on the live trust page but are not separately itemized in the more detailed (Aug 2024) accreditations-overview PDF, which lists only ISO 27001 and SOC 2 by name. Graded held=true on the strength of the trust-page statement, but this is a softer claim than the PDF's explicit ISO 27001/SOC 2 language.
// At a glance
Pricing model
Enterprise SaaS subscription (sales-led; demo/tour offered, no public self-serve pricing found).
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Mend.io (formerly WhiteSource Software Ltd.)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-09. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
mend.io