// Trust & Security Report

    Mend.io (formerly WhiteSource Software Ltd.) logo

    Mend.io (formerly WhiteSource Software Ltd.)

    Mend AppSec platform: application security and software supply chain security, unified with AI security governance. Sub-products include Mend SCA (open source / software composition analysis, the original WhiteSource product), Mend SAST (proprietary code scanning), Mend Renovate (automated dependency updates), Mend AI (AI-BOM, model/agent/prompt inventory and AI risk governance), plus DAST, API Security, and Container Security modules.

    Certifications held

    4

    Maturity

    Enterprise

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    ISO 27001:2013
    HELD

    At Mend.io, we have fully implemented the ISO 27001:2013 standard. Our Statement of Applicability (SoA) allows our customers to review our set of controls...

    Verify on mend.io
    SOC 2 Type II (AICPA SSAE 18 / ISAE 3402)
    HELD

    AICPA SOC2 SSAE 18 /ISAE 3402 Type II ... This report provides an external evaluation of an organization's internal security systems with a specific focus on the controls relevant to security, availability and confidentiality. Mend.io's controls are evaluated by Schellman.

    Verify on mend.io
    ISO 27017:2015 (cloud security)
    HELD

    Mend.io has established an integrated information security management system incorporating controls for ISO 27001, ISO 27017, and ISO 27701. These controls are reviewed externally every year.

    Verify on mend.io
    ISO 27701 (privacy information management)
    HELD

    Mend.io has established an integrated information security management system incorporating controls for ISO 27001, ISO 27017, and ISO 27701. These controls are reviewed externally every year.

    Verify on mend.io
    > Show 6 unconfirmed / not-held certifications
    GDPR (compliance posture, not a certification)
    NOT CONFIRMED

    Mend.io is fully committed to compliance with the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA)... Whilst there is no formal certification of our compliance we can offer our customers, adherence... is externally validated as part of our ISO and SOC2 program.

    source: mend.io
    HIPAA
    NOT CONFIRMED

    No public evidence of a HIPAA attestation, BAA program, or HIPAA-specific control set on Mend.io's own trust, data-protection, or compliance pages. (A third-party article discussing 'Mend' and HIPAA/BAA refers to an unrelated telehealth company also named Mend, not Mend.io the application-security vendor -- identity conflation risk, not counted as evidence.)

    source: mend.io
    PCI DSS
    NOT CONFIRMED

    Mend.io's own /compliance/ page references PCI DSS only as a framework Mend's product output (SBOM/evidence) helps customers satisfy, not as a certification Mend.io itself holds. No PCI attestation is listed in the accreditations overview PDF or the trust page.

    source: mend.io
    ISO/IEC 42001 (AI management systems)
    NOT CONFIRMED

    Mend.io maps its AI Security findings to ISO 42001 as a framework it helps customers achieve conformity with, but does not state that Mend.io itself holds ISO 42001 certification.

    source: mend.io
    CSA STAR
    NOT CONFIRMED

    No public evidence / not mentioned on any Mend.io trust, data-protection, or compliance page found.

    source: mend.io
    FedRAMP
    NOT CONFIRMED

    No public evidence / not mentioned on any Mend.io trust, data-protection, or compliance page found.

    source: mend.io

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Not offered

    Data region

    Customer data may be stored in third-party hosting facilities in the U.S. or EU based on customer location/preference; AI-Powered Features may route data through Microsoft Azure hosting even where core product data is on AWS. Company operates out of the U.S., Israel, and Europe.

    Mend.io's AI Supplemental Terms of Service state: 'your Customer Data shared with Mend AI-Powered Features will not be used to train any generative AI model.' Use of AI-Powered Features is opt-in. Mend states it 'acts as a data controller -- and not as a data processor' for account/user data, and its data-protection page says 'A data processing agreement (DPA) is not required for the use of our Services -- there is no processing of personal data on the customer's behalf.' Prospective enterprise customers who consider Mend's code-scanning to constitute processing of their data should confirm this controller/processor framing directly with Mend before signing, since it differs from how many SaaS security vendors describe their role.

    // Security controls

    Encryption

    Data storage backed up regularly; both main storage and backups encrypted at rest and in transit.

    mend.io

    Data retention

    Audit logs retained 90 days; backups retained 30 days; all customer data deleted following termination of subscription.

    mend.io

    Pseudonymization

    Contributing developers' email addresses are pseudonymized via encrypted hashing and cannot be re-identified by Mend.io.

    mend.io

    Cross-border transfer mechanism

    EU/UK Standard Contractual Clauses used for transfers outside the EU/EEA; partnered with TrustArc as Dispute Resolution Service Provider satisfying the EU-US Data Privacy Framework Independent Recourse Mechanism (including Swiss-US and UK extension).

    mend.io

    Cyber insurance

    Maintains Professional Indemnity, Cyber, Directors & Officers Liability, Corporate Legal Liability, Employment Practices Liability, and Public Liability insurance policies.

    mend.io

    Trust center disclosure model

    The interactive trust.mend.io portal offers security questionnaires, reports, and control documentation 'upon request' rather than as a public library; underlying static pages (www.mend.io/trust/, /data-protection/, and the PDF accreditations overview) carry the actual certification claims used in this assessment.

    trust.mend.io

    // Products & data scope

    Mend SCA (Software Composition Analysis, formerly WhiteSource)Open source vulnerability and license management

    data: Scans dependency manifests, package managers, and container image layers against Mend's vulnerability database.

    The original WhiteSource product line; Mend.io was rebranded from WhiteSource Software in 2021.

    Mend SASTStatic application security testing

    data: Scans proprietary/developer-written and AI-generated source code in IDEs, repositories, and pull requests.

    Differential scanning positioned to reduce noise versus legacy SAST tools.

    Mend RenovateAutomated dependency updates

    data: Reads repository configuration files and CI/CD pipeline metadata to raise dependency-update pull requests.

    Widely used open-source automation tool now under the Mend umbrella.

    Mend AIAI security / AI governance

    data: Inventories AI models, agents, RAG pipelines, and system prompts in an AI-BOM; performs automated adversarial/red-team testing.

    Maps findings to NIST AI RMF, ISO 42001, ISO 27001, EU AI Act, and OWASP as customer-compliance support -- these are frameworks Mend's output helps customers satisfy, not certifications Mend.io itself holds.

    DAST / API Security / Container SecurityExtended AppSec coverage

    data: Scans running application endpoints, API definitions/traffic, and container registries.

    Additional modules within the unified Mend AppSec platform.

    // What to watch

    • Identity-conflation risk: search results surface a HIPAA/BAA article about a company also named 'Mend' (mendfamily.com, a telehealth/patient-scheduling platform) that is unrelated to Mend.io the application-security vendor. Not used as evidence and flagged so it is not mistakenly cited elsewhere.
    • The interactive trust.mend.io portal renders as a 'request access' shell with no public certification list, while the static www.mend.io/trust/, /data-protection/, and the linked PDF accreditations overview do carry explicit ISO 27001 / SOC 2 claims -- these were used as the primary sources instead. Recommend a live re-check of trust.mend.io before final publication.
    • Data protection page states Mend.io 'acts as a data controller -- and not as a data processor' and that a DPA 'is not required' for use of its services, since Mend does not process personal data on the customer's behalf. This is a legitimate but non-standard framing for a code/AI-scanning security vendor and should be confirmed directly with Mend by any customer with strict DPA requirements before purchase.
    • Mend.io's own /compliance/ marketing page lists PCI DSS and ISO 42001 alongside frameworks its AI-BOM output 'helps customers achieve conformity with' -- this is about Mend's product output supporting customer compliance programs, not certifications Mend.io itself holds. Graded held=false for both to avoid an over-claim; worth a final human check given the adjacency in the source page's wording.
    • ISO 27017 and ISO 27701 are supported by an 'integrated ISMS incorporating controls for' language on the live trust page but are not separately itemized in the more detailed (Aug 2024) accreditations-overview PDF, which lists only ISO 27001 and SOC 2 by name. Graded held=true on the strength of the trust-page statement, but this is a softer claim than the PDF's explicit ISO 27001/SOC 2 language.

    // At a glance

    Pricing model

    Enterprise SaaS subscription (sales-led; demo/tour offered, no public self-serve pricing found).

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Mend.io (formerly WhiteSource Software Ltd.)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-09. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    mend.io

    > Browse all vendor trust reports