// Trust & Security Report
Wise Payments Limited (Wise plc group; regional entities include Wise Europe SA, Wise Assets Europe AS)
Global money-movement platform: Wise Account and Wise Business (multi-currency accounts, international transfers, debit card), Wise Platform (B2B/API payments infrastructure for banks and fintechs), and Wise Assets (interest-bearing balances via a separately regulated investment entity).
Certifications held
5
Maturity
Enterprise
Trains on your data
Unknown
Trust center
No
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on wise.com“Coalfire Certification, Inc. certifies that the following organization operates an Information Security Management System (ISMS) that conforms to the requirements of ISO/IEC 27001:2022... COMPANY: Wise Payments Ltd... Scope: The certificate scope comprises the Information Security Management System supporting the operations underlying the Wise financial service offerings: Wise Account, Wise Business, and Wise Platform. Certificate Number 2020-080301, Certificate Issuance Date July 10, 2025, Expiration Date August 3, 2026.”
Verify on wise.com“Thanks to their SOC 1 type 2, SOC 2 type 2, PCI DSS, and ISO 27001 certifications and GDPR compliance, you can feel confident entrusting Wise with all your transactions.”
Verify on wise.com“Thanks to their SOC 1 type 2, SOC 2 type 2, PCI DSS, and ISO 27001 certifications and GDPR compliance, you can feel confident entrusting Wise with all your transactions.”
Verify on wise.com“Thanks to their SOC 1 type 2, SOC 2 type 2, PCI DSS, and ISO 27001 certifications and GDPR compliance, you can feel confident entrusting Wise with all your transactions.”
Verify on wise.com“Enter into EU Standard Contractual Clauses approved by the European Commission and the UK International Data Transfer Addendum issued by the Information Commissioner's Office with the data importer, where the EU or UK GDPR apply.”
> Show 7 unconfirmed / not-held certifications
source: wise.comNo public evidence Wise handles protected health information or claims HIPAA status; Wise is a regulated payments/e-money institution, not a healthcare business associate. Not applicable to its product scope.
source: wise.comNo public evidence found on Wise's own domain of a separate ISO 27017 certificate.
source: wise.comNo public evidence found on Wise's own domain of a separate ISO 27018 certificate.
No public evidence found on Wise's own domain of an ISO 27701 certificate.
source: wise.comNo public evidence found; Wise's privacy notice discloses use of AI/ML and generative AI internally but does not reference an ISO 42001 or CSA STAR AI certification.
No public evidence found on Wise's own domain of CSA STAR registration or certification.
No public evidence found; not applicable, Wise is not a US government cloud service provider.
// Privacy & AI training
Trains on customer data
Not stated
Data processing agreement
Not offered
Data region
Multi-entity, jurisdiction-dependent: Wise Payments Limited (UK, FCA-regulated), Wise Europe SA (Belgium, regulated by the National Bank of Belgium for the EEA), Wise Assets Europe AS (Estonia, regulated by the Estonian Financial Supervision and Resolution Authority for investment products), plus US, Singapore, Australia, Japan, and other local entities. International transfers use EU Standard Contractual Clauses and the UK International Data Transfer Addendum.
Wise's privacy notices (personal and business) state: 'We may use Artificial Intelligence ("AI"), including machine learning models and generative AI large language models (LLMs) to improve the efficiency and effectiveness of our services and our financial crime and fraud prevention processes,' and commit that 'We will always let our customers know if they are interacting directly with an AI system.' No explicit statement was found confirming or denying that customer transaction/content data is used to train third-party foundation models, nor is a customer-facing opt-out described in the pages reviewed. Treat as unconfirmed pending a direct vendor confirmation.
// Security controls
Encryption in transit (API)
Wise Platform API documentation describes OAuth 2.0 for partner auth, with mTLS and JOSE/JWE for enhanced-security integrations; sensitive card data is end-to-end encrypted client-side using the JWE standard before transmission.
docs.wise.comAPI authentication
OAuth 2.0 for all partner accounts; mTLS and Strong Customer Authentication (SCA) available/required for sensitive operations; guidance to store credentials in a secrets manager and rotate client secrets periodically.
docs.wise.comAccount authentication
Wise uses 2-factor authentication to protect consumer accounts and transactions.
wise.comFraud monitoring
Automated, always-on fraud monitoring and dedicated fraud/security teams cited on the homepage (marketing claim, no independent audit reviewed).
wise.comFund safeguarding
Customer funds are held segregated from Wise's own money, in cash, secure liquid assets (short-duration government bonds), or insured equivalents, per regulatory safeguarding obligations.
wise.comISMS certification
ISO/IEC 27001:2022 certified (Wise Payments Ltd), scope covering Wise Account, Wise Business, and Wise Platform; certificate valid through August 3, 2026.
wise.com// Products & data scope
data: Personal identity/KYC data, transaction data, device data
Covered by ISO 27001 certificate scope; FCA/EEA regulated e-money/payments entity.
data: Business KYC/beneficial-ownership data, transaction data, team member access data
Covered by ISO 27001 certificate scope.
data: Partner and end-customer transaction data passed via API, card data (PCI-scoped) for card issuing
Covered by ISO 27001 certificate scope; PCI DSS self-attested (see certifications); API security via OAuth2/mTLS/SCA.
data: Same customer identity data plus investment-suitability data
Provided by Wise Assets Europe AS, a separately regulated investment firm (Estonian FSA); NOT explicitly named in the reviewed ISO 27001 certificate scope statement, which lists only Wise Account, Wise Business, and Wise Platform - flagged as a scope gap to verify with the vendor.
// What to watch
- Identity-conflation risk: 'wise.is' is an unrelated Icelandic enterprise-software company and 'Wisetack' is a separate US fintech; neither's certifications belong to Wise.com/Wise plc. Verified the ISO 27001 certificate and blog claims come from wise.com/docs.wise.com only.
- SOC 1 Type 2, SOC 2 Type 2, and PCI DSS are only backed by a marketing-blog self-attestation (wise.com/us/blog/is-wise-business-safe) on the vendor's own domain; no downloadable certificate, AOC, or audit report was locatable publicly (typical, as these are usually shared under NDA), so confidence on those three specific certs is lower than the directly-verified ISO 27001 certificate.
- The captured ISO 27001 certificate scope explicitly names Wise Account, Wise Business, and Wise Platform but does not name Wise Assets Europe AS (the interest/investment product) - do not assume investment-product infrastructure is covered by the same ISMS scope.
- Privacy notice discloses use of AI/ML and generative AI internally (fraud prevention, service efficiency) but does not clearly state whether customer data is used to train models or whether an opt-out exists; treat trains_on_customer_data as unconfirmed, not false.
- No public trust center / security portal (e.g. no SafeBase/Vanta-style trust page) was found; compliance claims are scattered across a certificate download link, help-centre articles, and blog posts rather than a single vendor-maintained trust hub.
- Wise is a regulated financial-services company (e-money/payments/investment licenses), not primarily an 'AI tool' - confirm this listing's category fit for an AI-tools directory before publishing alongside SaaS/AI products.
// At a glance
Pricing model
Usage-based: per-transfer fee plus exchange-rate markup shown transparently at checkout; free account opening; Wise Platform/API pricing is custom/negotiated for partner institutions.
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Wise Payments Limited (Wise plc group; regional entities include Wise Europe SA, Wise Assets Europe AS)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-09. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
wise.com