// Trust & Security Report

    Wrike, Inc. logo

    Wrike, Inc.

    Wrike enterprise work management platform (project/work management SaaS), Wrike AI (Copilot, AI agents, AI insights), Wrike Lock (customer-managed encryption keys), Wrike Integrate, Wrike API, MCP Server, and Klaxoon (a Wrike company)

    Certifications held

    9

    Maturity

    Enterprise

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    SOC2 Type II: This independent, third-party examination ... of the controls Wrike uses to protect customer data.

    Verify on cdn.wrike.com
    SOC 3
    HELD

    Security built for your most sensitive work. ISO 27001, SOC 2, SOC 3, GDPR.

    Verify on wrike.com
    ISO/IEC 27001
    HELD

    ISO 27001: Proof of industry-standard Information Security Management System, ensuring total security and privacy for customers' data.

    Verify on wrike.com
    ISO/IEC 27017
    HELD

    ISO 27017: A certificate validating expertise in secure cloud services and our robust risk assessment capabilities in cloud environments.

    Verify on wrike.com
    ISO/IEC 27018
    HELD

    ISO 27018: Evidence of commitment to global standards in protecting personal identifiable information in the cloud.

    Verify on wrike.com
    ISO/IEC 27701
    HELD

    ISO 27701: A certificate asserting adherence to recognized privacy policy compliance and that processes meet international privacy standards.

    Verify on wrike.com
    TX-RAMP Level 1
    HELD

    TX-RAMP level 1 (referenced alongside SOC 2 Type II and the ISO 27K series in Wrike's certifications blog).

    Verify on wrike.com
    HIPAA (Business Associate Agreement)
    HELD

    HIPAA: ... Wrike has a Business Associate Agreement that meets industry standards and requirements as well as the HIPAA Security Rule.

    Verify on cdn.wrike.com
    GDPR / CCPA compliance (DPA + SCCs)
    HELD

    GDPR & CCPA: For customers who request it, we have [DPA] ... Standard [Contractual Clauses are incorporated by reference in the DPA].

    Verify on wrike.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    US and EU data centers; customer can request placement (US or EU)

    Wrike is a processor of Customer Data and states it generally cannot read content due to platform security features. Privacy Policy: 'Wrike does not permit third-party providers engaged to provide transcription, storage, analytics, or AI-assisted services to use such data to train their own general-purpose AI models, except where expressly authorized by Wrike and permitted by applicable law and contract.' Terms define Wrike AI as generative AI that creates output 'based on Customer Data that Customer provides... as input to Wrike AI' (in-context use, not foundation-model training on customer data). Customers are barred from using Wrike AI to build competing foundation models. Separately, Wrike may use AI tools on its own sales/marketing email and recorded videoconferences (with consent), which is non-Customer-Data first-party processing.

    // Security controls

    Encryption at rest (Wrike Lock / customer-managed keys)

    Wrike Lock lets customers own and manage encryption keys with AES-256 bit encryption (enterprise add-on)

    cdn.wrike.com

    Data center physical security

    Dedicated physical space in top-tier US and EU data centers; 24/7 manned security, biometric access, redundant power, surveillance

    cdn.wrike.com

    Uptime

    Stated uptime over 99.9%

    wrike.com

    Vulnerability reporting

    Dedicated 'Report a Security Vulnerability' channel (responsible disclosure). No public paid bug-bounty program (HackerOne/Bugcrowd) found on vendor domain.

    wrike.com

    AI security review

    AI/ML projects undergo threat modeling and security reviews from design to implementation, including OWASP ML Security checks

    wrike.com

    // Products & data scope

    Wrike platform (work/project management SaaS)Enterprise work management

    data: Customer Data (tasks, projects, files, comments). Wrike is processor; customer is controller. Business-only, not for consumers.

    Covered by SOC 2, ISO 27K series, GDPR/CCPA DPA. HIPAA PHI only allowed in Wrike-designated portions and with a signed BAA.

    Wrike AI (Copilot, AI agents, AI insights)Generative + analytical AI features

    data: Operates on Customer Data provided as input; output becomes Customer Data once submitted. No use of customer data to train general-purpose/foundation models.

    Wrike AI Output carries no warranty/ownership guarantee and may be non-unique. Role-based access and Wrike Lock extend to agents.

    Wrike LockCustomer-managed encryption keys add-on

    data: Customer holds/manages AES-256 encryption keys to their Wrike data

    Enterprise/desktop-tier add-on; strengthens data sovereignty.

    Wrike API + MCP Server + Wrike IntegrateIntegration / automation / AI connectivity

    data: Programmatic access to Customer Data; MCP Server connects external AI assistants to Wrike

    400+ integrations. Third-party integrations may carry the third party's own terms.

    Klaxoon (a Wrike company)Visual collaboration / workshop tool

    data: Separate acquired product; distinct data scope, verify Klaxoon's own policies for its standalone use

    Acquired brand operating under Wrike; compliance scope may differ from core Wrike platform.

    // What to watch

    • No public paid bug-bounty program (HackerOne/Bugcrowd) found on vendor domain; only a responsible-disclosure vulnerability reporting channel.
    • Penetration testing not confirmed by a direct quote on the vendor domain (AI security/threat-modeling reviews are documented; formal third-party pentest cadence not explicitly quoted).
    • HIPAA support is conditional: PHI permitted only in Wrike-designated portions of the Service and only after signing a BAA.
    • Trust center (security.wrike.com) is JS-rendered; gated documents (SOC 2 report, ISO certs, pentest summaries) require login/NDA to download.

    // At a glance

    Pricing model

    Subscription, per-user (Full and Limited User licenses); free tier, paid tiers, and Enterprise with Contact Sales. Business-only (not for consumers).

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Wrike, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    security.wrike.com

    > Browse all vendor trust reports