// Trust & Security Report
Wrike, Inc.
Wrike enterprise work management platform (project/work management SaaS), Wrike AI (Copilot, AI agents, AI insights), Wrike Lock (customer-managed encryption keys), Wrike Integrate, Wrike API, MCP Server, and Klaxoon (a Wrike company)
Certifications held
9
Maturity
Enterprise
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on cdn.wrike.com“SOC2 Type II: This independent, third-party examination ... of the controls Wrike uses to protect customer data.”
Verify on wrike.com“Security built for your most sensitive work. ISO 27001, SOC 2, SOC 3, GDPR.”
Verify on wrike.com“ISO 27001: Proof of industry-standard Information Security Management System, ensuring total security and privacy for customers' data.”
Verify on wrike.com“ISO 27017: A certificate validating expertise in secure cloud services and our robust risk assessment capabilities in cloud environments.”
Verify on wrike.com“ISO 27018: Evidence of commitment to global standards in protecting personal identifiable information in the cloud.”
Verify on wrike.com“ISO 27701: A certificate asserting adherence to recognized privacy policy compliance and that processes meet international privacy standards.”
Verify on wrike.com“TX-RAMP level 1 (referenced alongside SOC 2 Type II and the ISO 27K series in Wrike's certifications blog).”
Verify on cdn.wrike.com“HIPAA: ... Wrike has a Business Associate Agreement that meets industry standards and requirements as well as the HIPAA Security Rule.”
Verify on wrike.com“GDPR & CCPA: For customers who request it, we have [DPA] ... Standard [Contractual Clauses are incorporated by reference in the DPA].”
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
US and EU data centers; customer can request placement (US or EU)
Wrike is a processor of Customer Data and states it generally cannot read content due to platform security features. Privacy Policy: 'Wrike does not permit third-party providers engaged to provide transcription, storage, analytics, or AI-assisted services to use such data to train their own general-purpose AI models, except where expressly authorized by Wrike and permitted by applicable law and contract.' Terms define Wrike AI as generative AI that creates output 'based on Customer Data that Customer provides... as input to Wrike AI' (in-context use, not foundation-model training on customer data). Customers are barred from using Wrike AI to build competing foundation models. Separately, Wrike may use AI tools on its own sales/marketing email and recorded videoconferences (with consent), which is non-Customer-Data first-party processing.
// Security controls
Encryption at rest (Wrike Lock / customer-managed keys)
Wrike Lock lets customers own and manage encryption keys with AES-256 bit encryption (enterprise add-on)
cdn.wrike.comData center physical security
Dedicated physical space in top-tier US and EU data centers; 24/7 manned security, biometric access, redundant power, surveillance
cdn.wrike.comVulnerability reporting
Dedicated 'Report a Security Vulnerability' channel (responsible disclosure). No public paid bug-bounty program (HackerOne/Bugcrowd) found on vendor domain.
wrike.comAI security review
AI/ML projects undergo threat modeling and security reviews from design to implementation, including OWASP ML Security checks
wrike.com// Products & data scope
data: Customer Data (tasks, projects, files, comments). Wrike is processor; customer is controller. Business-only, not for consumers.
Covered by SOC 2, ISO 27K series, GDPR/CCPA DPA. HIPAA PHI only allowed in Wrike-designated portions and with a signed BAA.
data: Operates on Customer Data provided as input; output becomes Customer Data once submitted. No use of customer data to train general-purpose/foundation models.
Wrike AI Output carries no warranty/ownership guarantee and may be non-unique. Role-based access and Wrike Lock extend to agents.
data: Customer holds/manages AES-256 encryption keys to their Wrike data
Enterprise/desktop-tier add-on; strengthens data sovereignty.
data: Programmatic access to Customer Data; MCP Server connects external AI assistants to Wrike
400+ integrations. Third-party integrations may carry the third party's own terms.
data: Separate acquired product; distinct data scope, verify Klaxoon's own policies for its standalone use
Acquired brand operating under Wrike; compliance scope may differ from core Wrike platform.
// What to watch
- No public paid bug-bounty program (HackerOne/Bugcrowd) found on vendor domain; only a responsible-disclosure vulnerability reporting channel.
- Penetration testing not confirmed by a direct quote on the vendor domain (AI security/threat-modeling reviews are documented; formal third-party pentest cadence not explicitly quoted).
- HIPAA support is conditional: PHI permitted only in Wrike-designated portions of the Service and only after signing a BAA.
- Trust center (security.wrike.com) is JS-rendered; gated documents (SOC 2 report, ISO certs, pentest summaries) require login/NDA to download.
// At a glance
Pricing model
Subscription, per-user (Full and Limited User licenses); free tier, paid tiers, and Enterprise with Contact Sales. Business-only (not for consumers).
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Wrike, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
security.wrike.com