// Trust & Security Report
Wrike, Inc.
Wrike AI: generative AI features embedded in the Wrike work management platform, including Wrike Copilot (AI assistant), AI Agents (task routing, intake, sprint management), AI Insights, AI Essentials and AI Elite tiers, Wrike MCP Server, and Whiteboard AI. All AI features run on top of the core Wrike SaaS platform.
Certifications held
11
Maturity
Enterprise
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on security.wrike.com“Wrike Type II SOC 2 Report and Wrike SOC2 Bridge Letter for 2026 are listed as downloadable resources in the Trust Center. Trust center compliance section explicitly lists SOC 2 Type II.”
Verify on security.wrike.com“Wrike Type II SOC 3 Report listed as a downloadable resource in the Trust Center alongside SOC 2. Trust center compliance section explicitly lists SOC 3 Type II.”
Verify on security.wrike.com“ISO 27001:2022 certificate listed as a downloadable resource in the Trust Center. Trust center compliance section explicitly lists ISO 27001:2022.”
Verify on security.wrike.com“ISO 27017:2015 certificate listed as a downloadable resource in the Trust Center. Trust center compliance section explicitly lists ISO 27017:2015.”
Verify on security.wrike.com“ISO 27018:2019 certificate listed as a downloadable resource in the Trust Center. Trust center compliance section explicitly lists ISO 27018:2019.”
Verify on security.wrike.com“ISO 27701:2019 certificate listed as a downloadable resource in the Trust Center. Trust center compliance section explicitly lists ISO 27701:2019.”
Verify on security.wrike.com“Wrike is now HIPAA certified! Published May 21, 2026. Wrike got independently assessed against HIPAA and HITECH. You will find our HIPAA Type 1 Report in our Trust Center under Resources. NOTE: This is a Type 1 (design assessment) report, not Type 2 (operational effectiveness over time). BAA is separately available. PHI permitted only in Wrike-designated portions of the Service and only after signing a BAA.”
Verify on security.wrike.com“Trust center lists GDPR in the compliance section. Privacy policy states Wrike acts as data processor under GDPR. DPA referenced at https://www.wrike.com/legal/trust-center/ and incorporated into Terms of Service.”
Verify on security.wrike.com“Trust center compliance section lists CCPA COMPLIANT. Wrike maintains a dedicated Privacy Choices page for California residents and a CA Notice at Collection.”
Verify on security.wrike.com“CSA STAR Level 1 listed in trust center compliance section. Wrike Cloud Security Alliance STAR L1 listing (CAIQ) is listed as a downloadable questionnaire. NOTE: CSA STAR Level 1 is a self-assessment via the CAIQ form, not an independent third-party certification (Level 2 would be third-party certified).”
Verify on security.wrike.com“TX-RAMP Level 1 listed in trust center compliance section. TX-RAMP Level 1 certificate available as a downloadable resource.”
> Show 4 unconfirmed / not-held certifications
source: security.wrike.comNo mention of FedRAMP in the trust center or any captured pages. Not listed among certifications.
source: security.wrike.comNo mention of PCI DSS in the trust center or any captured pages. Not listed among certifications.
source: security.wrike.comNo mention of ISO 42001 in the trust center. Wrike has an AI Ethics Policy and an 'AI security' controls section listed, but no ISO 42001 certification is claimed.
source: security.wrike.comNo mention of CSA STAR AI certification on vendor domain. Only CSA STAR Level 1 (general) self-assessment is held.
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
US and EU data centers; customers can request region placement (US or EU)
Wrike is a data processor for Customer Data under GDPR. The ToS defines Wrike AI as generative AI that creates output 'based on Customer Data that Customer provides... as input to Wrike AI' (in-context use, not foundation-model training). Privacy Policy states: 'Wrike does not permit third-party providers engaged to provide transcription, storage, analytics, or AI-assisted services to use such data to train their own general-purpose AI models, except where expressly authorized by Wrike and permitted by applicable law and contract.' Customers are also explicitly barred from 'using Wrike AI to develop foundation models or other large-scale models that compete with Wrike or Wrike AI.' One flag: the Privacy Policy mentions 'internal training' in the context of AI-assisted processing of sales videoconferences and emails -- this is Wrike's own first-party business operations (not customer platform data), but the phrasing is slightly ambiguous. Wrike has published a separate AI Ethics Policy (available in the Trust Center). Wrike AI Output becomes Customer Data once submitted back to the Service.
// Security controls
Encryption in transit
Implied by 'Data encryption utilized' listed under product security controls in the Trust Center; TLS for data in transit is standard for Wrike's SaaS.
security.wrike.comEncryption at rest (customer-managed keys)
Wrike Lock add-on provides customer-owned AES-256 encryption key management for enterprise customers (data sovereignty option).
security.wrike.comPenetration testing
Wrike Platform Pentest Report 2025 is listed as a downloadable resource in the Trust Center. 'Penetration testing performed' listed under product security controls.
security.wrike.comAI security controls
Dedicated 'AI security' section in trust center controls, covering information security in supplier relationships, ICT supply chain management, and monitoring/change management. Wrike AI Ethics Policy is a published policy document.
security.wrike.comDisaster recovery and business continuity
'Continuity and Disaster Recovery plans established' and 'Continuity and Disaster Recovery plans tested' listed under internal security procedures controls.
security.wrike.comCybersecurity insurance
'Cybersecurity insurance maintained' listed under internal security procedures controls.
security.wrike.comVulnerability assessment / access controls
Trust center lists 200+ controls each in infrastructure, organizational, product, and internal security categories. Unique production database authentication, encryption key access restriction, and unique account authentication are explicitly highlighted.
security.wrike.com// Products & data scope
data: Operates on Customer Data within the Wrike platform: tasks, projects, forms, boards, inbox. AI dashboard highlights, AI in automation rules, AI in request forms, AI in work items (content creation, editing, summaries), AI mobile features, Board AI.
Included in mid-market and enterprise plans. Customer Data stays within the Wrike platform. Third-party LLM providers are sub-processors; cannot use data to train their own general-purpose models per Wrike policy.
data: All of AI Essentials plus Wrike Copilot (AI assistant), AI Agents (intake, routing, sprint management, approvals), AI widget creation, Whiteboard assistant.
Enterprise tier. AI Agents operate on Customer Data to automate multi-step workflows. Human control is maintained; AI outputs require human acceptance before submission to the Service.
data: Answers questions and summarizes work data within a customer's Wrike workspace (Customer Data in-context only).
Built into Wrike projects. Output is Customer Data once submitted. Does not train Wrike's underlying models on the workspace content.
data: Connects external AI assistants (e.g., Claude, other MCP-compatible clients) to a customer's Wrike workspace via the MCP protocol.
Extends Wrike AI surface to external AI tooling. Customer-authorized third-party AI assistants operate under the customer's Wrike permissions and Wrike's standard data handling posture.
// What to watch
- HIPAA assessment is Type 1 only (design of controls), freshly certified May 2026. Type 2 (operational effectiveness over time) has not yet been attained. PHI use still requires a signed BAA and is restricted to Wrike-designated service portions.
- CSA STAR Level 1 is a self-assessment (CAIQ questionnaire fill-in) -- not a third-party-certified Level 2. This should not be presented on par with ISO or SOC certifications.
- AI training posture for Wrike's OWN models is not explicitly addressed: Privacy Policy restricts third-party AI sub-processors from training on customer data, but does not explicitly state Wrike itself does not use Customer Data to train or fine-tune its AI models. Based on context (Wrike as data processor, no explicit training claim) the assessment grades trains_on_customer_data=false, but an advisor review is advisable for high-sensitivity procurement.
- Privacy Policy includes 'internal training' among permitted uses of AI-processed videoconferences and emails -- this applies to Wrike's own first-party sales/communications (not customer platform data) but the phrasing is ambiguous.
- No ISO 42001 (AI governance) certification despite having a published AI Ethics Policy and an AI security controls section in the trust center. This is a gap for AI-governance-focused procurement evaluators.
- Trust center (security.wrike.com) is JS-rendered; gated SOC 2 report, ISO certificates, pentest summary, and other documents require NDA/login to download -- not publicly accessible.
// At a glance
Pricing model
Subscription, per-user (Full and Limited User licenses); AI features split into AI Essentials (mid-tier) and AI Elite (enterprise/add-on). Business-only, not for consumers. Enterprise pricing requires Contact Sales.
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Wrike, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
security.wrike.com