Draft for review. Wendel is pre-pilot. The controls described below reflect the company's current implementation; third-party attestations (SOC 2 Type II, ISO 27001) have not yet been issued because Wendel has not yet been operational long enough to qualify for the relevant audit windows.
Wendel, Inc.

Security Overview

Effective: May 14, 2026
Last revised: May 14, 2026
Version: 0.1 (draft)

§1 Overview and Scope

This Security Overview (this "Overview") describes the administrative, physical, and technical safeguards implemented by Wendel, Inc. ("Wendel") to protect School Data Processed in connection with the Wendel platform (the "Services"). It applies to all production components of the Services, including application servers, databases, object storage, edge caches, and the operational tooling used to manage the foregoing. This Overview is incorporated by reference into the Wendel Privacy Policy and, where executed, the applicable data-processing agreement (each, a "DPA").

§2 Information-Security Governance

Wendel maintains a written information-security program (the "Program") aligned with the National Institute of Standards and Technology Cybersecurity Framework (CSF) 2.0 and informed by the controls catalog of ISO/IEC 27001:2022. The Program is reviewed by Wendel's leadership not less than annually and following any material change to the Services or any Security Incident. Wendel designates a Chief Security Officer (or equivalent) accountable for the Program; pending appointment, the founding engineering lead serves in that capacity.

§3 Personnel Security

  1. All Wendel personnel with access to production systems are subject to a documented background check prior to commencement of duties, to the extent permitted by applicable law.
  2. All personnel execute confidentiality undertakings and acknowledge the Acceptable Use Policy as a condition of employment or engagement.
  3. Personnel complete mandatory information-security and privacy training upon onboarding and at least annually thereafter; completion is tracked.
  4. Access to production systems is revoked within twenty-four (24) hours of separation from Wendel or upon a documented change in role.

§4 Access Control and Authentication

Access to production systems is granted on the principles of least privilege and need-to-know. All administrative and engineering access requires multi-factor authentication (MFA) using FIDO2 hardware security keys or equivalent phishing-resistant authenticators. Shared credentials are prohibited; every action is attributable to a specific named identity.

End Users authenticate to the Services through the School's configured identity provider (typically Google Workspace for Education or Microsoft Entra ID) or through Wendel-issued credentials secured with bcrypt password hashing (cost factor 12 or greater) and rate-limited login attempts.

§5 Tenant Isolation

Each School constitutes a separate logical tenant within the Services. All database queries are scoped through a tenant-aware query layer that resolves the requesting End User's School identifier prior to execution, such that a request originating from one tenant cannot return data belonging to another tenant under any circumstance. The tenant scope is enforced both at the application layer and through row-level-security policies on the underlying PostgreSQL database. Automated tests verify tenant isolation as part of the continuous-integration pipeline.
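The tenant-aware query layer and the CI isolation check described above, as an added illustration that is not Wendel's own code: the layer resolves the caller's School from the authenticated user (never from request input), binds it as the first parameter of every statement, and fails closed on any statement that lacks a tenant predicate. The PostgreSQL row-level-security policy is shown as a reference string only; the table and column names, the `app.current_school` session setting, and the constructed sample rows are assumptions, and the block itself runs against an in-memory SQLite database so it executes offline.

```python
import re
import sqlite3

# Reference only (not executed here): a PostgreSQL row-level-security policy of
# the kind the document describes. Table/column names and the
# "app.current_school" setting are assumptions for this example.
POSTGRES_RLS_POLICY = """
ALTER TABLE attendance ENABLE ROW LEVEL SECURITY;
ALTER TABLE attendance FORCE ROW LEVEL SECURITY;
CREATE POLICY attendance_by_tenant ON attendance
    USING (school_id = current_setting('app.current_school')::integer);
"""

SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, school_id INTEGER NOT NULL);
CREATE TABLE attendance (id INTEGER PRIMARY KEY, school_id INTEGER NOT NULL,
                         student_id INTEGER NOT NULL, status TEXT NOT NULL);
"""

# Constructed sample data: two Schools (tenants 100 and 200), one user in each.
SAMPLE_ROWS = [
    ("INSERT INTO users VALUES (?, ?)", [(1, 100), (2, 200)]),
    ("INSERT INTO attendance VALUES (?, ?, ?, ?)",
     [(1, 100, 11, "present"), (2, 100, 12, "absent"), (3, 200, 21, "present")]),
]


class TenantScopeError(Exception):
    """Raised when a statement would run without a bound tenant predicate."""


class TenantScopedDB:
    """Tenant-aware query layer: resolves the requesting user's School before
    execution and binds it into every statement as the first parameter."""

    # Every statement must carry a bound school_id predicate.
    TENANT_PREDICATE = re.compile(r"\bschool_id\s*=\s*\?", re.IGNORECASE)

    def __init__(self, conn):
        self.conn = conn

    def resolve_school(self, user_id):
        row = self.conn.execute(
            "SELECT school_id FROM users WHERE id = ?", (user_id,)).fetchone()
        if row is None:
            raise PermissionError(f"unknown user {user_id}")
        return row[0]

    def query(self, user_id, sql, params=()):
        # Defence in depth at the application layer: a statement whose text
        # lacks "school_id = ?" fails closed instead of returning all tenants.
        if not self.TENANT_PREDICATE.search(sql):
            raise TenantScopeError("statement is not tenant-scoped: " + sql)
        school_id = self.resolve_school(user_id)
        # The tenant id is server-resolved and occupies the first placeholder;
        # client-supplied parameters can only narrow the result further.
        return self.conn.execute(sql, (school_id, *params)).fetchall()

    def attendance_for_student(self, user_id, student_id):
        return self.query(
            user_id,
            "SELECT id, student_id, status FROM attendance "
            "WHERE school_id = ? AND student_id = ?",
            (student_id,),
        )


def build_db():
    """Create the in-memory database with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for sql, rows in SAMPLE_ROWS:
        conn.executemany(sql, rows)
    return TenantScopedDB(conn)


def tenant_isolation_test():
    """CI-style check: user 1 (School 100) can read its own rows, gets nothing
    when asking for a School-200 student by id, and cannot run an unscoped query."""
    db = build_db()
    own = db.attendance_for_student(user_id=1, student_id=11)
    cross = db.attendance_for_student(user_id=1, student_id=21)  # belongs to School 200
    try:
        db.query(1, "SELECT * FROM attendance")
        unscoped_rejected = False
    except TenantScopeError:
        unscoped_rejected = True
    return {"own_rows": len(own), "cross_rows": len(cross),
            "unscoped_rejected": unscoped_rejected}


if __name__ == "__main__":
    print(tenant_isolation_test())
```

The regex guard is an application-layer backstop, not a replacement for the database-side policy: it catches a statement that forgot its WHERE clause, while row-level security guarantees the result set is filtered even if the application layer is bypassed entirely.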

§6 Cryptography and Key Management

School Data is encrypted in transit using Transport Layer Security version 1.2 or later, with cipher suites limited to those rated "recommended" by the Mozilla SSL Configuration Generator. All certificates are issued by a publicly trusted certificate authority and rotated automatically at least ninety (90) days prior to expiration.

School Data is encrypted at rest using the Advanced Encryption Standard with 256-bit keys (AES-256). Cryptographic keys are managed by Wendel's managed infrastructure provider using FIPS 140-2 validated hardware-security modules. Application-level secrets (such as API tokens and database credentials) are stored in a dedicated secrets-management system with access logged and audited.

§7 Network Security and Hardening

Production infrastructure is segmented from corporate networks and from non-production environments. Public ingress to production is limited to (a) TLS-terminating load balancers and (b) the application's public HTTP endpoints. Direct ingress to databases, object stores, or compute instances from the public internet is denied at the network-firewall layer. Outbound network traffic from production is restricted to a documented allow-list of Subprocessor endpoints.

§8 Application-Layer Security

  1. All session cookies are issued with the HttpOnly, Secure, and SameSite=Lax attributes.
  2. Cross-Site Request Forgery (CSRF) protections are applied to all state-mutating endpoints.
  3. A Content-Security Policy header is set on all responses to restrict script sources to Wendel-controlled origins.
  4. Input validation is performed at the application layer using strict schemas; parameterized queries are used exclusively at the database layer.
  5. Rate-limiting is applied to authentication, attendance check-in, and rotating-QR-code generation endpoints to mitigate enumeration and abuse.
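The controls in items 1, 2, 3 and 5 above, together with the rate-limited login attempts mentioned in Section 4, as an added example that is not Wendel's own code: a session cookie carrying the three listed attributes, an HMAC-bound CSRF token checked on state-mutating requests, a Content-Security-Policy that limits script sources to the first-party origin, and a sliding-window rate limiter suitable for authentication or check-in endpoints. The server secret, the origin `app.example.invalid`, and the limits of 5 attempts per 60 seconds are constructed placeholders.

```python
import hashlib
import hmac
import secrets
import time
from collections import defaultdict, deque

# Constructed placeholders; in a real deployment the secret comes from the
# secrets-management system and the origin is the application's own host.
CSRF_SECRET = b"constructed-example-secret-not-for-production"
FIRST_PARTY_ORIGIN = "https://app.example.invalid"


def session_cookie(session_id):
    """Set-Cookie value with the HttpOnly, Secure and SameSite=Lax attributes."""
    return f"session={session_id}; Path=/; HttpOnly; Secure; SameSite=Lax"


def security_headers():
    """Response headers; the CSP allows scripts only from the first-party origin."""
    return {
        "Content-Security-Policy": (
            f"default-src 'self'; script-src 'self' {FIRST_PARTY_ORIGIN}; "
            "object-src 'none'; base-uri 'self'; frame-ancestors 'none'"
        ),
        "X-Content-Type-Options": "nosniff",
        "Referrer-Policy": "strict-origin-when-cross-origin",
    }


def issue_csrf_token(session_id):
    """Token bound to the session: random nonce plus HMAC over session and nonce."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(CSRF_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id, token):
    """Constant-time check that the token was issued for this session."""
    try:
        nonce, mac = token.split(".", 1)
    except (AttributeError, ValueError):
        return False
    expected = hmac.new(CSRF_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


class SlidingWindowLimiter:
    """Allow at most `limit` events per `window` seconds for each key
    (for example a username or client address on the login endpoint)."""

    def __init__(self, limit, window, clock=time.monotonic):
        self.limit = limit
        self.window = window
        self.clock = clock          # injectable so tests can control time
        self.events = defaultdict(deque)

    def allow(self, key):
        now = self.clock()
        q = self.events[key]
        while q and now - q[0] >= self.window:
            q.popleft()             # drop events outside the window
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def handle_state_change(session_id, csrf_token, limiter, client_key):
    """Decision for a state-mutating request: rate limit first, then CSRF."""
    if not limiter.allow(client_key):
        return 429, {}
    if not verify_csrf_token(session_id, csrf_token):
        return 403, {}
    return 200, security_headers()


if __name__ == "__main__":
    lim = SlidingWindowLimiter(limit=5, window=60)
    sid = secrets.token_urlsafe(16)
    tok = issue_csrf_token(sid)
    print(session_cookie(sid))
    print(handle_state_change(sid, tok, lim, "client-a")[0])
```

Binding the CSRF token to the session id means a token stolen from one session is useless in another, and the limiter's injectable clock lets the rate-limit behaviour be asserted deterministically in CI rather than with sleeps.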

§9 Vulnerability Management and Patching

Wendel monitors first-party and third-party dependencies for known vulnerabilities through automated dependency scanning and the National Vulnerability Database. Critical-severity vulnerabilities in production components are remediated within seven (7) days of discovery; high-severity vulnerabilities within thirty (30) days; medium-severity within ninety (90) days, in each case subject to availability of a vendor-supplied fix.

Annual third-party penetration testing is conducted against the production environment. The most recent report is made available to Schools under DPA upon written request subject to a customary confidentiality undertaking.

§10 Logging, Monitoring, and Audit

Wendel maintains structured, immutable, append-only audit logs of (a) all access to Personal Information by Wendel personnel; (b) all administrative actions taken within a School's tenant; (c) all authentication events; and (d) all changes to access rights. Logs are retained for a minimum of one (1) year and are monitored continuously for anomalies. Schools may request a copy of their tenant's audit log at any time.

§11 Secure Software-Development Lifecycle

  1. All code changes are reviewed by at least one engineer other than the author prior to merge to the main branch.
  2. Continuous integration runs static-analysis and dependency-vulnerability checks on every pull request.
  3. Production deployments are performed exclusively through an automated continuous-deployment pipeline; manual deployment to production is prohibited absent a documented break-glass procedure.
  4. Feature flags are used to roll out high-risk changes incrementally; rollbacks are achievable within minutes.
  5. Threat modeling is performed for any new feature that introduces a new data-flow or trust boundary.

§12 Security-Incident Response

Wendel maintains a documented incident-response plan with defined roles, escalation paths, and communication templates. A 24×7 on-call rotation is staffed by Wendel engineering. Upon confirmation of a Security Incident affecting an identifiable School's End Users, Wendel will notify the affected School without undue delay and in any event no later than seventy-two (72) hours after confirmation, in accordance with the notification commitments set forth in Section 17 of the Privacy Policy and the applicable DPA.

§13 Business Continuity and Disaster Recovery

Wendel maintains a documented business-continuity and disaster-recovery plan with a recovery-time objective (RTO) of four (4) hours and a recovery-point objective (RPO) of fifteen (15) minutes for production data stores. Backups of production databases are taken continuously through write-ahead-log shipping and are retained for a minimum of thirty (30) days. Restore procedures are tested at least annually and following any material change to the production architecture.

§14 Subprocessor Due Diligence

Wendel performs a security due-diligence review of every Subprocessor prior to engagement. Subprocessors must (a) hold an industry-recognized security attestation (SOC 2 Type II, ISO/IEC 27001, or equivalent); (b) bind themselves contractually to obligations no less protective than those that apply to Wendel under the applicable DPA; and (c) commit to notifying Wendel promptly of any Security Incident. Subprocessors are reviewed at least annually. The current Subprocessor list is published in Section 13 of the Privacy Policy.

§15 Physical and Environmental Controls

Wendel does not operate its own data centers. Physical and environmental controls for production infrastructure are inherited from Wendel's managed-infrastructure Subprocessors, each of which maintains a SOC 2 Type II or equivalent attestation. Wendel personnel are prohibited from storing Personal Information on unmanaged endpoints or removable media.

§16 Asset and Endpoint Management

All Wendel-issued endpoints with access to production systems are enrolled in a mobile-device-management solution that enforces (a) full-disk encryption; (b) screen-lock with a maximum unlock interval of fifteen (15) minutes; (c) automatic OS-level security updates; and (d) endpoint-detection and response (EDR) tooling. Personally owned endpoints are not permitted to access production systems absent an explicit, documented exception approved by the Chief Security Officer.

§17 Data Handling and Classification

Wendel classifies data into three tiers: (a) Restricted - School Data, Education Records, and credentials; (b) Internal - operational metrics, application logs without Personal Information, and internal business records; and (c) Public - marketing content and public documentation. Storage, access, and transmission controls are applied commensurate with classification; Restricted data is encrypted in transit and at rest at all times and is subject to the access-control protections set forth in Section 4.

§18 Audits, Certifications, and Third-Party Assessments

Wendel intends to commission an independent third-party SOC 2 Type II examination once it satisfies the applicable audit-readiness thresholds (typically twelve (12) months of operational history with the controls in effect). Pending the availability of a SOC 2 Type II report, Wendel will provide, upon written request and subject to a customary confidentiality undertaking:

  1. Wendel's written information-security policies;
  2. the most recent third-party penetration-test summary;
  3. the current Subprocessor list with each Subprocessor's compliance certifications; and
  4. a written response to a reasonable security questionnaire submitted by the School.

§19 Coordinated Vulnerability Disclosure

Wendel welcomes good-faith reports of security vulnerabilities affecting the Services. Reports should be submitted to security@trywendel.com. Wendel will acknowledge receipt within three (3) business days and provide a status update within fourteen (14) days. Wendel will not pursue legal action against any researcher who reports a vulnerability in good faith, avoids privacy violations and degradation of the Services, and provides Wendel a reasonable opportunity to remediate prior to public disclosure.

§20 Contact

Security inquiries should be directed to security@trywendel.com. Encryption keys for confidential communication are available upon request.
Wendel, Inc.
Attn: Security
[Mailing address to be provided to Schools upon execution of a DPA]