1. Executive Summary

Wistery Platform delivers enterprise-grade data intelligence solutions with security at its foundation. As an ISO 27001 certified organization, we maintain rigorous information security management practices across our entire product ecosystem, ensuring that customer data receives protection commensurate with its business value.

Our pure SaaS deployment model eliminates the security complexities and vulnerabilities inherent in on-premises or hybrid architectures. By operating exclusively on trusted cloud infrastructure, we leverage enterprise-class security controls that would be prohibitively expensive for individual organizations to implement and maintain. This approach allows us to focus on continuous security improvement rather than infrastructure management.

Wistery's security posture rests on several core principles:

Defense in Depth: Multiple layers of security controls protect data throughout its lifecycle, from collection through analysis to deletion. Network segmentation, encryption, authentication, and comprehensive logging work in concert to minimize risk.

Transparency and Accountability: We maintain detailed audit trails, conduct regular security assessments, and communicate openly with customers about our security practices and any incidents that may affect their data.

Compliance by Design: Our ISO 27001 certification reflects systematic alignment with internationally recognized security standards. Security policies, procedures, and controls undergo continuous monitoring and improvement through regular audits.

Shared Responsibility: While we secure the platform infrastructure and application layers, we recognize that effective security requires partnership. This whitepaper clarifies which security responsibilities Wistery manages and which areas require customer attention.

This document provides detailed information about Wistery's security architecture, data protection measures, operational controls, and compliance frameworks. It addresses the needs of security professionals conducting vendor assessments, compliance officers evaluating regulatory alignment, and executives making platform adoption decisions.


2. Security Governance & Compliance

ISO 27001 Certification

Wistery maintains ISO 27001 certification, demonstrating systematic compliance with internationally recognized information security standards. This certification validates that our Information Security Management System (ISMS) meets rigorous requirements for identifying, assessing, and managing security risks across the organization.

ISO 27001 certification requires continuous alignment between security policies, operational practices, and documented procedures. External auditors independently verify our controls across 14 security domains, including access management, cryptography, physical security, incident response, and business continuity. This third-party validation provides customers with assurance that Wistery's security claims reflect actual implemented controls, not aspirational goals.

Our certification scope encompasses all systems, processes, and personnel involved in delivering Wistery Platform services, including data collection infrastructure (ScrapeMonk), data processing pipelines (TidyMonk), product matching capabilities (MatchMonk), and analytics capabilities (PriceMonk). This comprehensive scope ensures consistent security practices across our entire product ecosystem.

Security Policies and Procedures

Wistery maintains documented security policies covering all aspects of information security management. These policies establish organization-wide requirements for data protection, access control, network security, incident response, and vendor management. Each policy undergoes annual review and updates to address emerging threats, evolving compliance requirements, and lessons learned from security assessments.

Supporting procedures translate policy requirements into operational practices. Staff members receive training on relevant security procedures during onboarding and through ongoing awareness programs. Security procedures cover authentication requirements, data handling standards, change management protocols, and incident reporting obligations.

The governance framework assigns clear accountability for security outcomes. Executive leadership maintains oversight through regular security reviews. Dedicated security personnel implement and monitor controls. All staff members bear responsibility for following security policies and reporting potential security issues.

Audits and Continuous Improvement

ISO 27001 certification requires both internal and external audits. Wistery conducts internal audits regularly to verify control effectiveness and identify improvement opportunities. Annual external surveillance audits by accredited certification bodies validate continued compliance with ISO 27001 requirements.

Audit findings drive continuous security improvements. We track corrective actions through completion and implement preventive measures to address systemic issues. Security metrics provide ongoing visibility into control effectiveness, vulnerability trends, and incident patterns.

The ISMS operates on a Plan-Do-Check-Act cycle, ensuring security practices evolve as the threat landscape changes. Regular risk assessments identify new threats requiring additional controls. Security assessments, penetration testing, and threat intelligence inform ongoing improvements to our security posture.


3. Infrastructure Security

AWS-Based Architecture

Wistery Platform operates on Amazon Web Services (AWS) infrastructure, using AWS services for compute, storage, database, and networking capabilities. This cloud-native architecture provides enterprise-grade security controls, redundancy, and compliance certifications that would be impractical for most organizations to implement independently.

Core infrastructure components include:

  • Compute: Amazon ECS (Elastic Container Service) hosts containerized application workloads, providing process isolation and resource management. Container images undergo security scanning before deployment.
  • Database: Amazon RDS (Relational Database Service) manages PostgreSQL databases with automated backups, encryption capabilities, and high availability configurations. Database access requires authentication and operates over encrypted connections.
  • Storage: Amazon S3 provides object storage for files, exports, and data processing artifacts. S3 buckets implement access policies limiting exposure to authorized services and users.
  • Key Management: AWS Key Management Service (KMS) manages encryption keys used for data protection. Keys remain under AWS control with Wistery having usage rights but not extraction capabilities.

AWS maintains extensive compliance certifications including SOC 1/2/3, ISO 27001, PCI DSS, and numerous regional and industry-specific standards. These certifications apply to the infrastructure layer, providing a strong foundation for Wistery's security controls.

Network Segmentation and Access Controls

Network architecture implements defense-in-depth through multiple security layers. Public-facing services operate in isolated network segments with controlled ingress and egress rules. Backend services reside in private subnets without direct internet exposure, accessible only through authenticated channels.

AWS Security Groups function as virtual firewalls, restricting network traffic to authorized protocols and sources. Database instances accept connections only from application servers, never directly from the internet. Administrative access requires VPN connectivity and multi-factor authentication.

Network traffic between AWS services uses private AWS networking where possible, avoiding exposure to the public internet. Communications between regions use AWS backbone infrastructure rather than traversing public networks.

Infrastructure Monitoring and Protection

AWS provides comprehensive infrastructure monitoring through CloudWatch and related services. Wistery monitors system metrics, application logs, and security events to detect anomalies and potential security issues. Automated alerts notify appropriate personnel when metrics exceed defined thresholds or suspicious patterns emerge.

AWS infrastructure includes distributed denial-of-service (DDoS) protection through AWS Shield, mitigating common network and transport layer attacks automatically. Additional AWS security services provide threat detection and compliance monitoring at the infrastructure level.

Specialized Worker Infrastructure

ScrapeMonk, Wistery's web data collection service, operates dedicated worker infrastructure on Hetzner Cloud. This architectural separation serves two purposes: cost optimization for compute-intensive workloads and security isolation for processing public web data.

Hetzner workers handle only publicly available data from e-commerce websites. These workers do not process customer proprietary data or access core Wistery databases. Communication between Hetzner workers and AWS-hosted services occurs over encrypted channels with authentication requirements.

Worker infrastructure implements similar security principles as AWS environments: network segmentation, access controls, monitoring, and encryption. The separation of worker infrastructure from core platform services provides an additional trust boundary, limiting potential impact if scraping infrastructure were compromised.


4. Security Architecture

Multi-Product Security Model

Wistery's product ecosystem consists of four integrated services: ScrapeMonk (data collection), TidyMonk (data processing), MatchMonk (product matching), and Wistery Platform (analytics and workflows). Each service implements security controls appropriate to its function while maintaining consistent security standards across the ecosystem.

This modular architecture provides security advantages through separation of concerns. Data collection infrastructure operates independently from analytical systems. Processing pipelines handle data transformation in isolated environments. Each service maintains dedicated databases, limiting the scope of any potential compromise to a single component rather than the entire platform.

Authentication and authorization controls operate consistently across services. Users authenticate once through Wistery Platform and receive tokens valid across the ecosystem. Role-based access controls determine which datasets and operations each user may access. API communications between services require authentication, preventing unauthorized inter-service requests.

Trust Boundaries and Data Flow Security

The primary trust boundary exists at ScrapeMonk, where external untrusted web data enters the Wistery ecosystem. ScrapeMonk processes raw HTML and unstructured web content into clean, tabular datasets containing structured product information with defined attributes. This transformation occurs within ScrapeMonk's isolated infrastructure, converting potentially malicious or malformed external data into validated, structured records.

Once ScrapeMonk produces structured datasets, this cleaned data flows to other services based on customer workflows. Data may move directly to Wistery Platform for analysis, through TidyMonk for additional processing, or to MatchMonk for product matching operations. The flexible architecture supports various data pipeline configurations while maintaining security controls at each integration point.

Data transfer between services occurs over encrypted channels. API endpoints require authentication tokens issued by the central authentication system. Services verify token validity before processing requests, ensuring that even compromised credentials for one service do not automatically grant access to others.

Customer data remains segregated through multi-tenancy controls. Database row-level security ensures customers access only their own data. API calls include tenant context, preventing unauthorized cross-tenant data access. This segregation applies across all products in the ecosystem.

Ecosystem Security Posture

The distributed architecture requires coordinated security management. Security policies apply uniformly across all products. Vulnerability scanning covers the entire codebase. Penetration testing evaluates not just individual services but also inter-service communication patterns and authentication flows.

Monitoring and logging span the ecosystem. Security events from any service flow into centralized logging infrastructure, with Sentry providing error tracking and performance monitoring across all services. This unified view enables detection of attack patterns that might span multiple services, such as reconnaissance activities followed by targeted attacks on specific components.

Incident response procedures account for the distributed nature of the platform. Security teams can isolate compromised services while maintaining operation of unaffected components. This resilience ensures that security incidents have minimal impact on customer operations.


5. Data Protection & Encryption

Encryption in Transit

All network communications use encryption to protect data from interception and tampering. Client applications communicate with Wistery services exclusively over HTTPS using TLS 1.2 or higher. This encryption applies to web browsers, API clients, mobile applications, and all other access methods.

TLS certificates issued by trusted certificate authorities validate server identity, preventing man-in-the-middle attacks. Modern cipher suites provide forward secrecy, ensuring that compromise of long-term keys does not compromise past session data. Wistery enforces HTTPS connections and redirects HTTP requests to secure endpoints.

Inter-service communication within the Wistery ecosystem uses encrypted channels. Services authenticate each other using API tokens transmitted over TLS connections. Database connections from application servers to RDS instances use SSL/TLS encryption, protecting data traversing AWS internal networks.

Data transfers to and from customer environments, including file uploads and exports, occur over encrypted connections. API integrations, webhooks, and custom connections all require TLS encryption. Wistery does not support unencrypted data transmission for any production use case.

Encryption at Rest

AWS provides encryption capabilities for data stored in RDS databases and S3 object storage. These encryption features protect data on physical storage media, mitigating risks from hardware theft, improper disposal, or unauthorized physical access to AWS data centers.

Amazon RDS supports encryption for database storage, including all database instances, automated backups, read replicas, and snapshots. Encryption uses industry-standard AES-256 encryption algorithms. Database encryption operates transparently to applications, requiring no changes to queries or application logic.

Amazon S3 provides server-side encryption for stored objects. Files, exports, and data processing artifacts receive encryption protection when stored in S3 buckets. Encryption occurs automatically as data writes to storage and decryption occurs transparently when authorized services retrieve objects.

Wistery leverages AWS encryption capabilities rather than implementing custom encryption layers. This approach ensures encryption benefits from AWS security engineering, regular security updates, and integration with AWS compliance programs. AWS operates encryption infrastructure at scale, providing reliability and performance that would be difficult to match with custom implementations.

Key Management

AWS Key Management Service (KMS) manages encryption keys used for data protection. KMS provides centralized key management with audit logging of all key usage. Encryption keys remain within AWS KMS infrastructure; Wistery services can use keys for encryption and decryption operations but cannot extract key material.

KMS integrates with RDS and S3, managing keys used for database and object storage encryption. AWS handles key rotation, backup, and high availability. KMS maintains audit logs showing when keys were used, by which service, and for what operations, providing visibility into encryption key usage patterns.


6. Data Lifecycle & Privacy

Data Classification and Handling

Wistery processes primarily business-sensitive data, including product catalogs, pricing information, competitive intelligence, and market analysis. Depending on customer use cases, data may include personally identifiable information (PII) such as customer contact details or transaction records. Data classification drives handling requirements, access controls, and retention policies.

Business-sensitive data receives protection appropriate to its value. Access controls limit data visibility to authorized users within customer organizations. Audit logging tracks data access patterns. Export controls restrict bulk data downloads to users with appropriate permissions.

When customer data includes PII, Wistery applies additional controls aligned with data protection regulations. Processing occurs under data processing agreements (DPAs) that define Wistery's obligations as a data processor. Customers retain data controller responsibilities, including determining lawful basis for processing and managing data subject rights.

Data Residency Options

Wistery supports data residency requirements for customers subject to European Union data protection regulations. EU customers can request that their data remain within AWS regions located in the European Union, ensuring compliance with data localization requirements under GDPR and similar regulations.

Data residency configurations maintain all customer data, including databases, file storage, and backups, within specified geographic boundaries. Applications and services operate in the same regions as customer data, preventing cross-border data transfers during normal operations.

Backup and Disaster Recovery

Wistery implements a three-copy backup strategy to protect against data loss. Customer data exists in the primary production database, in automated continuous backups, and in geographically separated backup copies. This approach protects against system failures, regional outages, and operational errors.

AWS RDS automated backups create continuous backup streams stored separately from primary databases. Additionally, periodic snapshots replicate to geographically distant AWS regions, protecting against regional disasters. Backup copies reside in different availability zones and regions than production systems.

Separation of duties prevents any single individual from accessing or destroying all backup copies. Administrative procedures require multiple approvals for backup deletion operations. AWS infrastructure controls limit access to backup systems independently from production system access.

Disaster recovery procedures, maintained as part of ISO 27001 requirements, define recovery time objectives (RTO) and recovery point objectives (RPO) for various failure scenarios. Regular testing validates the ability to restore operations from backup copies.

Data Retention and Deletion

Data retention policies define how long Wistery retains customer data. Active customer data remains available throughout the customer relationship. Upon customer request or contract termination, Wistery deletes customer data according to defined schedules.

Customers exercise the right to deletion for their data, consistent with GDPR requirements. Deletion requests trigger secure deletion procedures across all systems, including production databases, backups, and archived data. AWS secure deletion procedures ensure deleted data cannot be recovered from underlying storage systems.


7. Application Security

Secure Development Lifecycle

Wistery integrates security throughout the software development lifecycle, from design through deployment and maintenance. Security requirements inform feature design. Code reviews evaluate security implications of changes. Automated testing validates security controls. This approach, often called "shift-left security," identifies and addresses security issues early when remediation costs less and poses lower risk.

Development teams follow secure coding practices aligned with industry standards. Code must pass security reviews before merging to production branches. Peer review processes catch common vulnerabilities such as injection flaws, authentication bypasses, and authorization errors. Automated tools supplement human review, identifying security issues that might escape manual inspection.

Deployment processes include security validations. Container images undergo security scanning before deployment to production environments. Infrastructure changes follow change management procedures that evaluate security implications. Production deployments require approval from authorized personnel, preventing unauthorized code from reaching customer-facing systems.

Dependency and Vulnerability Management

Modern applications depend on numerous third-party libraries and frameworks. Wistery monitors dependencies for known security vulnerabilities through automated scanning tools. These tools compare project dependencies against vulnerability databases, identifying components with published security issues.

Dependency scanning occurs automatically during development and deployment processes. New vulnerabilities in existing dependencies trigger alerts for security team review. Critical vulnerabilities receive immediate attention, with patches or workarounds implemented according to severity-based timelines. Lower-severity issues enter the backlog for scheduled remediation.

The development team maintains currency with framework and library updates. Regular dependency updates reduce the accumulation of technical debt and security vulnerabilities. Automated tools assist with identifying available updates and testing compatibility with existing code.

Penetration Testing Program

Wistery conducts regular security assessments to identify vulnerabilities that automated tools might miss. These assessments evaluate the security of applications, APIs, and infrastructure from an attacker's perspective. Testing identifies vulnerabilities, validates security control effectiveness, and provides actionable remediation guidance.

Security assessments cover common vulnerability categories including injection flaws, authentication weaknesses, authorization bypasses, cryptographic failures, and configuration errors. Testing methodology follows industry-standard frameworks such as OWASP, ensuring comprehensive coverage of potential security issues.

Assessment findings drive security improvements. High-severity issues receive immediate remediation. Findings inform security training, highlighting vulnerability patterns that developers should avoid. Remediation verification confirms that fixes effectively address identified issues without introducing new problems.

Authentication and Access Control

Wistery uses Auth0 as the authentication provider, leveraging a purpose-built identity platform rather than implementing custom authentication systems. Auth0 provides enterprise-grade authentication with security features including anomaly detection, breach password detection, and bot protection.

Users authenticate with username and password credentials. Multi-factor authentication (MFA) provides additional security beyond passwords alone. Wistery requires MFA for all user accounts, preventing password-only authentication from providing access to the platform.

Enterprise customers access additional authentication options including single sign-on (SSO) integration. Google SSO provides convenient authentication for organizations using Google Workspace. Enterprise SSO allows integration with customer identity providers using SAML or OpenID Connect protocols, enabling customers to enforce their own authentication policies and maintain centralized user management.

Role-based access control (RBAC) determines what authenticated users can do within the platform. Administrators define roles with specific permissions. Users receive role assignments determining their access to features, data, and administrative functions. RBAC granularity allows customers to implement least-privilege access policies appropriate to their organizational structure.

API and Integration Security

Wistery provides multiple integration methods including REST APIs, webhooks, and custom connections. All integration methods require authentication. API clients authenticate using tokens that identify the calling user or service. Token-based authentication allows secure integration without sharing passwords.

API security controls include rate limiting to prevent abuse, input validation to reject malformed requests, and output encoding to prevent injection attacks in API responses. API endpoints enforce the same authorization rules as the web interface, ensuring consistent access controls regardless of access method.

Webhook deliveries include signatures allowing recipients to verify message authenticity. Custom integrations follow the same security standards as standard APIs, ensuring consistent security posture across all access methods.


8. Operational Security

Security Monitoring and Logging

Wistery maintains comprehensive audit logging across all systems and services. Logs capture authentication events, data access operations, administrative actions, and system changes. This logging provides visibility into platform activity, supporting security investigations, compliance audits, and operational troubleshooting.

Application logs, system logs, and security events flow to centralized logging infrastructure. Log aggregation enables correlation of events across multiple services, helping identify patterns that might indicate security issues. Logs include sufficient context to understand who performed what action, when, and from where.

Automated monitoring analyzes logs for security-relevant events. Alert rules identify suspicious patterns such as repeated authentication failures, unusual data access patterns, privilege escalations, and configuration changes. Alerts notify appropriate personnel based on event severity and type.

AWS infrastructure monitoring supplements application-level logging. AWS CloudWatch tracks system metrics, resource utilization, and infrastructure events. AWS security services monitor for infrastructure-level security issues including unauthorized API calls, unusual network traffic, and configuration changes that weaken security posture.

Sentry provides error tracking and performance monitoring across all services, capturing application errors, exceptions, and performance anomalies. This visibility helps identify potential security issues manifesting as application errors or performance degradation.

Log retention policies balance security investigation needs with storage costs and data minimization principles. Security-relevant logs remain available for sufficient periods to support incident investigation and compliance requirements.

Incident Response Procedures

Wistery maintains documented incident response procedures defining how the organization detects, analyzes, contains, and recovers from security incidents. These procedures assign roles and responsibilities, establish communication channels, and provide playbooks for common incident types.

Incident response begins with detection through monitoring alerts, security tool findings, or reports from staff or customers. Initial triage determines incident severity and assigns response resources. Investigation establishes the scope, timeline, and impact of the incident. Containment actions limit damage while investigators gather evidence. Eradication removes the threat and closes vulnerabilities. Recovery restores normal operations. Post-incident review identifies lessons learned and drives improvements to prevent recurrence.

Customer Notification Protocols

Wistery commits to transparency in security incident communication. When security incidents affect customer data or service availability, Wistery notifies affected customers according to defined protocols. Notification timing balances the need for timely information with the need for accurate assessment of impact.

Customer notifications describe the incident nature, affected data or systems, Wistery's response actions, and any actions customers should take. Wistery provides updates as investigations progress and follows up with final incident reports describing root causes and remediation measures.

This transparency commitment extends to regulatory breach notifications when incidents meet reporting thresholds under GDPR or other applicable regulations.

Security Training and Awareness

All Wistery staff receive security training appropriate to their roles. Training covers security policies, data handling requirements, password management, phishing recognition, and incident reporting. Developers receive additional training on secure coding practices and common vulnerability patterns.

Security awareness remains an ongoing priority. Regular communications highlight emerging threats, share security tips, and reinforce the importance of security-conscious behavior. Security becomes part of organizational culture rather than a periodic compliance exercise.


9. Third-Party Security

Vendor Security Assessment

Wistery evaluates the security posture of third-party vendors before engagement and monitors vendor security throughout the relationship. Vendor assessment considers the sensitivity of data the vendor will access, the criticality of services they provide, and their integration depth with Wistery systems.

Assessment processes include reviewing vendor security documentation, evaluating compliance certifications, and examining security policies and procedures. Critical vendors undergo more extensive evaluation including security questionnaires, audit report review, and contractual security requirements.

Ongoing vendor management includes monitoring for security incidents affecting vendors, reviewing updated compliance certifications, and assessing security implications of changes to vendor services. This continuous assessment ensures vendor security remains adequate as threats evolve and vendor capabilities change.

Subprocessor Transparency

Wistery maintains transparency regarding subprocessors that may access or process customer data. Customers receive disclosure of key subprocessors and their roles in service delivery. This transparency enables customers to assess subprocessor risk as part of their vendor management processes.

Data processing agreements (DPAs) with customers include subprocessor provisions consistent with GDPR requirements. Wistery notifies customers of subprocessor changes, providing opportunity to object when such changes affect data processing activities.

Key Third-Party Services

Amazon Web Services (AWS) provides core infrastructure including compute, storage, database, and networking services. AWS maintains extensive compliance certifications including SOC 2, ISO 27001, and numerous industry-specific standards. AWS operates under the shared responsibility model, securing infrastructure while Wistery secures applications and data.

Auth0 provides authentication services, managing user credentials and authentication flows. Auth0 maintains SOC 2 Type II certification and compliance with data protection regulations including GDPR.

Hetzner Cloud hosts ScrapeMonk worker infrastructure for web data collection. Hetzner provides European data center locations and maintains ISO 27001 certification.

LLM Providers including Anthropic (Claude), OpenAI (GPT models), and Google (Gemini) power AI-driven data extraction capabilities in ScrapeMonk. These providers maintain enterprise security controls and compliance certifications appropriate to their services. Data sent to LLM providers consists of publicly available web content rather than customer proprietary information.


10. Customer Responsibilities

Shared Security Model

Security in SaaS environments operates on a shared responsibility model. Wistery secures the platform infrastructure, application code, and underlying systems. Customers bear responsibility for how they use the platform, who they grant access to, and how they configure security settings within their account.

This division of responsibilities ensures appropriate control at each level. Wistery maintains expertise in platform security, operating systems, networks, and application security. Customers maintain expertise in their business processes, organizational structure, and data sensitivity requirements.

Customer Security Best Practices

Customers enhance their security posture through several practices:

Strong Password Policies: Enforce password complexity requirements within customer organizations. Require password changes following employee departures or suspected credential compromise. Avoid password reuse across different services.

MFA Enrollment: Ensure all users enable multi-factor authentication. MFA provides significant protection against credential theft and phishing attacks. Monitor MFA enrollment rates and follow up with users who have not enabled MFA.

Access Control Management: Review user access permissions regularly. Remove access for departed employees promptly. Grant users only the permissions necessary for their roles. Avoid sharing credentials among multiple users.

Security Configuration: Review and configure available security settings according to organizational requirements. Enable available audit logging. Configure data retention policies. Review and approve integration configurations before deployment.

Security Awareness: Train users to recognize phishing attempts and social engineering attacks. Establish clear procedures for reporting suspicious emails or activities. Foster a culture where security concerns receive prompt attention.


11. Continuous Improvement

Commitment to Evolving Security

Security threats evolve continuously as attackers develop new techniques and discover new vulnerabilities. Wistery's security posture must evolve correspondingly to address emerging risks. This commitment to continuous improvement ensures that security controls remain effective against current threats rather than becoming obsolete.

Security improvements draw from multiple sources: audit findings, penetration test results, vulnerability assessments, incident lessons learned, and threat intelligence. Each source provides insight into areas requiring enhancement. Wistery prioritizes improvements based on risk severity and potential impact.

Ongoing Security Investment

Wistery invests in security capabilities that enhance platform protection and customer confidence. Investments span technology, personnel, processes, and training. Security tooling evolves to incorporate new detection capabilities and automation. Staff security skills develop through training and professional development. Processes improve based on operational experience and industry best practices.

Regular security assessments provide independent validation of security controls. These assessments identify gaps requiring remediation and validate that implemented controls function as intended. Assessment results inform security roadmap priorities and investment decisions.

ISO 27001 Continuous Improvement

ISO 27001 certification requires systematic continuous improvement through the Plan-Do-Check-Act cycle. This framework ensures security management remains dynamic rather than static. Regular management reviews evaluate security metrics, assess control effectiveness, and identify improvement opportunities.

Wistery conducts internal security audits regularly, examining different aspects of the security management system. Annual external surveillance audits by accredited certification bodies validate continued ISO 27001 compliance. Both audit types generate findings that drive specific improvements. Corrective action tracking ensures findings receive appropriate resolution.


Contact Information

Security Contact: For security-related inquiries, vulnerability reports, or security incident notifications, contact security@wistery.io

Support Contact: For general platform support, technical assistance, or account questions, contact support@wistery.io

Compliance Inquiries: For compliance documentation, audit requests, data processing agreements, or regulatory inquiries, contact compliance@wistery.io