Trust & Security
Last updated: June 9, 2026
Overview
Wentzel Investments LLC (trading as Wentzel.ai) builds and operates a portfolio of specialized SaaS platforms for regulated industries. Protecting the confidentiality, integrity, and availability of the data you entrust to us is a core obligation — not a feature.
This page describes our current security posture, the status of our formal certification programme, how we handle your data, the sub-processors we rely on, and how to reach us if you discover a potential vulnerability.
SOC 2 Type II certification status
Wentzel Investments LLC is actively pursuing SOC 2 Type II certification under the AICPA Trust Services Criteria. Our SOC 2 audit programme is currently in progress.
We do not hold a SOC 2 Type II report at this time. We describe our posture as audit-ready and in-progress — not certified. We will post a link to the report (or a summary for prospects under NDA) on this page when the attestation is complete.
We expect to complete our SOC 2 Type II audit in 2027.
Infrastructure & data security
Our production workloads run primarily on Cloudflare Workers, with Cloudflare D1 (SQLite) for structured data and Cloudflare R2 for object storage. Regulated healthcare pathways, batch genomics pipelines, and transactional email run on Amazon Web Services (SES, S3, Batch, Secrets Manager). Select products use Neon (managed Postgres) during migration.
All data in transit is encrypted with TLS 1.2 or higher. Data at rest is encrypted by the storage platform (AES-256). Production systems follow least-privilege access; employee access is reviewed quarterly. We enforce per-product database isolation so one product's data is never accessible from another product's runtime.
- Encryption in transit — TLS 1.2+ on all public endpoints.
- Encryption at rest — AES-256 by the underlying storage platform.
- Least-privilege access — scoped IAM roles / Cloudflare API tokens; no standing production write access.
- Per-product isolation — separate D1/R2/database instances per product slug.
- Secret management — runtime secrets managed via Cloudflare Worker Secrets and AWS Secrets Manager; never committed to source control.
Data handling
We process personal data only to deliver the services you have requested, to keep them secure, and to comply with legal obligations. We do not sell personal data, and we do not use customer content to train shared or third-party models.
Data is retained for as long as your account is active or as needed to meet legal and audit-evidence obligations. Following account termination we make customer data available for export for 30 days, after which we delete it unless required to retain it by law.
Sub-processors
We engage the following sub-processors to deliver platform services. All sub-processors are under contract requiring appropriate confidentiality and security measures.
- Cloudflare, Inc. (United States) — edge compute (Workers), CDN, D1 database, R2 object storage, DNS, DDoS mitigation.
- Amazon Web Services, Inc. (United States) — transactional email (SES), object storage (S3), batch compute (Batch), secrets (Secrets Manager).
- Stripe, Inc. (United States) — payment processing for products with paid plans.
- TODO: [Product-specific sub-processors — audit each product before public launch and list here].
Reporting a security issue
If you believe you have found a security vulnerability in any Wentzel platform product, please report it responsibly. We will acknowledge your report within two business days and aim to resolve confirmed issues within 30 days, depending on severity.
Please do not publicly disclose a vulnerability before we have had the opportunity to investigate and remediate. We do not currently operate a formal bug-bounty programme, but we will acknowledge researchers who responsibly disclose valid findings.
Email security@wentzel.ai to report a potential vulnerability.