Compliance posture

SOC 2

Wicket is currently working toward SOC 2 Type II. A Type I report is in progress. Contact us if your procurement process requires a current report — we can share our controls documentation under NDA.

Data processed

Wicket processes:

  • Email addresses — for magic link authentication and member invites
  • OAuth tokens — stored encrypted (AES-GCM) in PostgreSQL, scoped per member
  • Audit log entries — tool names, decisions, and tool arguments for every MCP call
  • Session data — short-lived (10-minute TTL) session cookies for dashboard access

Wicket does not store:

  • Member keys (shown once, then discarded)
  • Plaintext OAuth tokens (encrypted immediately on receipt)
  • Full request/response bodies from upstream MCP servers (only structured audit fields)

Data residency

Wicket is hosted in the US (Newark) by default; all customer data is stored in-region. EU residency (Amsterdam or Frankfurt) is available on enterprise plans — contact us.

Audit log retention

Audit entries are retained indefinitely by default — no automatic purge runs. If your compliance policy requires bounded retention, export entries to CSV via GET /api/audit/export for your archive; custom retention schedules are available on request.

Encryption at rest

All platform data is encrypted at rest. OAuth tokens carry an additional application-layer AES-GCM encryption keyed to each member’s key (see Threat model for the full credential security model).
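The per-member application-layer encryption described above, as an added illustration (not Wicket's own code, whose key derivation and storage schema the page does not disclose): the member key is used only transiently to derive an AES-256-GCM key, the member ID is bound as associated data, and only nonce plus ciphertext would be persisted. The HMAC-SHA256 derivation, the `SealedToken` shape and the member IDs are assumptions for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
)

// SealedToken is the assumed stored form: a fresh nonce plus ciphertext carrying
// the 16-byte GCM tag. The member key itself is never written anywhere.
type SealedToken struct {
	Nonce, Ciphertext []byte
}

// gcmFor derives a 256-bit AES key from the member key and returns an AES-GCM AEAD.
// HMAC-SHA256 over a fixed label stands in for a KDF (assumption: the page does not
// say how Wicket derives per-member keys).
func gcmFor(memberKey []byte) (cipher.AEAD, error) {
	mac := hmac.New(sha256.New, memberKey)
	mac.Write([]byte("oauth-token-encryption"))
	block, err := aes.NewCipher(mac.Sum(nil)) // 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealToken encrypts a plaintext OAuth token; memberID is bound as associated data
// so a ciphertext copied into another member's row will not decrypt.
func sealToken(memberKey []byte, memberID string, token []byte) (SealedToken, error) {
	gcm, err := gcmFor(memberKey)
	if err != nil {
		return SealedToken{}, err
	}
	nonce := make([]byte, gcm.NonceSize()) // 96-bit nonce, random per encryption
	if _, err := rand.Read(nonce); err != nil {
		return SealedToken{}, err
	}
	return SealedToken{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, token, []byte(memberID))}, nil
}

// openToken decrypts and authenticates; a different key, member ID or modified byte fails.
func openToken(memberKey []byte, memberID string, s SealedToken) ([]byte, error) {
	gcm, err := gcmFor(memberKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, s.Nonce, s.Ciphertext, []byte(memberID))
}
```

Because decryption needs the member key on every call, a database dump alone yields only ciphertext, which is the property the "shown once, then discarded" handling of member keys relies on.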

Penetration testing

Wicket undergoes periodic penetration testing. Results are available to enterprise customers under NDA. Contact security@wicket.sh.