Patchstack Logo

Trust Center

Start your security review
View & download sensitive information
Ask for information
ControlK

Overview

Patchstack exists to secure the WordPress ecosystem, so we hold ourselves to the same standard we sell. This Trust Centre is where we show our work: our certifications, our controls, and how to request the detail behind them.

We're independently certified against ISO/IEC 27001:2022 and audited to SOC 2 Type II. Both cover the controls that matter for a security vendor — access, change management, incident response, and vendor risk — and both are renewed annually, not one-and-done.

Subprocessors

Documents

COMPLIANCEISO/IEC 27001:2022

AI

We take the use of AI seriously. Staff use of AI tools is governed by an internal AI policy covering data handling and approved use cases. Any AI integration we build in-house goes through a documented risk assessment before it touches customer or company data, with approval routed through the relevant technical or commercial owner. We do not use customer data to train AI models.

Data Privacy

Privacy of customer data is top of mind. We follow industry best practices and applicable privacy regulations, including GDPR. GDPR Compliance — reviewed annually, with findings tracked and actioned Data Processing Agreement (DPA) — available on request for customers who need one Data Subject Rights — we support access, correction, and deletion requests Breach Notification — customers are notified without undue delay, in line with GDPR's 72-hour requirement

Infrastructure

We host on managed cloud infrastructure from providers we've vetted against our security requirements, rather than running our own data centres. That means physical security, redundancy, and infrastructure-level resilience are inherited from providers whose core business is getting that right — and we layer our own access controls, monitoring, and encryption on top. We're happy to share more detail on request.

Network Security

We protect our corporate network against external and internal threats through network segmentation, firewall rules, and mandatory VPN (Tailscale) for all remote connections. Access is scoped to least privilege and reviewed on a recurring basis.

Risk Management

We run a structured risk assessment programme covering our infrastructure, vendors, and internally-built tools. Risks are scored on likelihood × impact, tracked in a central Risk Register, and reviewed on a biannual cadence — more frequently for anything scoring high or critical. Treatment plans are assigned an owner and tracked to closure.

Training

Every team member completes security awareness training during onboarding, with refreshers on a recurring cadence. Training covers phishing, social engineering, data handling, and incident reporting, using scenarios relevant to how we actually work — remote, distributed, and WordPress-focused.

Change Management

All changes to our systems, infrastructure, and Information Management System follow a documented change process: request, risk review, approval, implementation, and verification. Significant changes require sign-off before deployment, and every change is logged for audit.

Built onSafeBase by Drata Logo