
Security posture · Q2 2026

Security as a first-class product surface.

Procurement teams need citable evidence, not marketing copy. This page is exactly that — concrete controls, scope of coverage, and where the gaps are. Updated whenever any of it changes; last reviewed Q2 2026.

Hosting + data residency

  • Hetzner Cloud, EU only — primary infrastructure in Frankfurt (FSN1), secondary in Helsinki (HEL1).
  • No data leaves the EU by default. Enterprise customers can pin a single region; backups land cross-region within the EU.
  • Sub-processor list: available on request — Hetzner (hosting), OpenAI (AI provider, configurable per tenant), cert-manager + Let's Encrypt (TLS).

Identity + access

  • Role-based access control: admin / viewer at operator level; owner / admin / developer / finance / support / viewer at tenant level. Every API gate is checked server-side.
  • SSO: Microsoft Entra and Google Workspace on the Enterprise tier; SCIM auto-provisioning roadmap Q4 2026.
  • MFA: required for admin operators; recommended for all tenant users; configurable per-tenant.
  • Per-tenant isolation: every tenant gets a dedicated Kubernetes namespace; queries scoped at the application layer; cross-tenant reads return 404 (not 403) so existence isn't leaked.
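
The 404-instead-of-403 behaviour described under per-tenant isolation, as an added sketch that is not Wemalo's code: the table, column names, handlers and sample rows are assumptions constructed for illustration. It contrasts a tenant-scoped query with a fetch-then-authorize handler that reveals whether another tenant's record exists.

```python
import sqlite3

NOT_FOUND = (404, {"error": "not_found"})


def make_db():
    """In-memory store with constructed sample rows for two hypothetical tenants."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, "
               "tenant_id TEXT NOT NULL, sku TEXT NOT NULL)")
    db.executemany("INSERT INTO orders VALUES (?, ?, ?)",
                   [(1, "tenant-a", "PALLET-001"), (2, "tenant-b", "CRATE-777")])
    return db


def get_order(db, session_tenant, order_id):
    """Scoped read: the tenant predicate is part of the query, so a row owned
    by another tenant and a row that does not exist take the same code path."""
    row = db.execute("SELECT id, sku FROM orders WHERE id = ? AND tenant_id = ?",
                     (order_id, session_tenant)).fetchone()
    if row is None:
        return NOT_FOUND
    return (200, {"id": row[0], "sku": row[1]})


def get_order_leaky(db, session_tenant, order_id):
    """Contrast case: fetch by id first, authorize afterwards. The 403 branch
    tells the caller that the id exists in some other tenant."""
    row = db.execute("SELECT id, tenant_id, sku FROM orders WHERE id = ?",
                     (order_id,)).fetchone()
    if row is None:
        return NOT_FOUND
    if row[1] != session_tenant:
        return (403, {"error": "forbidden"})
    return (200, {"id": row[0], "sku": row[2]})


def responses_indistinguishable(handler, db, tenant, foreign_id, missing_id):
    """Regression check: status and body must match for a foreign id and a missing id."""
    return handler(db, tenant, foreign_id) == handler(db, tenant, missing_id)


if __name__ == "__main__":
    db = make_db()
    print("scoped:", responses_indistinguishable(get_order, db, "tenant-a", 2, 999))
    print("leaky: ", responses_indistinguishable(get_order_leaky, db, "tenant-a", 2, 999))
```

The response body has to match as well as the status code, which is why the check compares the whole response rather than only the 404.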

Cryptography

  • In transit: TLS 1.3 between every public ingress and the platform; HSTS preload eligible; OCSP stapling.
  • At rest: Hetzner volume-level AES-256 encryption; backups encrypted with a separate key stored outside the data path.
  • Provider keys (AI, integrations): encrypted at rest with AES-256-GCM and a per-install master key derived from an HKDF over the cluster's secret store.

Auditing + observability

  • Every admin action audited: operator and tenant. Audit log is append-only, retained indefinitely, and exportable on request (Enterprise: real-time SIEM forwarding).
  • Notifications: every security-relevant event (failed logins, privilege changes, key rotations, suspicious tool invocations) lands on the operator bell.
  • Real-time observability: self-hosted metric stack; no third-party APM means none of your operational data leaves the EU.

Backups + disaster recovery

  • Daily snapshots + WAL streaming for the primary database; 30-day point-in-time restore on Growth tier and above.
  • Cross-region copy: backups copied to a second EU region within an hour of capture.
  • Restore drills: we restore from backup at least once per quarter as part of release validation; evidence available on request.
  • RPO / RTO: RPO ≤ 15 minutes on Growth+; RTO ≤ 4 hours for a full-region failover.

Compliance roadmap

  • GDPR: DPA available now, downloadable at /legal/dpa.
  • EN ISO 27001: control mapping in progress; full attestation target Q1 2027.
  • SOC 2 Type I: Type I attestation target Q4 2026; Type II Q3 2027.
  • Pen testing: third-party penetration test on every major release.

Procurement

Need our security questionnaire or DPA?

We answer security questionnaires from procurement teams within 3 working days. Email security@wemalo.com or use the contact form.


© 2026 Wemalo · All rights reserved · Hosted in the EU