Wenme

Compliance & standards

Standards we implement,
and the ones we’re honest about.

Every standard below is split between “implemented in code” and “controls in place, audit pending.” We don’t conflate the two.

A note on certification

Where formal certification has not yet been contracted, the page says so plainly. SOC 2 Type II and ISO 27001 audits are on the roadmap for 2026; the technical controls underneath them already run in production and are reviewed continuously.

01 / 04

Implemented in code.
Auditable in the source tree.

The standards below are not a list of intentions. Each one is wired into request-handling code that runs every authentication on the platform.

01

FIDO2 / WebAuthn

implemented

Hardware-backed passkeys with biometric verification. Phishing-resistant by design. Public-key cryptography end-to-end — no shared secrets.

W3C WebAuthn L3

02

OAuth 2.1

implemented

Mandatory PKCE (S256). No implicit grant. No password grant. No exceptions. Authorization-code flow only.

OAuth 2.1 draft

03

OpenID Connect

implemented

Discovery, dynamic client registration, RP-initiated logout. ID tokens signed with Ed25519 (EdDSA).

OIDC Core 1.0

04

FAPI 2.0

implemented

JARM, mTLS, Pushed Authorization Requests, DPoP sender-constrained access tokens. Bank-tier flows.

OpenID FAPI 2.0

05

DPoP

implemented

Sender-constrained access tokens. A stolen bearer token is unusable without the corresponding key.

RFC 9449

06

SAML 2.0 IdP

implemented

SP-initiated SSO. RSA-SHA256 signed assertions. Single-Logout supported. Federated with ADFS, Okta, Azure AD.

OASIS SAML 2.0

07

LDAP / AD

implemented

Auto-sync, group-to-role mapping. STARTTLS and LDAPS. Read-only or writeback configurable per connector.

RFC 4511

08

SCIM 2.0

implemented

Automated user lifecycle from Okta, Azure AD, JumpCloud. Create / update / deprovision in real time.

RFC 7644

09

GDPR

implemented

Data export, account deletion, breach-notification workflow, consent management with scope-level granularity.

EU 2016/679

02 / 04

GDPR, on the record.
Designed in, not bolted on.

The architecture was designed with GDPR principles from day one. Data subject rights are first-class API operations, not service tickets.

Data subject rights

Right to access
Export your data anytime via profile settings or API.
Right to rectification
Update your information instantly. Email changes verified by passkey.
Right to erasure
Delete account and all data via deletion request. 30-day retention for compliance.
Right to portability
Download data in machine-readable JSON format.
Right to object
Object to processing of your data through privacy settings.

Privacy by design

Data minimization
We only collect essential authentication data. No marketing telemetry.
Consent management
OAuth consent tracking with scope-level revocation, per app.
Breach notification
Severity-based security event log. 72-hour notification SLA.
No password storage
Eliminates the largest category of identity breaches entirely.
Encrypted at rest
AES-256-GCM with per-tenant key rotation.

03 / 04

Controls in place.
Audit not yet contracted.

The technical requirements of these frameworks are implemented and continuously tested. Formal third-party certification is the remaining step.

01

SOC 2 Type II

controls

Trust Service Criteria implemented

Security, availability, processing integrity, confidentiality, and privacy criteria covered by automated controls and audit logging. Independent attestation pending.

02

ISO 27001

controls

ISMS policies documented

Information Security Management System policies, including access control, incident response, and data protection. Certification audit on the 2026 roadmap.

03

PCI DSS

controls

Scope-limited technical controls

Encryption at rest (AES-256-GCM) and in transit (TLS 1.3), access controls, audit logging, and session management implemented. No card data handled.

04

HIPAA

controls

Technical safeguards met

Encryption, access controls, audit logs, and session management meet HIPAA technical safeguard requirements. BAA template available on request.

05

NIST Zero Trust

controls

Architecture aligned

Three-tier Docker network, 30-minute idle and 7-day absolute session timeouts, RBAC across platform and organization scopes, comprehensive security event logging.

06

CCPA

controls

Rights management implemented

Data access, deletion, and portability rights enforced through profile settings and API. Privacy controls applied platform-wide.

04 / 04

Passwordless dividend

Why no passwords
helps compliance.

Most compliance findings tied to identity reduce to password handling — rotation policies, complexity rules, breach response, hash leakage. Removing the primitive removes the entire finding category from your audit report.

0% password breach surface
100% phishing-resistant primary auth
0 reset-flow attack vectors
6 auth methods supported

Available documentation

Security architecture whitepaper: on request
GDPR data-processing documentation: on request
ISMS policy documents: on request
BAA template (healthcare): on request
Penetration test reports (NDA required): on request

Request access

Enterprise customers can request access to compliance documentation and security assessments. We respond within one business day, in your timezone.


KaritKarma Limited operates Wenme. We do not subcontract authentication, key management, or audit logging to third parties.

last reviewed 2026-04-13