Governance
We are ISO27001 certified.
SOC2 Type 1 & SOC2 Type 2 accredited.
We are registered with the ICO under the UK Data Protection Act (ZA421647).
We are Cyber Essentials Plus certified (The IASME Consortium Ltd (GBLTD07897132) issued Cyber Essentials (7031564f-2d2f-4d90-91ba-a4f2d096fa7b)).
All staff complete tailored GDPR and cyber awareness training, refreshed on an annual basis.
DBS checks, and adverse financial checks are performed.
Continuous Protection
Annual application network and penetration tests performed by an independent third party service that is CREST approved.
Automated Threat Detection within our network is enabled (Guard Duty).
Web Application Firewall and DDoS protection available.
Disaster recovery plan for our core services tested annually.
Security Best Practices
All user passwords are salted and hashed with the script key derivation function.
All sensitive banking data (i.e., bank account) is further encrypted via AES-256.
2FA is active, and SSO is used to cascade access across multiple services where possible.
Transfer of Data
Using Bank-Grade encryption, all data is encrypted-in-transit and transferred to us protected by HTTPS (TLS >= 1.2) or SFTP with 2048-bit RSA key pairs, up to 4096-bit.
Storage of Data
We use industry standard encryption to store data, encrypted at rest, using AES-256.
UK & EU customer data is stored within the AWS London (eu-west-2) data centre.
US customer data is stored within the AWS Oregon (us-west-2) data centre.
Our hosting is readily compliant with ISO2001, SOC-1,2,3 PCI-DSS L1 and more.
Backup retention is 35 days.
Physical and electronic material is destroyed using a company that is a member of i-SIGMA (International Secure Information Governance & Management Association).
Corporate IT
Devices managed by Microsoft Intune.
Endpoint security, next generation antivirus and malware protection via Crowdstrike Complete on all devices.
Multiple DLP strategies via CrowdStrike and Google Vault.
Active monitoring for outflow of data via USB~ peripherals.
Any access to customer data for support reasons is limited to a need-to-know basis, only via VPN, access is fully auditable.
Wagestream utilises one of the top 10 Enterprise Mobility Management (EMM) tools to ensures that patching of our operating systems and 3rd party software is automated.
Autorun is disabled on Windows devices.
We have an up-to-date asset register.
Automatic o/s and 3rd party updates enabled.
© 2025 Earned Wage Access services in the United States are provided by Wagestream, Inc. (NMLS #2547041), the operator and manager of this website. Wagestream, Inc. is a wholly owned subsidiary of Wagestream Holdings Ltd, and an affiliate of Wagestream Ltd. Wagestream Ltd is the owner of all intellectual property rights on this site, and in all material published on it, including the trademarks WAGESTREAM and the W Device mark. All rights are reserved. Wagestream Ltd is a company registered in England and Wales (number 11173225) and registered with the Financial Conduct Authority (FCA). Wagestream is a financial technology company, not a bank. Banking services provided by Piermont Bank; Member FDIC. Your funds are FDIC insured up to $250,000 through Piermont Bank; Member FDIC. The Wagestream Mastercard® Debit Card is issued by Piermont Bank; Member FDIC, pursuant to a license from Mastercard and may be used everywhere Mastercard® debit cards are accepted.
