Status: Aligned. Wentzel Investments LLC implements controls for SOC 2 Type 2 and ISO/IEC 27001:2022 but has not yet completed third-party audits. We use "Aligned", never "Compliant" or "Certified".
# Security
Security is the mandatory baseline Trust Services Criterion (TSC). Wentzel Investments LLC implements all Common Criteria CC1 through CC9 across the WCB-CC-* unified control catalog. Specific evidence pointers live in the per-repo manifests; this page summarizes the controls applied org-wide.
## Common Criteria summary
| Control | Area | Status | Evidence |
|---|---|---|---|
| WCB-CC-01 | Information security policy | Aligned | 11 written policies |
| WCB-CC-06 | Identity & access — IAM Identity Center + SAML | Aligned | AWS IdC + Google SAML |
| WCB-CC-07 | MFA — TOTP + WebAuthn (YubiKey 5C NFC) | Aligned | Required on all human access |
| WCB-CC-08 | Privileged access — break-glass via trustee custody | Aligned | Glenda Nicole Ramsey, Trustee Agreement |
| WCB-CC-11 | Network security — VPC + WAF + no inbound | Aligned | phase0-foundation IaC |
| WCB-CC-12 | TLS 1.3 in transit | Aligned | Cloudflare edge + ALB |
| WCB-CC-13 | KMS at rest — customer-managed keys | Aligned | Per-data-class CMK |
| WCB-CC-14 | Secrets management | Aligned | AWS Secrets Manager only |
| WCB-CC-15 | Logging & monitoring — CloudTrail + audit-chain | Aligned | Org trail + structured app logs |
| WCB-CC-16 | Audit trail integrity — Object Lock Compliance mode | Aligned | s3://wentzel-audit-immutable, 7-year retention per SEC 17a-4(f) |
| WCB-CC-17 | Change management — PR + CODEOWNERS + signed commits | Aligned | GitHub branch protection on every in-scope repo |
| WCB-CC-18 | Vulnerability management — Dependabot + CodeQL | Aligned | CI gates on every PR |
| WCB-CC-20 | Incident response — S0–S3 ladder + postmortems | Aligned | Tabletop annually |
| WCB-CC-30 | Secure SDLC — TypeScript strict mode + ESLint security rules | Aligned | Banned-deps + lint |
| WCB-CC-31 | Code review — required PR review + CODEOWNERS | Aligned | branch-protection-sanity in WCB Gate |
| WCB-CC-32 | Build integrity — SBOM on every artifact | Aligned | Per-app build pipeline |
| WCB-CC-43 | Audit chain emission — every tier-2+ action | Operational | @wentzel/audit-chain |
| WCB-CC-44 | Object Lock SEC 17a-4(f) — 7-year immutable retention | Operational | Production bucket armed |
## External attestation
The SOC 2 Type 2 audit is deferred until a portfolio batch trigger fires: first $50K MRR, enterprise customer demand, or a cyber-insurer evidence requirement. Nominated auditor: Prescient Assurance.