§ II.IX — ENTERPRISE · SECURITY AND COMPLIANCE
◦ PROCUREMENT-GRADE POSTURE · NDA + MSA + DPA STANDARD

Procurement posture stated.

This is documentation, not marketing. Every contractual surface, data-handling posture, sub-processor relationship, and roadmap claim Wiele Group operates under at Enterprise tier — stated honestly for procurement, legal, and information-security review. Where Wiele is certified, this page says so. Where Wiele is not yet certified, this page says that too. Truth Commitment doctrine forbids claiming credentials not yet earned.

Contractual: NDA · MSA · DPA standard
Residency: EU + UK · no transfer without consent
Framework: GDPR-aligned · Processor under DPA
SOC 2: On roadmap · not yet certified
Last reviewed: April 2026 · this page updates when posture changes
§ II.IX.I — CONTRACTUAL SURFACES

Three documents. Procurement standard.

I. NDA · mutual
Mutual non-disclosure agreement signed before any scoping conversation containing confidential information. Templated draft provided. Buyer-template substitution acceptable. Term: 3 years from signature, surviving engagement termination. Standard for every Enterprise prospect engagement.
II. MSA · master services
Master Services Agreement signed before engagement begins. Scopes commercial terms · invoice cadence · payment terms · IP custody · liability cap · termination clause · governing law (English law unless buyer requires alternative). Templated draft provided. Redlines welcome within procurement-cycle norms.
III. DPA · data processing
Data Processing Agreement signed alongside MSA. Scopes Wiele's role as Data Processor (client is Data Controller). Sub-processor list (exhibit). Data retention. Cross-border transfer mechanism (SCCs). Breach notification. GDPR Article 28 compliant. Templated draft provided.
IV. SOW · per engagement
Statement of Work issued under MSA for each engagement defining scope, deliverables, duration, fee, and acceptance criteria. SOW is the operating document — MSA governs the relationship; SOW governs the project. New SOW per discipline · per quarter · or per renewal cycle as engagement structure dictates.
§ II.IX.II — DATA POSTURE

Residency · framework · sub-processors named.

I. Residency
EU and UK. All client documents, briefs, deliverables, and analytics data processed and stored within EU and UK jurisdictions. No client data is transferred to non-EU/UK jurisdictions without explicit written consent and an appropriate transfer mechanism (Standard Contractual Clauses or equivalent under UK GDPR / EU GDPR).
II. Framework
GDPR-aligned. Wiele typically acts as Data Processor under standard DPA terms; the client is the Data Controller. Subject access requests routed via the client. Data minimisation principle applied: Wiele requests only the data scope strictly required for engagement deliverables, not blanket access.
III. Sub-processors
Cloudflare (hosting + content delivery for Wiele-managed client web assets, EU-preferred regions). Stripe (payment processing for Catalyst-tier; Enterprise invoices direct via SEPA or wire and do not touch Stripe). Full list in the DPA exhibit. 30-day written notice before any new sub-processor engages client data.
IV. AI training exclusion
Wiele does not use AI-training-eligible vendors for client document processing. Client deliverables, briefs, and confidential data are not submitted to public LLM APIs that retain training rights. Internal AI-assisted research uses tooling configured to forbid training retention.
§ II.IX.III — OPERATIONAL POSTURE

Founder access · IP · termination cycle.

I. Access model
Founder-led firm. Engagement-specific senior teams formed per SOW. Access to client systems and data is least-privilege by default — Wiele requests only the access required for stated deliverables. Multi-factor authentication enforced on all systems. Credentials managed via password vault; never stored in plain documents.
II. IP custody
Client owns all engagement deliverables in full from month one. Brand systems, content, schema, code, audit reports, strategy documentation — all client-owned outright. Wiele retains no ownership claim, no buy-out clause, no licensing fee. Methodology remains Wiele's. Deliverables are yours. Doctrine, not negotiation surface.
III. Incident response
Security incidents affecting client data trigger written notification to the client within 72 hours of discovery (per GDPR Article 33). Incident response includes: scope assessment, contained-vs-active determination, remediation actions, root-cause analysis, and post-incident report. Buyers may specify alternative notification windows in SOW.
IV. Termination cycle
MSA termination triggers a 30-day data return and deletion cycle. All client documents and project artifacts returned via secure transfer to client-designated location. Working copies on Wiele systems deleted within 30 days. Deletion certified in writing on request. Aggregated, fully anonymised methodology learnings may be retained — no client-identifying data.
§ II.IX.IV — ROADMAP HONESTY

What Wiele claims. What Wiele does not.

SOC 2: on roadmap · controls documented · audit not yet commenced
ISO 27001: not certified · not under audit · not claimed
HIPAA: not in scope · Wiele does not handle PHI
PCI-DSS: via Stripe (Catalyst tier) · Wiele does not store card data
FedRAMP: not certified · not in scope · not claimed
GDPR: aligned · Processor under DPA · operating framework

Truth Commitment doctrine forbids claiming credentials Wiele has not earned. Where Wiele is on a certification path, this page says so. Where Wiele is not pursuing certification, this page says that too. Buyers requiring specific attestation as a procurement gate should treat Wiele as a sub-certified vendor for those frameworks not listed as held — and either accept the documented-controls posture under MSA or wait until any in-progress certification cycle completes.

§ II.IX.V — PROCUREMENT QUESTIONS

Six questions answered once.

Is Wiele SOC 2 certified?

No. SOC 2 certification is on Wiele's roadmap but not yet attained. The current posture is documented controls aligned to SOC 2 Trust Services Criteria (security, availability, confidentiality), with a formal Type I or Type II audit not yet commenced. Buyers requiring SOC 2 attestation as a procurement gate should treat Wiele as a sub-certified vendor and either accept the documented-controls posture under MSA or wait until the certification cycle completes. No misrepresentation: Wiele will not claim certification it has not earned.

Where does client data reside?

EU and UK. All client documents, briefs, deliverables, and analytics data are processed and stored within EU and UK jurisdictions. Hosting infrastructure (Cloudflare) operates with EU-region preferred routing for client-facing assets. No client data is transferred to non-EU/UK jurisdictions without explicit written consent and an appropriate transfer mechanism (Standard Contractual Clauses or equivalent). GDPR is the operating regulatory framework — Wiele typically acts as Data Processor with the client as Data Controller under standard DPA terms.

What sub-processors does Wiele use?

Cloudflare (hosting and content delivery for Wiele-managed client web assets) and Stripe (payment processing for Catalyst-tier engagements; Enterprise tier invoices direct via SEPA or wire and does not touch Stripe). The current sub-processor list is enumerated in the standard DPA exhibit and updated when changes occur. Buyers receive 30-day written notice before any new sub-processor is engaged for their data. Wiele does not use AI-training-eligible vendors for client document processing.

What contractual surfaces are standard?

Three documents form the standard Enterprise procurement package: NDA (mutual non-disclosure, signed before any scoping conversation containing confidential information), MSA (Master Services Agreement, signed before engagement begins, scoping commercial terms and IP custody), and DPA (Data Processing Agreement, signed alongside MSA, scoping data handling under GDPR and equivalent regimes). Wiele provides templated drafts. Buyers may redline or substitute their own templates within procurement-cycle norms.

Who owns the work product?

The client owns all engagement deliverables in full from month one of the engagement onward. This includes brand systems, content, schema, code, audit reports, and strategy documentation. Wiele retains no ownership claim, no buy-out clause, no licensing fee. Underlying methodology (the Wiele Method itself) remains Wiele's. The deliverables produced for the client are the client's. This is doctrine, not negotiation surface.

What happens to client data when an engagement ends?

MSA termination triggers a 30-day data return and deletion cycle. All client documents, deliverables, and project artifacts are returned to the client (typically via secure transfer to a client-designated location). Working copies on Wiele systems are deleted within 30 days of termination, with deletion certified in writing on request. Aggregated, fully anonymised methodology learnings may be retained as part of Wiele's institutional knowledge — no client-identifying data is retained.

§ THE POSTURE · ENTERPRISE

No claimed credentials unearned.

Documented controls · GDPR-aligned · IP yours from month one · roadmap honest.