During the active period of the relevant Wrike agreement between Wrike and the Customer identified in the corresponding Order Form (collectively, along with its governing Terms & Conditions, referred to as the “Agreement”), Wrike has established and commits to maintaining a comprehensive written information security and privacy program (the “Information Security Program”). This program is designed to align with the requirements of this Addendum, widely recognized industry standards for information security, and applicable legal obligations. As part of this program, Wrike has implemented and agrees to uphold administrative, technical, and physical security measures intended to safeguard the confidentiality, integrity, and availability of Customer Data.
1. Definitions
1.1 Customer Data: All data or information submitted by or on behalf of Customer to the Service, not including Aggregated Anonymous Data.
1.2 Information Security Program: Wrike’s policies, procedures, and practices designed to protect the security, confidentiality, integrity, and availability of Customer Data.
1.3 Security Incident: Any unauthorized access, use, disclosure, alteration, destruction, or loss of Customer Data, or any event that compromises the security of the Service.
1.4 Service: Wrike’s hosted, on-demand, web-based offering subscribed to by Customer as identified in the Agreement, including any updates thereto. The Service as defined in the Agreement shall not include Professional Services (if any). Wrike may update the Service at any time in its sole discretion, provided that updates shall not substantially diminish or eliminate the core functionality of the Service.
2. Information Security Program
2.1 Establishment and Maintenance: During the term of the Agreement, Wrike shall establish and maintain a written Information Security Program designed to protect Customer Data in accordance with this Addendum, applicable laws, and widely accepted industry practices. This program shall be designed to protect against threats or hazards to the security of Customer Data and unauthorized access that could result in substantial harm or inconvenience to Customer.
2.2 Safeguards: The Information Security Program shall include administrative, technical, and physical safeguards to:
- Ensure the confidentiality, integrity, and availability of Customer Data;
- Protect against unauthorized access, use, disclosure, or loss of Customer Data;
- Mitigate reasonably foreseeable internal and external security risks.
2.3 Updates: Wrike may periodically update the Information Security Program to reflect evolving threats, technologies, and industry practices, provided such updates do not materially diminish the protections afforded to Customer Data. Updates will be documented and maintained by Wrike.
3. Administrative and Organizational Safeguards
3.1 As part of its Information Security Program for the core Service, Wrike has implemented and agrees to maintain the following safeguards:
- Qualified Personnel: Designation of qualified employees responsible for overseeing and implementing the Information Security Program, with regular reviews by senior management.
- Risk Assessment: Identification and assessment of reasonably foreseeable internal and external risks to Customer Data, with safeguards adjusted based on evolving threats, technologies, and practices, ensuring no material diminishment of protections.
- Human Resource Security: Wrike requires background checks on any Wrike employees with access to Customer Data.
- Policies and Training: Written security policies and procedures, with regular training for personnel (at least annually) on security best practices and compliance with this Addendum.
3.2 Wrike establishes Business Continuity and Disaster Recovery Plans that outline procedures for data backup and recovery, emergency operation, and testing of contingency and recovery procedures. These plans also include an assessment of the criticality of Wrike's systems and data.
3.3 Wrike regularly tests and monitors the effectiveness of its Information Security Program, including through security audits, and will evaluate its Information Security Program and information security safeguards in light of the results of the testing and monitoring and any material changes to its operations or business arrangements.
3.4 Wrike requires Wrike employees to acknowledge Wrike’s Information Security Program annually.
4. Technical Security
4.1 Wrike requires the use of unique user IDs, strong password policies, and multi-factor authentication where appropriate. Wrike requires multi-factor authentication for any remote network and system access. Wrike requires that employees’ passwords satisfy minimum length and complexity requirements and be changed periodically.
4.2 Wrike maintains role-based access restrictions for its systems, including restricting access to only those Wrike employees or subcontractors that require access to perform the services described in the Agreement, or to facilitate the performance of such services, such as system administrators, consistent with the concepts of least privilege, need-to-know, and separation of duties.
4.3 Wrike periodically reviews its access lists to ensure that access privileges have been appropriately provisioned and regularly reviews and terminates access privileges for Wrike employees that no longer need such access.
4.4 Wrike logs system activity—including authentication events, changes in authorization and access controls, and other system activities—and regularly reviews and audits such logs.
4.5 Wrike maintains network security measures, including but not limited to firewalls to segregate its internal networks from the internet, risk-based network segmentation, intrusion prevention or detection systems to alert Wrike to suspicious network activity, and anti-virus and malware protection software.
4.6 Wrike has implemented workstation protection policies for its systems, including automatic application logoff after a period of inactivity and locking the system after a defined number of incorrect authentication attempts.
4.7 Wrike conducts regular and periodic vulnerability scans and assessments on all systems storing, processing, or transmitting Customer Data to identify potential vulnerabilities and risks to Customer Data.
4.8 Wrike remediates identified vulnerabilities in a risk-prioritized and timely manner, including timely implementation of all high-risk mitigating manufacturer- and developer-recommended security updates and patches to systems and software storing, processing, or transmitting Customer Data.
4.9 Wrike implements secure coding practices, including code reviews and threat modeling, with vulnerability assessments and penetration testing conducted at least annually by qualified third parties.
4.10 Wrike has implemented encryption controls, using AES-256 and strong encryption protocols, to ensure that Customer Data is encrypted during transmission over public networks and at rest.
5. Physical Security
5.1 Wrike utilizes data centers and facilities hosting Customer Data secured with 24/7 monitoring, restricted access, and environmental protections.
5.2 Wrike runs real-time database replication to ensure that Customer Data is both backed up and available on redundant and geographically dispersed systems, physically separated from the primary Wrike application servers.
5.3 Wrike requires the destruction of Customer Data on physical media to prevent reconstruction as part of its equipment, device, and electronic media disposal and reuse policies and procedures.
6. Incident Response
6.1 Wrike will inform Customer of any confirmed security incident, defined as accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data, within the time period required by law.
6.2 Wrike will also take steps consistent with the Incident Response Plan to investigate, mitigate, remediate, and otherwise respond to such incidents. Customer will be notified at the email address associated with their administrator account, or at another email address that Customer provides to Wrike in writing for security incident notifications. The notification shall include, to the extent known at the time:
- A description of the Security Incident, including date and time of occurrence;
- The type and scope of Customer Data affected;
- The measures taken or proposed to address the Security Incident; and
- Contact information for further inquiries.
6.3 If Customer is subject to a regulatory inquiry or threatened litigation relating to a security incident, Wrike will provide Customer with reasonable assistance and support in responding to such investigation.
7. Subcontractors
7.1 To help provide the Service, Wrike may use third-party subprocessors that are bound by security obligations materially consistent with this Addendum. Subprocessors shall be contractually required to maintain confidentiality and security standards.
7.2 Wrike conducts diligence of prospective subcontractors to ensure that they are capable of meeting the security standards set forth in this Addendum and requires them to comply with terms that are substantially similar to those set forth in this Addendum.
7.3 The list of sub-processors is accessible at https://www.wrike.com/legal/subprocessors-list/
7.4 The Service has implemented an integration with Klaxoon, a recently acquired company. This integration, requiring separate activation by the Customer, facilitates seamless connectivity and data exchange between the respective platforms, thereby enabling users to utilize the functionalities of both the Service and the Klaxoon product.
- Klaxoon operates under its own security framework, distinct from this Addendum, and is governed by a separate security addendum. Klaxoon’s security practices, policies, and obligations are detailed in its security addendum, available at https://klaxoon.com/solutions-trust-center
- This Addendum does not apply to Klaxoon; Customer acknowledges its security is managed independently via the referenced resources.
8. Miscellaneous
8.1 In conflicts between this Addendum and the Agreement, this Addendum prevails for core Service security matters.
8.2 Wrike may update or make changes to the terms of this Addendum from time to time for valid reasons, such as adding new functions or features to the Service, technical adjustments, corrections of typographical or other errors, for legal or regulatory reasons or for any other reasons as Wrike deems necessary, at its sole discretion, without notice (but the modified Addendum may be reviewed at https://www.wrike.com/legal/enterprise-winfosec/ and will be identified by the last updated date). Customer’s continued access to and use of the Service after the changes have been implemented constitutes acceptance of the changes and the then-current terms. When material changes to the terms of the Agreement and the Addendum are made, Wrike will provide Customer with notice as appropriate under the circumstances, e.g., by displaying a prominent notice within the Service or by sending Customer an email. Customer’s continued access to and use of the Service after such notice and implementation of the changes will constitute Customer’s acceptance of the changes and the then-current terms.