Security
How we protect your data
Our Commitment
Wren is operated by 2102 Pty Ltd (ABN 91 391 518 847) trading as Wren. We take the security of your business and customer data seriously. Wren is built with security at every layer, from infrastructure and application design through to how we handle payments and third-party integrations. This page describes the measures we have in place to protect your information.
Infrastructure
Your data is processed on Cloudflare's IRAP PROTECTED-assessed infrastructure in Sydney (ap-southeast-2). Cloudflare holds an active IRAP assessment at the PROTECTED level, meeting Australian Government security requirements. Our infrastructure includes:
- Encryption at rest and in transit: All data is encrypted using 256-bit SSL/TLS. Data stored on disk is also encrypted at rest.
- IRAP PROTECTED infrastructure: We use Cloudflare's Australian data centres (Sydney, ap-southeast-2), which hold an active IRAP assessment at the PROTECTED level.
- Redundancy and backups: Regular automated backups are stored in geographically separate Australian locations to protect against data loss.
- Uptime monitoring: We monitor our systems continuously and respond to incidents promptly.
Application Security
Wren is designed with defence-in-depth principles. Our application-level security measures include:
- Authentication-based access controls: Every API endpoint requires a verified session token. Plan-tier feature gates enforce that SMS reminders and late fee tools are available only on eligible plans. Internal administrative endpoints are separately restricted by a server-side API key.
- Audit logging for key account actions: Security-relevant events are logged to an immutable audit trail, including account registration, login, password changes, OAuth integration connect and disconnect, accounting platform sync completions, payment events, reminder sends, and delivery webhook events.
- Secure credential storage: Passwords are hashed and salted using industry-standard algorithms. Plain-text passwords are never stored.
- Input validation and sanitisation: All user inputs are validated and sanitised to prevent injection attacks and cross-site scripting (XSS).
- Regular security reviews: We conduct periodic security assessments and address findings promptly.
Payment Security
All payments are processed by Stripe, which is PCI DSS Level 1 certified, the highest level of payment security certification available.
- We do not store your credit card number, CVV, or full card details on our servers.
- Only tokenised references and the last four digits of your card are retained for your records.
- All payment communication between your browser and Stripe is encrypted end-to-end.
Accounting Integration Security
Wren connects to your accounting platform (Xero, QuickBooks) using OAuth 2.0, the industry-standard authorisation protocol. All supported integrations follow the same security standards. Our integrations are designed with the principle of least privilege:
- OAuth 2.0 connection: We never see or store your accounting platform password. Access is granted through a secure token exchange.
- Read-only access by default: We request only the permissions needed to sync invoice and contact data. Write access is requested separately and clearly disclosed before authorisation.
- Token encryption at rest: All OAuth access and refresh tokens are encrypted using AES-256-GCM before storage. Tokens are decrypted only at the point of use and are never exposed in logs or application code.
- Revocable at any time: You can disconnect Wren from your accounting platform at any time through your platform settings or the Wren dashboard.
Both Xero and QuickBooks integrations use the same encryption, token handling, and security controls. No integration receives lesser security treatment than another.
Data Retention
We retain your data for as long as your account remains active, plus 12 months after account closure. This retention period allows you to reactivate your account and recover your data if needed.
- After the 12-month retention period, all data is permanently deleted from our systems and backups.
- You may request earlier deletion of your data at any time by contacting us.
- Certain records may be retained longer where required by Australian tax or legal obligations.
Reporting Vulnerabilities
If you discover a security vulnerability in Wren, we encourage you to report it to us responsibly. We take all reports seriously and will respond within 48 hours.
- Email: [email protected]
Please include as much detail as possible, including steps to reproduce the issue, the potential impact, and any suggested remediation. We will acknowledge your report, investigate the issue, and keep you informed of our progress.
We ask that you do not publicly disclose any vulnerability before we have had an opportunity to address it. We will not take legal action against individuals who report vulnerabilities in good faith and follow responsible disclosure practices.