Bank-grade security. Plain-English explanations.
Every claim on this page is something you can verify yourself — we name the source of truth for each one.
Encryption in transit and at rest
Every connection between you, Wedge, and our infrastructure is TLS 1.3 (the same standard banks use). Database storage is AES-256 encrypted by default — including invoices, customer details, and any uploaded receipts.
- TLS 1.3 in transit (Vercel + Railway default).
- AES-256 at rest (Supabase default).
- Data stored in UK/EU regions only — no transatlantic transfers.
Card details never touch Wedge
All card processing is handled by Stripe (PCI DSS Level 1, the highest tier). We never see, store, or transmit card numbers — they go straight from your customer's browser to Stripe's vault. Stripe also carries chargeback liability, not you.
- PCI DSS Level 1 (Stripe).
- We never store CVV, PAN, or expiry.
- Pay by Bank uses Open Banking — no card details at all.
Built on official WhatsApp Business
Wedge runs on Meta's WhatsApp Business Platform — the same encryption your customers already trust. We never proxy WhatsApp messages through unverified gateways, and customers see your verified business account, not a random number.
UK GDPR by design
Data minimisation by default — we only ask for what we need to send invoices and process payments. You can export all your data with one click and delete your account from the dashboard. ICO registration is in progress; the registration number will be surfaced here once issued.
- One-click data export.
- Soft delete with 30-day recovery, then hard delete.
- Audit log on every data-changing action.
- Marketing and analytics consent are independently revocable.
Magic-link sign-in, no passwords stored
Wedge uses email magic links — no password to lose, leak, or have phished. Sign-in tokens are single-use and expire after 15 minutes. Your session lives in an HttpOnly, Secure, SameSite=Lax cookie for 7 days.
Operational practices
Service-role keys never leave the server. We use scoped Stripe Connect tokens per tradesperson — a compromised user account can't reach another's data. Backups are encrypted, geographically separated, and tested.
Found something? Tell us.
Email hello@getwedge.co.uk with details and we'll respond within one working day. Please don't exploit anything you find — coordinated disclosure only.