Security & data protection

How WagePerks handles your data

WagePerks (Wageperks Ltd, SC824820) is the data processor for the employee records UK SME employers put into the platform. This page sets out the basics: where the data lives, who can ask for what, and what we will and won't claim today. We update it when the answers change.

Last reviewed: 11 June 2026. We re-review quarterly.

The honest position

We are early stage and we won't claim certifications we don't hold. The list below is the lot — if a particular control matters to your procurement, ask us by email and we'll answer in writing.

  • UK GDPR and Data Protection Act 2018 — in operation. WagePerks operates as a data processor under UK GDPR and the Data Protection Act 2018. The standard Data Processing Agreement (DPA) is available on request before signature.
  • No certifications held today. We do not currently hold ISO/IEC 27001 certification or Cyber Essentials. We will state plainly on this page when that changes.

Where the data lives

WagePerks production data is hosted on Amazon Web Services in the eu-west-2 (London) region. Production data is not replicated outside the UK. Disaster-recovery backups are held in the same region.

  • Encryption in transit: TLS 1.2 minimum on all public endpoints, including the apex 301 redirect to www. HSTS is enabled (max-age=63072000; includeSubDomains; preload).
  • Encryption at rest: via the AWS-default mechanisms for the storage services we use (RDS, S3, EBS). We don't have any custom key-management posture beyond AWS defaults today.

Sub-processors

The sub-processor list below is the published public version. If you have signed our DPA, you receive the full schedule (which lists the commercial back-end providers we use for payments, voucher fulfilment, and the optional GP/EAP add-on). We notify you in writing before adding any new sub-processor that handles personal data.

Sub-processor | Purpose | Region
Amazon Web Services (AWS) | Application hosting, database, file storage | eu-west-2 (London), UK
Google Workspace | Internal email and document management for WagePerks staff | Configured for EU data residency

Data retention & deletion

Customer data retention follows our data retention policy. Statutory retention (e.g. payslip data under HMRC rules) can be extended on customer request.

If a personal-data breach happens

Under UK GDPR Articles 33 and 34, a processor must notify the controller of a personal-data breach without undue delay, and the controller must notify the ICO within 72 hours where the breach is reportable. WagePerks follows that statutory duty.

Talk to us about security

For procurement diligence, DPA requests, sub-processor schedules under DPA, or anything not answered above — email security@wageperks.com, or use the contact page. We respond inside one working day.

Procurement diligence

Twenty minutes with the founder. We'll answer your security questionnaire live and share the signed DPA.
