Enterprise Security & Compliance
SOC 2 Type II certified platform with comprehensive security controls
SOC 2 Type II
Independently audited for security, availability, and confidentiality trust service criteria
- Annual third-party audits
- Independent verification by licensed CPA firm
- Continuous control monitoring
GDPR Compliant
Compliant with EU General Data Protection Regulation (EU 2016/679)
- Data minimization practices
- Data subject rights (access, deletion, portability)
- Data Processing Agreements available
HIPAA Capable
Technical safeguards available for healthcare customers requiring PHI protection (BAA required)
- PHI encryption and access controls
- Comprehensive audit logging
- Business Associate Agreements available
ISO 27001:2022
Information Security Management System certification in progress, expected Q2 2026
- Risk management framework
- Security controls implementation
- Continuous improvement processes
Security Features
Data Protection
- AES-256 encryption for data at rest
- TLS 1.3 encryption for data in transit
- Customer-managed encryption keys (BYOK) available
- Hardware Security Module (HSM) key management
Access Control
- Row-level security (RLS) policies on all database tables
- Role-based access control (RBAC) with least privilege
- Multi-factor authentication (MFA) with TOTP/WebAuthn
- Configurable session timeout and concurrent session limits
Infrastructure
- Cloudflare DDoS protection with 197+ Tbps network capacity
- Tenant data isolation with dedicated database schemas
- Automated security patching within 72 hours of critical CVEs
- Daily encrypted backups with point-in-time recovery
Monitoring & Response
- 24/7 security operations center (SOC) monitoring
- Sentry error tracking with real-time alerting
- Automated incident response runbooks
- Compliance dashboards with exportable audit reports
Data Breach Notification Policy
In the unlikely event of a data breach affecting your personal information, we commit to:
- 72-Hour Notification: Notify affected users and relevant authorities within 72 hours of a confirmed breach (as required by GDPR)
- Transparent Communication: Clearly describe the nature and scope of the breach, affected data, and potential consequences
- Remediation Steps: Provide specific guidance on actions you can take to protect yourself
- Credit Monitoring: Offer complimentary credit monitoring services for breaches involving financial or identity information
- Post-Incident Report: Publish a comprehensive post-incident report detailing root cause analysis and preventive measures implemented
Security Researchers & Bug Bounty
We value the security research community and encourage responsible disclosure of security vulnerabilities.
Responsible Disclosure Policy
- Report vulnerabilities to [email protected]
- Use our PGP key for encrypted communications (available on our security page)
- Allow us 90 days to address the issue before public disclosure
- We will not pursue legal action against researchers acting in good faith
Bug Bounty Program
- Rewards range from $100 to $10,000+ based on severity
- Critical vulnerabilities eligible for expedited payment
- Hall of Fame recognition for qualifying researchers
- Scope includes web app, mobile apps, APIs, and infrastructure
Contact Information
Security Team
For security inquiries, vulnerability reports, or compliance questions:
WAVE Platform, Inc.
Attn: Security Team
251 Little Falls Drive
Wilmington, DE 19808
United States
Email: [email protected]
Phone: 1-888-WAVE-NOW (1-888-928-3669)
Request Compliance Documents
Enterprise customers can request the following documents under NDA:
- SOC 2 Type II Report
- Penetration Test Summary
- Data Processing Agreement (DPA)
- Business Associate Agreement (BAA)
Questions About Security?
Our security team is ready to assist with your compliance and security needs