Security Whitepaper
Last updated: 2026-04-27
WAVE Online, LLC operates an enterprise streaming platform serving 100M+ viewers globally. Our security program is built on industry-standard frameworks (SOC 2 TSC, NIST 800-53, ISO 27001 mapped), defense-in-depth across architectural layers, per-customer compliance attestations, and continuous monitoring with automated incident response.
Compliance attestations
| Framework | Status | Notes |
|---|---|---|
| SOC 2 Type II | In progress | Pre-audit prep; report under NDA on completion |
| HIPAA | BAA-eligible | Per-customer activation; downstream BAAs in place |
| GDPR + UK GDPR | Compliant | DPA + SCCs + DSAR pipeline + breach notification |
| CCPA / CPRA | Compliant | Opt-out registry + GPC handler + DNSMPI link |
| State privacy laws | Compliant | 14-state matrix; per-state deadlines tracked |
| PCI-DSS | SAQ A | Stripe-hosted PAN; PAN never touches WAVE systems |
| TCPA / A2P 10DLC | Compliant | A2P brand registered + SMS Compliance Gateway |
| CAN-SPAM | Compliant | Email Compliance Gateway + RFC 8058 List-Unsubscribe |
| ISO 27001 | Pending | Targeted Q3 2026 |
| FedRAMP | Customer-gated | Activated on first U.S. federal customer |
Architecture security
Application layer
- TypeScript strict mode (catches bugs at compile time)
- Zod validation at all API boundaries
- Helmet.js security headers + Content Security Policy
- CSRF protection (SameSite cookies + token validation)
- Rate limiting per IP and per API key
API layer
- API key authentication for SDK access
- OAuth 2.0 with PKCE for user-facing flows
- Per-endpoint rate limiting
- Distributed tracing on all external calls
Database layer (Supabase)
- AES-256 encryption at rest
- TLS 1.3 in transit
- Row Level Security (RLS) on every table
- Parameterized queries throughout; user input is never concatenated into SQL
- Audit logging on sensitive tables
- Daily backups + 30-day point-in-time recovery
Edge / CDN layer (Cloudflare)
- DDoS protection
- WAF with country block for embargoed jurisdictions
- TLS 1.3 termination
- Bot detection
- CSAM Scanning Tool integration
Identity layer
- Supabase Auth (managed)
- WebAuthn + TOTP MFA
- Passwordless magic-link option
- SAML / OIDC SSO for enterprise
Data classification
- Public: Marketing content — standard TLS
- Internal: Aggregated analytics, internal docs — encrypted at rest, RLS
- Confidential: Customer Data, PII — RLS, encryption, audit logged
- Restricted: Auth credentials, payment tokens — hashed/tokenized, never in logs
- Secret (federal hold): CSAM evidence — legal hold, service-role-only access
Incident response
- 24x7 on-call rotation for P0 and P1
- Documented runbooks for security incidents
- Breach notification per regulatory deadlines (GDPR 72h, HIPAA 60d, CCPA 30d)
- Postmortems published at status.wave.online/postmortems
Encryption
- TLS 1.3 minimum (SSL and TLS 1.0/1.1 disabled)
- AES-256-GCM at rest (Supabase + Cloudflare R2)
- ChaCha20-Poly1305 in transit where TLS 1.3 negotiates it
- Argon2id for password hashing (Supabase)
- HMAC-SHA256 for API key and token signing
- Per-org pepper keyed into HMAC subject hashing (org-scoped privacy)
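As an added illustration of the last two items, not WAVE's own code, the example below shows org-scoped HMAC-SHA256 subject hashing beside HMAC-signed API keys verified in constant time. The peppers, signing key, `<key_id>.<tag>` key format and function names are all assumptions constructed for the example.

```python
import hashlib
import hmac
from typing import Optional

# Constructed placeholder secrets for this example only; a deployment would
# load the signing key and each org's pepper from a secrets manager.
API_SIGNING_KEY = b"example-server-signing-key-not-real"
ORG_PEPPERS = {
    "org_acme": bytes.fromhex("11" * 32),
    "org_globex": bytes.fromhex("22" * 32),
}


def hash_subject(org_id: str, subject: str) -> str:
    """Org-scoped pseudonymous ID: HMAC-SHA256 of the subject keyed with that
    org's pepper. The same subject hashes differently in every org, so records
    cannot be joined across tenants, and a leaked hash cannot be brute-forced
    back to the subject without the pepper."""
    pepper = ORG_PEPPERS.get(org_id)
    if pepper is None:
        # Fail closed: never fall back to an unkeyed hash.
        raise KeyError(f"no pepper provisioned for org {org_id!r}")
    return hmac.new(pepper, subject.encode("utf-8"), hashlib.sha256).hexdigest()


def issue_api_key(key_id: str) -> str:
    """Mint an API key as '<key_id>.<HMAC-SHA256 tag>' (assumed format).
    Only the server signing key is secret; the key_id is a plain identifier."""
    tag = hmac.new(API_SIGNING_KEY, key_id.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"{key_id}.{tag}"


def verify_api_key(api_key: str) -> Optional[str]:
    """Return the key_id if the tag is valid, else None. The recomputed tag is
    compared in constant time so a forger learns nothing from response timing."""
    key_id, sep, tag = api_key.partition(".")
    if not sep or not key_id:
        return None
    expected = hmac.new(API_SIGNING_KEY, key_id.encode("utf-8"), hashlib.sha256).hexdigest()
    return key_id if hmac.compare_digest(expected, tag) else None
```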
Workforce security
- Background checks for personnel with PII access
- Annual security and privacy training (mandatory)
- Annual workforce HIPAA training where applicable
- Code of Conduct + AUP signed at hire
- Same-day access revocation on termination
Penetration testing and audits
- Annual external penetration test
- Quarterly internal vulnerability scans
- Bug bounty program at wave.online/security/responsible-disclosure
- SOC 2 audit + report (in progress)
Request enterprise documents
Enterprise security teams may request, under NDA: full SOC 2 Type II report (on completion); penetration test report; vendor questionnaire response (typical SIG, CAIQ, or custom); architecture deep-dive call. Contact [email protected] or [email protected].