Security at WAVE
We build on a hardened, compliance-aligned stack and welcome responsible disclosure.
Defense in depth
Every request is authenticated, scoped, and metered at one edge gateway. Built on Cloudflare, Supabase, and Stripe — all SOC 2 Type II infrastructure.
Encryption
TLS in transit and at rest across the platform. Secrets are centrally managed and never committed to source.
Compliance posture
GDPR/CCPA aligned, HIPAA-ready under a signed BAA, EU AI Act Article 26 record-keeping, with a signed DPA available.
Auditability
Immutable audit records with multi-year retention, carried end to end through the gateway.
Responsible disclosure
Found a vulnerability? Email security@wave.online with details and reproduction steps. We acknowledge reports promptly, do not pursue legal action for good-faith research, and will credit you once a fix ships.