# Security

> Wave Connect's security practices, certifications, and compliance

## Overview

Wave Connect takes security seriously. We implement industry-standard security practices across infrastructure, application development, access management, and employee operations to protect your data and your team's information.

For more details, visit [security.wavecnct.com](https://security.wavecnct.com).

***

## Compliance & Certifications

| Certification        | Details                                                                                               |
| -------------------- | ----------------------------------------------------------------------------------------------------- |
| **SOC 2 Type II**    | Certified. Report available under NDA — contact [security@wavecnct.com](mailto:security@wavecnct.com) |
| **CSA STAR Level 1** | Listed in the Cloud Security Alliance STAR registry                                                   |
| **GDPR**             | Fully compliant. Data Processing Agreement available for enterprise customers                         |
| **EU AI Act**        | Compliant with applicable requirements                                                                |

**Security standards followed** (not certified, but aligned):

* OWASP Top 10
* CSA CAIQ
* CIS benchmarks
* NIST-aligned practices

***

## Infrastructure

Wave's infrastructure is built on managed cloud services, operating under a shared responsibility model with our providers.

| Provider                  | Role                                                     |
| ------------------------- | -------------------------------------------------------- |
| **Google Cloud Platform** | Core application infrastructure, compute, and networking |
| **Vercel**                | Frontend delivery and edge network                       |
| **PlanetScale**           | Database (MySQL-compatible, globally distributed)        |
| **Cloud Storage**         | File and asset storage                                   |

Infrastructure is designed for high availability with automatic failover. All providers maintain their own independent security certifications (SOC 2, ISO 27001).

***

## Data Residency

* Customer application data is stored and processed in the **United States**
* Data is processed only in approved regions
* Enterprise customers can inquire about data residency options

A full list of sub-processors is available in our [Data Processing Agreement](https://www.wavecnct.com/legal/data-privacy-addendum).

***

## Encryption

**In transit**

* TLS 1.3 for all connections
* HTTPS enforced across all endpoints
* HSTS enabled

**At rest**

* AES-256 encryption for all stored data
* Cloud-managed encryption keys via Google Cloud KMS
* Key rotation and access controls enforced through Secret Manager

***

## Identity & Access Management

**Authentication options**

* SAML 2.0 Single Sign-On
* OpenID Connect (OIDC)
* SCIM 2.0 automated provisioning and deprovisioning

**Multi-factor authentication**

* Enforced through your SSO provider when SAML or OIDC is enabled

**Role-based access control**

| Role        | Access                                                               |
| ----------- | -------------------------------------------------------------------- |
| **Owner**   | Full account access, including billing and plan management           |
| **Admin**   | Manage users, templates, contacts, and settings                      |
| **Manager** | Manage team leads and distribute templates; no access to company-wide settings |
| **Member**  | Use their assigned digital business card and view their own contacts |
| **Viewer**  | Read-only access                                                     |

**Least privilege**

* All internal access follows the principle of least privilege
* Quarterly access reviews conducted internally
* Automated deprovisioning through SCIM when users leave

***

## Password Security

* Minimum password length and complexity requirements enforced
* Account lockout after repeated failed login attempts
* Secure password reset via verified email
* Session timeout enforced on inactivity

***

## Application Security

**Secure development lifecycle**

* Threat modeling as part of feature design
* Mandatory peer code review and pull request approval before merging
* Security requirements reviewed at each release
* Dedicated release approval process

**Static analysis and scanning**

* CodeQL static analysis on all code changes
* Automated dependency vulnerability scanning
* Secret scanning to prevent credential leaks in code

**Secure coding practices**

* OWASP Top 10 guidelines followed
* Input validation and output encoding enforced
* Dependency updates applied on a regular cadence

***

## Vulnerability Management

**Scanning**

* Continuous automated dependency scanning
* Infrastructure vulnerability scanning

**Patch management timelines**

| Severity | Target remediation |
| -------- | ------------------ |
| Critical | 24 hours           |
| High     | 7 days             |
| Medium   | 30 days            |
| Low      | 90 days            |

**Penetration testing**

* Independent third-party penetration test conducted annually
* Findings are triaged and remediated according to severity timelines

***

## Monitoring & Logging

**Logs collected include:**

* Authentication events (login, logout, failed attempts)
* Admin actions (user changes, settings updates)
* API activity
* Security events

**Monitoring**

* 24/7 cloud infrastructure monitoring via Google Cloud Monitoring
* Automated alerting on anomalies and security events
* Suspicious login detection
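The Password Security section above states that accounts lock after repeated failed login attempts, and this section states that authentication events (including failed attempts) are logged and alerted on. The following is an added example, not Wave Connect's own code or log schema, showing how those two controls fit together: a monitor that reads authentication events, keeps a sliding window of failures per account, locks the account once a threshold is reached, and raises an alert for the lockout and for any attempt against a locked account. The log line format, the field names, the threshold of five attempts, the 15-minute window and the 30-minute lockout are all assumptions chosen for the example; the sample log lines are constructed.

```python
"""
Added example (not Wave Connect's code): a failed-login monitor that shows
how account lockout (Password Security) and alerting on failed-attempt
bursts in authentication logs (Monitoring) work together.

The log format ("ISO-timestamp event user ip"), the field names and the
policy values below are assumptions made for this example.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed policy values (hypothetical, chosen for the example).
MAX_FAILED_ATTEMPTS = 5                  # lock after this many failures ...
FAILURE_WINDOW = timedelta(minutes=15)   # ... inside this sliding window
LOCKOUT_DURATION = timedelta(minutes=30)

# Constructed sample authentication events (not real data).
SAMPLE_LOG = """\
2024-05-01T09:00:00 login_failed alice 198.51.100.7
2024-05-01T09:00:20 login_failed alice 198.51.100.7
2024-05-01T09:00:41 login_failed alice 198.51.100.7
2024-05-01T09:01:05 login_failed alice 198.51.100.7
2024-05-01T09:01:30 login_failed alice 198.51.100.7
2024-05-01T09:01:55 login_success alice 198.51.100.7
2024-05-01T09:02:10 login_failed bob 203.0.113.4
2024-05-01T09:30:00 login_success bob 203.0.113.4
2024-05-01T11:00:00 login_success alice 198.51.100.7
"""


def parse_event(line):
    """Split one assumed-format log line into (timestamp, event, user, ip)."""
    ts, event, user, ip = line.split()
    return datetime.fromisoformat(ts), event, user, ip


class LoginMonitor:
    """Tracks recent failures per account and decides lockouts and alerts."""

    def __init__(self):
        self.failures = defaultdict(deque)  # user -> timestamps of recent failures
        self.locked_until = {}              # user -> lockout expiry time
        self.alerts = []                    # (timestamp, message) for the SOC

    def _prune(self, user, now):
        """Drop failures that fell out of the sliding window."""
        window = self.failures[user]
        while window and now - window[0] > FAILURE_WINDOW:
            window.popleft()

    def is_locked(self, user, now):
        return user in self.locked_until and now < self.locked_until[user]

    def process(self, line):
        """Apply one event; returns 'failed', 'locked', 'success' or 'ignored'."""
        now, event, user, ip = parse_event(line)
        if self.is_locked(user, now):
            # Any attempt during a lockout is refused and alerted on, even
            # one with the correct password: the lockout has to hold.
            self.alerts.append((now, f"attempt on locked account {user} from {ip}"))
            return "locked"
        if event == "login_failed":
            self._prune(user, now)
            self.failures[user].append(now)
            if len(self.failures[user]) >= MAX_FAILED_ATTEMPTS:
                self.locked_until[user] = now + LOCKOUT_DURATION
                self.failures[user].clear()
                self.alerts.append(
                    (now, f"lockout: {user} after {MAX_FAILED_ATTEMPTS} failures from {ip}")
                )
                return "locked"
            return "failed"
        if event == "login_success":
            self.failures[user].clear()  # a successful login resets the counter
            return "success"
        return "ignored"


def run(log_text):
    """Feed every non-empty line to a fresh monitor; return outcomes and alerts."""
    monitor = LoginMonitor()
    outcomes = [monitor.process(line) for line in log_text.splitlines() if line.strip()]
    return outcomes, monitor.alerts


if __name__ == "__main__":
    outcomes, alerts = run(SAMPLE_LOG)
    for outcome, line in zip(outcomes, SAMPLE_LOG.splitlines()):
        print(f"{outcome:8} {line}")
    for ts, message in alerts:
        print(f"ALERT {ts.isoformat()} {message}")
```

In the sample, alice's fifth failure inside the window locks the account, so her correct-password login 25 seconds later is refused and produces a second alert; her login nearly two hours later succeeds because the lockout has expired. The same per-account window is what an alerting rule over the collected authentication events would key on.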

***

## Incident Response

Wave maintains a formal Incident Response Plan covering:

* **Severity classification**: Critical, High, Medium, Low
* **Investigation process**: containment, analysis, and evidence preservation
* **Root cause analysis**: post-incident review for all significant events
* **Customer notification**: affected customers are notified promptly in accordance with regulatory requirements
* **Regulatory notification**: GDPR breach notifications within 72 hours where applicable
* **Post-mortems**: documented and reviewed internally after major incidents

To report a security vulnerability, contact [security@wavecnct.com](mailto:security@wavecnct.com).

***

## Business Continuity & Backups

**Recovery objectives**

* RTO (Recovery Time Objective): 4 hours
* RPO (Recovery Point Objective): 1 hour

**Business Continuity Plan**

* Formal BCP in place and tested semi-annually
* Disaster Recovery Plan tested on a regular basis

**Backups**

* Daily automated backups
* Backups encrypted at rest
* Restore testing performed regularly
* Backup retention aligned with data classification policies

***

## Availability

* High availability architecture with automatic failover
* Status page available at [status.wavecnct.com](https://status.wavecnct.com)
* SLA available for Enterprise customers

***

## Network Security

* Google Cloud Firewall and Cloud Armor
* DDoS mitigation at the network and application layer
* Rate limiting on all API endpoints
* OWASP-aligned protections (injection, XSS, CSRF)
* Intrusion detection and prevention systems (IDS/IPS)

***

## Endpoint Security

All employee devices are subject to:

* Full disk encryption
* Company-managed device policy
* Antivirus and endpoint protection
* Automatic OS and security updates
* Screen lock enforcement
* Minimum device requirements for remote access

***

## Physical Security

Wave is a remote-first company. There are no on-premises data centers. Physical infrastructure security is managed by Google Cloud, whose data centers are independently certified to ISO 27001, SOC 2, and other standards.

Employees follow secure home office requirements, and devices are securely disposed of at end of life.

***

## Employee Security

* Background checks conducted for all employees
* Security awareness training at onboarding
* Quarterly security and privacy training
* Acceptable Use Policy signed by all employees
* Confidentiality agreements in place

***

## Vendor Security

Wave maintains a Vendor Risk Management Program. Third-party providers are reviewed before onboarding and assessed based on their security posture (SOC 2 reports, security questionnaires, and vendor assessments).

**Key sub-processors**

| Vendor       | Purpose                       |
| ------------ | ----------------------------- |
| Google Cloud | Infrastructure and compute    |
| Vercel       | Frontend and edge delivery    |
| PlanetScale  | Database                      |
| Twilio       | SMS communications            |
| Stripe       | Payment processing            |
| Shopify      | E-commerce                    |
| Zendesk      | Customer support              |
| Microsoft    | Productivity and integrations |
| MaxMind      | IP geolocation                |

The full sub-processor list is available in our [Data Processing Agreement](https://www.wavecnct.com/legal/data-privacy-addendum).

***

## AI Security

Wave uses AI in the following features:

* **Universal Badge Scanner**: OCR to extract contact information from business cards and event badges
* **Contact enrichment**: Filling in missing profile fields from public sources
* **Content moderation**: Detecting policy-violating content on profiles

**Key statements:**

* Customer data is **not** used to train AI models
* AI features can be disabled where applicable
* AI providers are disclosed in our sub-processor list

***

## Data Classification

| Classification   | Description                                             |
| ---------------- | ------------------------------------------------------- |
| **Public**       | Marketing content, public-facing documentation          |
| **Internal**     | Operational data, internal communications               |
| **Confidential** | Customer data, business data, security configurations   |
| **Restricted**   | Authentication credentials, encryption keys, audit logs |

***

## Data Protection

* Logical tenant isolation: each organization's data is separated at the application and database level
* Role-based access control prevents cross-tenant data access
* Audit logging for all sensitive operations
* Data minimization principles applied at collection

***

## Enterprise Security Features

<CardGroup cols={2}>
  <Card title="Single Sign-On (SAML)" icon="key" href="/security/saml-sso">
    Authenticate users through your identity provider via SAML 2.0 or OIDC.
  </Card>

  <Card title="Directory Sync (SCIM)" icon="rotate" href="/security/scim">
    Automate user provisioning, deprovisioning, and team mapping.
  </Card>

  <Card title="Custom Domains" icon="globe" href="/security/custom-domains">
    Use your own domain for Wave profiles and sharing links.
  </Card>
</CardGroup>
