Security

Security Overview

This page summarizes the current security posture and operating principles for WaverSec Protect. It is meant to help customers understand the present design and security approach.

Effective date: March 1, 2026

This page is a summary of current practices, not a guarantee that every control will remain unchanged forever. If the parties sign a negotiated security addendum or order form, that document governs.

Security principles

WaverSec Protect is designed around data minimization, least privilege, and reducing the amount of retained message data in WaverSec systems.

The current architecture emphasizes local or customer-side processing for core controls and uses optional cloud intelligence only where configured by the customer.

Access control

Administrative access to customer environments is mediated through authenticated product accounts and role-based application flows. Internal access to production systems is limited to personnel and subprocessors who require that access to operate or secure the service.

Transport and platform protection

Supported API communications use transport encryption. Service endpoints also apply validation, abuse controls, and rate limiting intended to reduce misuse and protect platform stability.

Application and operational security

WaverSec uses logging, monitoring, and controlled operational workflows to support service reliability and incident response. Product settings, tokens, and API key lifecycle controls are managed through the service and related backend systems.

Data minimization

WaverSec Protect is designed so that message bodies, recipient lists, and attachment files are not retained in WaverSec application databases as normal service records. Operational data such as account, configuration, usage, and billing data is still retained where needed to operate the service.

Incident response

WaverSec investigates confirmed security incidents and takes reasonable containment, remediation, and communication steps appropriate to the incident. Where WaverSec is acting as processor for customer data, relevant customers will be notified without undue delay after awareness of a confirmed incident affecting their personal data, subject to legal and operational constraints.

Shared responsibility

Customers are responsible for their user administration, deployment decisions, policy design, endpoint security, mailbox governance, and the lawfulness of their own use of WaverSec Protect.

WaverSec is responsible for the security of the service components it operates directly and for managing subprocessors consistent with the customer agreement and applicable law.

Subprocessors and third parties

WaverSec currently uses Clerk for identity and authentication, Vercel for application hosting and edge delivery, Neon for managed database hosting, PostHog for optional analytics, and OpenAI and Anthropic for optional AI capabilities that a customer enables.

Those providers are selected and used as part of operating the service, and data shared with them is limited to what is reasonably needed for the relevant function.