Security & Compliance

Built on Trusted Infrastructure

We don't roll our own security. Waymaker is built on industry-leading providers—Clerk, Supabase, Vercel, and Cloudflare—each with independent SOC 2 Type II certifications. Your data is protected by the same infrastructure trusted by thousands of enterprises.

SOC 2 Certified Providers | GDPR Ready | HIPAA Ready

Our Security Philosophy

Security isn't something you bolt on—it's how you build. We chose best-in-class providers because they have dedicated security teams, independent audits, and compliance certifications we couldn't achieve as quickly on our own. This means you get enterprise-grade security from day one.

No DIY Security

We don't store passwords, manage our own authentication servers, or implement custom encryption schemes. We use proven, audited solutions.

Defense in Depth

Multiple layers of protection: authentication at Clerk, RLS at Supabase, edge security at Vercel, and application-layer validation in our code.

Transparent Roadmap

We're honest about what we have today and what's coming. Our providers are SOC 2 certified—Waymaker's own certification is on the roadmap.

Security Features

Every feature designed with security as a requirement, not an afterthought.

Enterprise Authentication (Live)

Powered by Clerk - industry-leading authentication with SSO, MFA, and session management. No passwords stored on our servers.

Row-Level Security (Live)

Every database query is automatically filtered by organization. Your data is isolated at the database level, not just the application layer.

Encryption Everywhere (Live)

TLS 1.3 in transit, AES-256 at rest. All connections encrypted. Sensitive data like signatures use additional application-layer encryption.

HIPAA-Compliant AI (Live)

Automatic PHI detection routes sensitive healthcare data exclusively to BAA-covered AI providers. 6-year audit trails with SHA-256 hashing.

Security Headers (Live)

Strict CSP, X-Frame-Options, HSTS, and modern security headers prevent XSS, clickjacking, and protocol downgrade attacks.
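The header set described above can be checked mechanically rather than by eye. The following is an added example, not Waymaker's own configuration: a constructed hardened baseline (the CSP sources are placeholders and must match the application's real origins) and a checker that returns findings for a missing CSP, a script-src that allows 'unsafe-inline' or *, no clickjacking protection, a short or incomplete HSTS policy, and a missing nosniff header. The function names and the one-year HSTS minimum are assumptions for the example.

```typescript
// Hypothetical baseline and checker for this example; not Waymaker's code.
export type HeaderMap = Record<string, string>;

// Constructed hardened baseline. The CSP sources must match the app's real origins.
export function securityHeaders(): HeaderMap {
  return {
    "Content-Security-Policy":
      "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
  };
}

const MIN_HSTS_MAX_AGE = 31536000; // one year (assumed threshold for this example)

// Returns the source list of a CSP directive, or undefined if it is absent.
function cspDirective(csp: string, name: string): string[] | undefined {
  for (const part of csp.split(";")) {
    const tokens = part.trim().split(/\s+/);
    if (tokens[0].toLowerCase() === name) return tokens.slice(1);
  }
  return undefined;
}

// Audits a response header map and returns human-readable findings (empty = pass).
export function checkSecurityHeaders(raw: HeaderMap): string[] {
  const h: HeaderMap = {};
  for (const [k, v] of Object.entries(raw)) h[k.toLowerCase()] = v; // names are case-insensitive
  const findings: string[] = [];

  const csp = h["content-security-policy"];
  if (!csp) {
    findings.push("missing Content-Security-Policy");
  } else {
    // script-src falls back to default-src when it is not set explicitly
    const script = cspDirective(csp, "script-src") ?? cspDirective(csp, "default-src");
    if (!script) findings.push("CSP has neither script-src nor default-src");
    else if (script.some((s) => s === "'unsafe-inline'" || s === "*"))
      findings.push("CSP script-src allows 'unsafe-inline' or *");
  }

  // Either a frame-ancestors directive or a restrictive X-Frame-Options blocks framing.
  const xfo = (h["x-frame-options"] ?? "").toUpperCase();
  const framingBlocked =
    (csp !== undefined && cspDirective(csp, "frame-ancestors") !== undefined) ||
    xfo === "DENY" ||
    xfo === "SAMEORIGIN";
  if (!framingBlocked) findings.push("no clickjacking protection (frame-ancestors or X-Frame-Options)");

  const hsts = h["strict-transport-security"];
  if (!hsts) {
    findings.push("missing Strict-Transport-Security");
  } else {
    const m = /max-age=(\d+)/i.exec(hsts);
    if (!m) findings.push("HSTS lacks max-age");
    else if (Number(m[1]) < MIN_HSTS_MAX_AGE) findings.push("HSTS max-age below one year");
    if (!/includeSubDomains/i.test(hsts)) findings.push("HSTS lacks includeSubDomains");
  }

  if ((h["x-content-type-options"] ?? "").toLowerCase() !== "nosniff")
    findings.push("missing X-Content-Type-Options: nosniff");

  return findings;
}
```

Running checkSecurityHeaders against the headers of a live deployment (for instance from a scheduled CI job) turns the policy into a regression test: a framework upgrade that silently drops HSTS or loosens script-src shows up as a finding instead of going unnoticed.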

Audit Logging (Live)

Comprehensive audit trails for compliance reporting. All authentication events, data access, and administrative actions are logged.

Access & Account Security

Comprehensive controls to protect your accounts, manage access, and maintain security at every level.

Authentication

  • Two-Factor Authentication (2FA/MFA)
    All Plans
  • SSO via SAML 2.0
    Coming Soon
  • SCIM User Provisioning
    Coming Soon
  • Magic Link & Passwordless Options
    All Plans
  • Social Login (Google, Microsoft, GitHub)
    All Plans

Session & Device Management

  • Active Session Visibility
    All Plans
  • Remote Session Revocation
    All Plans
  • Device Recognition & Trust
    All Plans
  • Configurable Session Timeouts
    Enterprise
  • IP-Based Access Restrictions
    Enterprise

Admin & Organization Controls

  • Role-Based Access Control (RBAC)
    All Plans
  • Organization & Team Management
    All Plans
  • Member Invitation & Removal
    All Plans
  • Granular Workspace Permissions
    All Plans
  • Admin Audit Logs
    Enterprise

Data Controls

  • Full Data Export (JSON/CSV)
    All Plans
  • Account & Data Deletion
    All Plans
  • AI Training Opt-Out
    All Plans
  • Data Retention Policies
    Enterprise
  • Custom Data Processing Agreement
    Enterprise

Authentication and identity management powered by Clerk — trusted by thousands of companies worldwide.

Compliance Frameworks

Where we stand today on major compliance frameworks—and what's coming.

GDPR

✓ Compliant

Full compliance with EU General Data Protection Regulation

Via: Clerk + Supabase

HIPAA

✓ Ready

Healthcare data protection with BAA-covered AI providers

Via: Anthropic BAA + PHI Detection

SOC 2 Type II

Via Providers

Our infrastructure providers are independently audited—Waymaker's own certification is on our roadmap

Via: Clerk, Supabase, Vercel, Cloudflare

CCPA

✓ Compliant

California Consumer Privacy Act compliance

Via: Clerk + Data Subject Rights

ISO 27001

Roadmap

Information security management certification

Via: Q2 2026

SOC 2 (Waymaker)

Roadmap

Direct Waymaker certification (in addition to provider certifications)

Via: Q3 2026

A Note on Compliance

Our infrastructure providers (Clerk, Supabase, Vercel) each hold their own SOC 2 Type II certifications. This means your data flows through certified, independently audited systems. Waymaker's own SOC 2 certification is planned for 2026 to provide an additional layer of assurance.

Security-First Infrastructure

Every component of our stack is chosen for security, reliability, and compliance.

Clerk
Authentication

Enterprise identity provider with MFA, SSO, and session management

SOC 2 Type II | GDPR | HIPAA
Supabase
Database & Storage

PostgreSQL with row-level security and encrypted storage

SOC 2 Type II | HIPAA Eligible
Vercel
Hosting & CDN

Edge network with DDoS protection and automatic SSL

SOC 2 Type II | GDPR
Cloudflare
Edge Security & WAF

DDoS protection, Web Application Firewall, and global edge network

SOC 2 Type II | ISO 27001 | PCI DSS
Anthropic
AI Provider (HIPAA)

BAA-covered Claude models for healthcare AI workloads

BAA Available | SOC 2
OpenAI
AI Provider (General)

GPT models for non-PHI workloads with enterprise agreements

SOC 2 Type II
Google
AI Provider (General)

Gemini models for general AI workloads with enterprise security

SOC 2 Type II | ISO 27001
xAI
AI Provider (General)

Grok models for conversational AI workloads

Enterprise Ready
Healthcare Ready

HIPAA-Compliant AI Routing

Waymaker automatically detects Protected Health Information (PHI) in AI requests and routes them exclusively to BAA-covered providers. Healthcare organizations can confidently use AI without compliance risk.

  • 3-Layer PHI Detection

    Workspace flags, pattern matching, and context analysis

  • Business Associate Agreement

    Signed BAA with Anthropic for Claude models

  • 6-Year Audit Trail

    HIPAA-required retention with SHA-256 hashed logs

  • No PHI Stored in Logs

    Only hashed references—actual content is never logged

How PHI Routing Works

1. Request arrives with AI prompt
2. Check workspace HIPAA flag
3. Scan for PHI patterns (MRN, SSN, etc.)
4. Route to BAA-covered provider

Result: PHI never touches non-compliant infrastructure
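The four-step routing flow above, together with the hashed-reference audit trail described under "No PHI Stored in Logs", can be expressed as one decision function. The following is an added example, not Waymaker's own code: the types, the provider names, the handful of PHI patterns and the clinical-term co-occurrence used to approximate "context analysis" are all assumptions constructed for illustration, and a real deployment would maintain a far broader, tested ruleset. The routing fails closed: any single signal (workspace flag, pattern hit, or context hit) forces the BAA-covered provider, and the audit record carries only a SHA-256 of the prompt, never its text.

```typescript
import { createHash } from "node:crypto";

// Hypothetical types for this example; they are not Waymaker's real schema.
export type Provider = "baa-covered" | "general";

export interface Workspace {
  id: string;
  hipaaEnabled: boolean; // layer 1: the workspace HIPAA flag
}

export interface AuditRecord {
  workspaceId: string;
  promptSha256: string; // hashed reference only; the prompt text is never stored
  provider: Provider;
  reasons: string[];
  timestamp: string;
}

export interface RoutingDecision {
  provider: Provider;
  phiDetected: boolean;
  reasons: string[];
  audit: AuditRecord;
}

// Layer 2: pattern matching. Constructed, deliberately narrow patterns for the example.
const PHI_PATTERNS: ReadonlyArray<{ name: string; re: RegExp }> = [
  { name: "SSN", re: /\b\d{3}-\d{2}-\d{4}\b/ },
  { name: "MRN", re: /\bMRN[:#\s]*\d{6,10}\b/i },
  { name: "DOB", re: /\b(?:DOB|date of birth)\b[:\s]*\d{1,2}\/\d{1,2}\/\d{2,4}\b/i },
];

// Layer 3: context analysis, approximated here by clinical-term co-occurrence.
const CLINICAL_TERMS = ["patient", "diagnosis", "prescribed", "discharge", "icd-10"];

// Returns the list of detection reasons; an empty list means no PHI signal.
export function detectPhi(prompt: string): string[] {
  const reasons: string[] = [];
  for (const { name, re } of PHI_PATTERNS) {
    if (re.test(prompt)) reasons.push(`pattern:${name}`);
  }
  const lower = prompt.toLowerCase();
  const hits = CLINICAL_TERMS.filter((t) => lower.includes(t));
  if (hits.length >= 2) reasons.push(`context:${hits.join("+")}`);
  return reasons;
}

export function sha256Hex(text: string): string {
  return createHash("sha256").update(text, "utf8").digest("hex");
}

// Steps 1-4 of the routing flow, plus the audit record written for the request.
export function routeAiRequest(
  workspace: Workspace,
  prompt: string,
  now: Date = new Date(),
): RoutingDecision {
  const reasons: string[] = [];
  if (workspace.hipaaEnabled) reasons.push("workspace:hipaa-flag"); // layer 1
  reasons.push(...detectPhi(prompt)); // layers 2 and 3
  const phiDetected = reasons.length > 0;
  // Fail closed: any single signal is enough to force the BAA-covered provider.
  const provider: Provider = phiDetected ? "baa-covered" : "general";
  const audit: AuditRecord = {
    workspaceId: workspace.id,
    promptSha256: sha256Hex(prompt),
    provider,
    reasons,
    timestamp: now.toISOString(),
  };
  return { provider, phiDetected, reasons, audit };
}
```

The audit record is what a reviewer can reconcile six years later: the hash ties an entry to a specific prompt if the original is ever presented again, while the log itself never holds the content that HIPAA would otherwise make it a PHI store.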

Your Data, Your Control

We believe your data belongs to you. Waymaker is designed to give you complete control over your information, with transparency about how it's used and protected.

No Data Selling

Your data is never sold, shared with advertisers, or used to train AI models without explicit consent.

Data Export

Export all your data at any time in standard formats. No lock-in, no barriers.

Right to Deletion

Request complete deletion of your data. We honor all GDPR and CCPA data subject requests.

AI is Optional

All features work without AI. When you do use AI, your data is processed but never retained by providers.

Data Handling Summary

Your Content: Encrypted at Rest

Documents, tasks, and data are encrypted in PostgreSQL with Supabase's AES-256 encryption.

Authentication: Zero Knowledge

Clerk handles all authentication. We never see or store your passwords.

AI Processing: No Retention

AI providers process your prompts but don't retain or train on your data.

Backups: Encrypted

Daily automated backups with point-in-time recovery, all encrypted.

Data Location: US / Global CDN

Primary data in US regions. EU data residency available for Enterprise plans.

Questions About Security?

We're happy to discuss our security practices, provide documentation for your compliance team, or arrange a security review.