L-04 · LEGAL [ SOC 2 · GDPR · CCPA · DPF ]

Compliance.

SOC 2 II · IN PROGRESS · Q3
GDPR · COMPLIANT
CCPA · COMPLIANT
HIPAA · NOT IN SCOPE
CONTENTS 01 · Certifications 02 · GDPR 03 · CCPA 04 · DPF · SCC 05 · Sub-processors 06 · DPA 07 · Data export 08 · Trust requests

Waypath holds itself to the same compliance bar as the systems it integrates with. SOC 2 Type II in progress. GDPR + CCPA aligned today. Standard Contractual Clauses for cross-border transfers. Self-serve sub-processor list and DPA for any customer that asks.

01 · Certifications & standards

C·01 | IN PROGRESS | SOC 2 / TYPE II | Q3 2026 · Prescient Assurance
C·02 | ► LIVE | GDPR | EU region available · DPA on request
C·03 | ► LIVE | CCPA | California residents · opt-out honored
C·04 | ► LIVE | EU-US DPF | Self-certified · active 2026
C·05 | Q4 2026 | ISO 27001 | Surveillance audit · scoped
C·06 | Q1 2027 | HIPAA · BAA | Health vertical · roadmap
C·07 | N/A | PCI DSS | No card data touches Waypath · Stripe handles all
C·08 | N/A | FedRAMP | Government use cases not currently supported

02 · GDPR

  • Lawful basis documented per processing activity — contract or legitimate interest, with opt-in for marketing
  • EU customers may select an EU region at workspace creation (Frankfurt, AWS eu-west-1)
  • Data subject requests handled within 30 days; route via the workspace settings or privacy@waypath.app
  • Privacy by design — derived state only; minimum data footprint per Data Model
  • DPO appointed: dpo@waypath.app

03 · CCPA / CPRA

California residents have rights to know, delete, and opt-out of the sale of personal information. Waypath does not sell personal information. "Do Not Sell or Share" links appear in workspace footers for accounts with California residents identified.

04 · EU-US Data Privacy Framework · SCCs

Waypath is self-certified under the EU-US Data Privacy Framework for transfers from the EEA. For data subject to the UK GDPR or Swiss FADP, we rely on the UK extension to the DPF and Swiss-US DPF respectively. Where DPF doesn't apply, transfers use the EU Commission's Standard Contractual Clauses (Module 2).

05 · Sub-processors

Sub-processor | Purpose | Location
AWS | Compute · storage · networking | US-East-1 · EU-West-1
Stripe | Billing · payment | US
Resend | Service email | US
Vercel | Marketing site CDN | Global edge
Sentry | Error monitoring | US
OpenAI · Anthropic | LLM inference (per workspace toggle) | US

You will receive at least 30 days' notice before any new sub-processor is added. Subscribe to subprocessors@waypath.app for changes.

06 · DPA

We sign a Data Processing Addendum with any customer that requests one. Pre-signed copies available for self-serve on Pro+ via the workspace admin panel. SCCs are incorporated by reference and apply automatically to EEA / UK / Swiss data subjects.

07 · Data export & portability

Every customer can export the full corpus of derived state — customers, signals, moves, outcomes — via POST /v1/exports. Output formats: NDJSON, Parquet, CSV. Exports include the source pointer back into your underlying systems.

08 · Trust requests

For procurement or security review, email trust@waypath.app with your firm domain. We respond within one business day with our up-to-date trust packet (security overview, SOC 2 readiness letter, sample DPA, pen test summary, sub-processor list).

WAYPATH INC. · NY · 2026 UPDATED · 2026-04-22 TRUST · trust@waypath.app ► SECURITY