Compliance
Our commitments to data protection regulations and industry standards.
Waypath is built to help businesses understand their customer engagement data. We recognize that this responsibility comes with strict obligations around data protection, privacy, and regulatory compliance. This page outlines our current compliance posture and ongoing commitments.
1. GDPR Readiness
COMPLIANT
Waypath is designed to comply with the General Data Protection Regulation (EU) 2016/679. Our GDPR commitments include:
1.1 Lawful Basis for Processing
- Contract performance: Processing necessary to provide the Service you have subscribed to
- Legitimate interest: Analytics and product improvement using aggregated data
- Consent: Marketing communications and optional analytics tracking
1.2 Data Subject Rights
We support all data subject rights under GDPR:
- Right of access (Article 15) -- request a copy of your personal data
- Right to rectification (Article 16) -- correct inaccurate data
- Right to erasure (Article 17) -- request deletion of your data
- Right to restriction (Article 18) -- limit how we process your data
- Right to data portability (Article 20) -- export your data in machine-readable format via our API
- Right to object (Article 21) -- object to processing based on legitimate interest
Requests are processed within 30 days. Contact compliance@waypath.app to exercise any right.
1.3 Data Protection by Design
- Workspace isolation ensures tenant data is separated at the storage layer
- Identity resolution uses privacy-preserving matching (hashed identifiers)
- Minimum necessary permissions for all third-party integrations
- Data minimization in analytics collection
2. CCPA Compliance
COMPLIANT
For California residents, Waypath complies with the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):
- No sale of personal information: We do not sell personal information to third parties
- Right to know: We disclose the categories and purposes of data collection in our Privacy Policy
- Right to delete: California residents may request deletion of their personal information
- Right to opt out: Although we do not sell data, we provide opt-out mechanisms for data sharing with service providers where applicable
- Non-discrimination: We do not discriminate against users who exercise their privacy rights
3. Data Processing Agreements
We provide Data Processing Agreements (DPAs) to customers who require them for GDPR compliance or other regulatory purposes. Our standard DPA includes:
- Description of processing activities, data categories, and data subjects
- Obligations of the processor (Waypath) and the controller (you)
- Sub-processor notification and approval procedures
- Standard Contractual Clauses (SCCs) for international data transfers
- Data breach notification procedures (within 72 hours)
- Audit rights and cooperation obligations
To request a DPA, contact compliance@waypath.app.
4. Data Residency
Waypath offers data residency options to meet your regulatory requirements:
| Region | Location | Status |
| --- | --- | --- |
| United States | US East (Virginia) | AVAILABLE |
| European Union | EU West (Frankfurt) | AVAILABLE |
Data residency selection is configured at the workspace level. Once set, all workspace data (graph store, CRM records, integration credentials) is stored and processed exclusively within the selected region. Contact us to discuss additional regions.
5. Subprocessors
Waypath uses the following subprocessors to deliver the Service. We notify customers of subprocessor changes at least 30 days in advance.
| Subprocessor | Purpose | Location |
| --- | --- | --- |
| Composio | OAuth connection management and third-party integration authentication | United States |
| Vercel | Application hosting, CDN, and edge deployment | Global (edge network) |
| Supabase (planned) | User authentication and account metadata storage | US / EU (configurable) |
We evaluate all subprocessors for security practices, data protection policies, and compliance certifications before engagement. Each subprocessor is bound by a data processing agreement.
6. Certifications and Standards
SOC 2 Type II
IN PROGRESS
We are actively pursuing SOC 2 Type II certification covering the Security, Availability, and Confidentiality Trust Services Criteria. Our controls are designed and operating to meet these standards. Contact us for a current progress update or to review our security controls documentation.
Security Controls Summary
- Encryption in transit (TLS 1.3) and at rest (AES-256)
- Multi-tenant workspace isolation
- JWT-based authentication with configurable expiry
- API key management with hashed storage and instant revocation
- Role-based access control (workspace scoping)
- Continuous dependency vulnerability scanning
- Incident response and breach notification procedures
For more details, see our Security page.
7. Right to Audit
Enterprise customers with a signed DPA have the right to audit Waypath's data processing practices. We support audits through:
- Documentation review: Access to our security policies, procedures, and control descriptions
- Questionnaire responses: We complete standard security questionnaires (SIG, CAIQ, VSAQ) upon request
- Third-party audit reports: SOC 2 reports (when available) and penetration test summaries
- On-site or remote audit: Available by mutual agreement, with reasonable advance notice and scope limitations to protect other customers' data
To request an audit or security review, contact compliance@waypath.app.
8. Data Retention and Deletion
- Active accounts: Data is retained for the duration of your subscription
- Account closure: Data is available for export for 30 days, then permanently deleted within 90 days (including backups)
- Deletion requests: Individual data deletion requests under GDPR or CCPA are processed within 30 days
- Integration data: When you disconnect an integration, synced data remains in your workspace until you delete it
9. Regulatory Updates
We actively monitor regulatory developments affecting data protection and privacy, including:
- EU AI Act requirements for AI-generated insights and scoring
- Evolving US state privacy laws beyond CCPA
- International data transfer mechanisms (EU-US Data Privacy Framework)
- Sector-specific regulations that may apply to our customers' use cases
This page is updated as our compliance posture evolves. Last updated: March 27, 2026.
10. Contact