The shortest version: least-privilege everywhere, encrypted in transit and at rest, isolated per workspace, audited continuously, no shared keys, no shared data planes. Full details below.
Encryption
AES-256 at rest. TLS 1.3 in transit. Per-workspace data keys, rotated quarterly.
Isolation
Per-workspace logical partition. No cross-tenant queries possible at the DB layer.
Uptime
30-day rolling. Live status at status.waypath.app.
SOC 2 II
Type II audit in progress with Prescient Assurance. Q3 2026 target.
01 Summary
Security is a first-class product surface, not a checklist. We treat agent-fired actions on customer data the same way a bank treats wire transfers — every move is signed, logged, replayable, and revocable.
02 Infrastructure
- Hosted on AWS US-East-1 (default) and EU-West-1 (Enterprise opt-in)
- VPC-isolated; no public IP egress except through the API gateway
- Workloads run in single-tenant containers per workspace; the orchestrator runs in a separate VPC
- All artifacts immutable; CI/CD pipelines signed via Sigstore
03 Encryption
- In transit: TLS 1.3, HSTS preload, certs auto-rotated weekly via Let's Encrypt
- At rest: AES-256, AWS KMS-managed keys with per-workspace data encryption keys
- Secrets: AWS Secrets Manager + envelope encryption; no plaintext credentials in code or logs
- Backups: AES-256 encrypted, replicated to a separate region, 35-day rolling
04 Access control
- SSO required for production access (Google · Microsoft · SAML)
- Hardware-key 2FA enforced for all engineers
- Just-in-time elevation; no standing admin in production
- Every privileged action emits an audit event; reviewed weekly
05 Tenant isolation
Each workspace gets a logical partition keyed on workspace_id. Queries that don't include the partition key fail at the ORM layer. Per-workspace data keys mean even if one tenant's key is compromised, no other tenant's data can be decrypted.
06 Monitoring
- 24/7 on-call rotation; PagerDuty escalation for P0/P1
- Anomaly detection on auth, API patterns, and agent fires
- Centralized logging via CloudWatch + Loki; logs retained 90 days
- External monitoring from 4 geographies
07 Agent safety
The agents have capability boundaries — not just policy. Lead Designer can write artifacts but cannot fire them. Outreach can fire but cannot read PII outside its lane. Orchestrator routes but cannot directly fire. This is enforced at the runtime, not by prompt instructions.
Do-not-contact lists are enforced at the bus layer; agents physically cannot send to a blocked recipient.
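A sketch of what runtime-enforced capability boundaries and a bus-level do-not-contact check can look like. This is an added example, not Waypath's code; the names Cap, GRANTS, Bus, Denied and attempt, and the sample addresses, are hypothetical.

```python
from enum import Flag, auto

class Cap(Flag):
    WRITE_ARTIFACT = auto()
    FIRE = auto()
    ROUTE = auto()

# Hypothetical grants mirroring the three roles described above.
GRANTS = {
    "lead_designer": Cap.WRITE_ARTIFACT,
    "outreach": Cap.FIRE,
    "orchestrator": Cap.ROUTE,
}

class Denied(Exception):
    """Raised when the bus refuses an action."""

class Bus:
    def __init__(self, grants, do_not_contact):
        self._grants = dict(grants)
        # Normalise once so case or whitespace variants cannot slip past.
        self._blocked = {r.strip().lower() for r in do_not_contact}
        self.audit = []   # (agent, action, target, outcome)
        self.sent = []    # (recipient, artifact_id)

    def fire(self, agent, recipient, artifact_id):
        target = recipient.strip().lower()
        # Default deny: an unknown agent holds no capabilities.
        if Cap.FIRE not in self._grants.get(agent, Cap(0)):
            self.audit.append((agent, "FIRE", target, "deny:capability"))
            raise Denied(f"{agent} lacks FIRE")
        # The blocklist lives in the bus, not in agent code, so no agent
        # code path (or prompt) can skip it.
        if target in self._blocked:
            self.audit.append((agent, "FIRE", target, "deny:do_not_contact"))
            raise Denied(f"{target} is on the do-not-contact list")
        self.sent.append((target, artifact_id))
        self.audit.append((agent, "FIRE", target, "allow"))

def attempt(bus, agent, recipient, artifact_id="artifact-1"):
    """Return 'sent' or the denial reason instead of raising."""
    try:
        bus.fire(agent, recipient, artifact_id)
        return "sent"
    except Denied as exc:
        return f"denied: {exc}"
```

Every denial lands in the audit list alongside the allowed sends, which is what makes refused attempts reviewable after the fact.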
08 Incident response
- P0 (data exposure / outage): customer notification within 4 hours of confirmation
- P1 (degraded service): customer notification within 24 hours
- Post-mortem published within 14 days of resolution at status.waypath.app
09 SDLC
- All code reviewed by at least one other engineer; security-sensitive code requires security-team review
- Dependencies scanned daily (Dependabot · Snyk); high CVEs patched within 7 days
- Annual penetration test by independent third party (next: 2026-Q3)
- SAST + DAST run on every PR
10 Responsible disclosure
Found a vulnerability? Email security@waypath.app. We respond within 24 hours, fix critical issues within 7 days, and credit you on this page (or stay quiet if you prefer). Cash bounty up to $10,000 for high-impact, in-scope findings.