← Back to Waypath
Security
How we protect your data and the infrastructure that powers Waypath.
Security is foundational to everything we build at Waypath. Our platform processes sensitive customer engagement data and connects to critical business systems, so we hold ourselves to a high standard of protection at every layer.
1. Encryption
1.1 Data in Transit
All communication with Waypath is encrypted using TLS 1.3. This applies to:
- Dashboard and website traffic (HTTPS)
- REST API requests and responses
- WebSocket connections for real-time graph updates
- All communication with third-party integrations
We enforce HSTS (HTTP Strict Transport Security) headers and do not support legacy TLS versions (1.0, 1.1).
1.2 Data at Rest
All stored data is encrypted using AES-256 encryption. This includes:
- Graph data and workspace stores
- User credentials (passwords are salted and hashed with bcrypt)
- Integration credentials and OAuth tokens
- Database backups
2. Authentication and Access Control
2.1 User Authentication
Waypath uses JSON Web Tokens (JWT) for session management:
- Tokens are signed with a secure secret and expire after 7 days
- Tokens are transmitted only over encrypted connections
- Session tokens are stored in the browser's localStorage and are never included in URLs
- Failed login attempts are rate-limited to prevent brute-force attacks
2.2 API Key Security
Programmatic access to the Waypath API uses dedicated API keys:
- API keys use the
dsk_ prefix for easy identification and rotation
- Keys are displayed only once at creation time; stored values are hashed
- Each key is scoped to a specific workspace
- Keys can be revoked instantly through the dashboard or API
- Destructive graph operations (e.g., Cypher write queries) are blocked for API key authentication
2.3 OAuth Integrations
When you connect third-party platforms (HubSpot, Salesforce, Stripe, etc.), Waypath uses OAuth 2.0 for authorization:
- We never see or store your third-party passwords
- OAuth tokens are managed through our secure integration partner and encrypted at rest
- We request only the minimum permissions (scopes) necessary for each integration
- You can revoke access to any integration at any time from the Waypath dashboard or from the third-party platform directly
3. Infrastructure Security
- Application servers run in isolated environments with restricted network access
- Workspace data is isolated per-tenant; each workspace operates on its own data store
- Dependencies are continuously monitored for known vulnerabilities
- Server access is restricted to authorized personnel with multi-factor authentication
- All infrastructure access is logged and auditable
4. Application Security
- Input validation and parameterized queries to prevent injection attacks
- Cypher query sanitization to block destructive operations from untrusted sources
- Content Security Policy (CSP) headers to mitigate cross-site scripting (XSS)
- CORS restrictions to prevent unauthorized cross-origin requests
- Regular code reviews and automated static analysis
5. Compliance
SOC 2 Type II
IN PROGRESS
We are actively pursuing SOC 2 Type II certification. Our security controls are designed to meet the Trust Services Criteria for Security, Availability, and Confidentiality. Contact us for a current status update or to request our security questionnaire.
For more details on our compliance posture, visit our Compliance page.
6. Vulnerability Disclosure Program
We value the work of independent security researchers and welcome responsible disclosure of vulnerabilities.
6.1 Reporting a Vulnerability
If you discover a security vulnerability in Waypath, please report it to:
6.2 Disclosure Guidelines
- Provide a detailed description of the vulnerability, including steps to reproduce
- Allow us reasonable time (90 days) to investigate and remediate before public disclosure
- Do not access, modify, or delete data belonging to other users
- Do not perform denial-of-service attacks or social engineering against our team
6.3 Our Commitment
- We will acknowledge receipt of your report within 2 business days
- We will provide an initial assessment within 5 business days
- We will not pursue legal action against researchers who follow these guidelines
- We will credit researchers (with permission) in our security advisories
7. Incident Response
In the event of a security incident:
- Our incident response team is activated immediately upon detection
- Affected users will be notified within 72 hours of confirmed data breaches, as required by GDPR and other applicable regulations
- We conduct post-incident reviews and publish root cause analyses for significant events
- Remediation steps are implemented and verified before the incident is considered resolved
8. Security Contact