Security & Trust

Built for systems thatcan't afford to be wrong

WaveForm feeds autonomous robots. A bad map isn't a glitch — it's a safety event. Every layer of the platform is designed so that what a robot consumes is provably what you signed off on.

How we protect your data

Defense in depth, from the capture device to the robot in the field.

🔏

Cryptographically signed packs

Every nav-pack version is signed with a KMS-backed asymmetric key (Ed25519, ECDSA-P256, or RSA-PSS). The private key never leaves the HSM. Robots verify the signature before trusting a map.

🔁

Continuous re-verification

Signatures aren’t just checked at publish — a scheduled worker re-verifies every active signature on a cadence, flips status to invalid on any drift, and pages on-call.

🧾

Append-only audit log

Every publish, status change, grant, revocation, and token issuance writes an immutable audit row. You can reconstruct exactly which pack version any robot held at any time.

🛡️

Row-level access control

Every resource is scoped to an owning customer. A row-level ACL predicate combines visibility + explicit cross-org grants on every read — no customer sees another’s data by default.

🔐

Encryption everywhere

TLS in transit, KMS-encrypted S3 at rest for layer bytes, Secrets Manager for HMAC + DB credentials. Capture bundles are device-signed before the server will accept them.

🤖

Revocable robot identity

Robots authenticate with per-device tokens carrying a unique jti. A compromised robot is revoked instantly — no fleet-wide key rotation, no downtime.

Compliance roadmap

Where we are, and where we’re headed.

In progress

SOC 2 Type II

Controls implemented; observation window underway. Report available under NDA to enterprise prospects.

Live

Data Processing Agreement

Standard DPA available for customers processing personal or regulated data. See /legal/dpa.

Live

Audit logging + retention

Append-only audit events with permanent retention; true deletion only on documented regulatory request.

Planned

ISO 27001

On the roadmap as enterprise demand warrants. Talk to us about timelines for your procurement.

Reporting a vulnerability

We welcome coordinated disclosure. Email security@waveform.vision with details and reproduction steps. We acknowledge reports within two business days and will keep you updated through remediation.

Evaluating WaveForm for a safety-critical deployment?

We’ll walk your security team through the signing chain, audit model, and data handling end to end.