Built for systems thatcan't afford to be wrong
WaveForm feeds autonomous robots. A bad map isn't a glitch โ it's a safety event. Every layer of the platform is designed so that what a robot consumes is provably what you signed off on.
How we protect your data
Defense in depth, from the capture device to the robot in the field.
Cryptographically signed packs
Every nav-pack version is signed with a KMS-backed asymmetric key (Ed25519, ECDSA-P256, or RSA-PSS). The private key never leaves the HSM. Robots verify the signature before trusting a map.
Continuous re-verification
Signatures arenโt just checked at publish โ a scheduled worker re-verifies every active signature on a cadence, flips status to invalid on any drift, and pages on-call.
Append-only audit log
Every publish, status change, grant, revocation, and token issuance writes an immutable audit row. You can reconstruct exactly which pack version any robot held at any time.
Row-level access control
Every resource is scoped to an owning customer. A row-level ACL predicate combines visibility + explicit cross-org grants on every read โ no customer sees anotherโs data by default.
Encryption everywhere
TLS in transit, KMS-encrypted S3 at rest for layer bytes, Secrets Manager for HMAC + DB credentials. Capture bundles are device-signed before the server will accept them.
Revocable robot identity
Robots authenticate with per-device tokens carrying a unique jti. A compromised robot is revoked instantly โ no fleet-wide key rotation, no downtime.
Compliance roadmap
Where we are, and where weโre headed.
SOC 2 Type II
Controls implemented; observation window underway. Report available under NDA to enterprise prospects.
Data Processing Agreement
Standard DPA available for customers processing personal or regulated data. See /legal/dpa.
Audit logging + retention
Append-only audit events with permanent retention; true deletion only on documented regulatory request.
ISO 27001
On the roadmap as enterprise demand warrants. Talk to us about timelines for your procurement.
Reporting a vulnerability
We welcome coordinated disclosure. Email security@waveform.vision with details and reproduction steps. We acknowledge reports within two business days and will keep you updated through remediation.
Evaluating WaveForm for a safety-critical deployment?
Weโll walk your security team through the signing chain, audit model, and data handling end to end.