Security & privacy
We go the extra mile on your data
Wavemist handles real, sensitive information — wages, contacts, the last-4, the shows you work. So we built privacy in from the first line of code, not bolted on later. Here's exactly how, and how it stacks up against the way this work is done today.
🛡️ Safer by every measure
How Wavemist compares to how it's done today.
Every kind of data — and how each stays safe
Wavemist holds more than worker records. Quotes, prices, vendors, bids, budgets, documents — each kind of data is protected in the way that fits it.
Your bids, quotes & prices
Locked to your account by row-level security, encrypted in transit and at rest. We never show one company’s prices to another, and we never sell your data.
Vendors & crew you track
The contacts, rates, and notes you save are private to your account — not pooled into something other users can browse.
Documents you upload
Riders, quotes, call sheets — stored privately and locked to your account. AI reads them to pull out the useful details; the providers we use don’t train on your data, and no one else can see your files.
Market benchmarks
When Wavemist shows you a going rate, it’s built from anonymized, aggregated figures — never traceable to a single vendor or quote, and only shown once enough independent sources exist that no individual price can be reverse-engineered. Early or directional numbers are labeled as such. We surface patterns, never anyone’s individual number.
Worker data (Dispatch)
Names, the last-4, wages, and contracts get the strongest treatment: per-person access plus AES-256 field encryption with keys our database never holds. A member can never see another member’s pay, and each union local is sealed off from every other.
Show budgets & carbon
Your estimates, actuals, and footprint stay locked to your account. The numbers that make your shows work are yours alone.
Your account & sign-in
Authentication runs on SOC 2-certified infrastructure; session tokens live in secure, http-only cookies — never in browser storage a script could read.
The controls behind all of it
🔒 Access control
Row-level security on every table from the first line of code — the database itself refuses to hand a record to anyone but its owner and their authorized staff. Each workspace and each hall is sealed off from every other. Least-privilege throughout.
🔐 Encryption
Encrypted in transit (TLS) and at rest. The most sensitive fields — names and the member last-4 — get AES-256 field-level encryption with keys our database never holds, so even raw database access yields ciphertext.
🛡️ Privacy by design
We collect only what the work needs, and we never sell it. When the platform learns, it learns only de-identified patterns — never an individual, and never a group smaller than five. Your numbers stay yours.
🤖 AI data processing
We use AI to read documents so you don’t retype them. The providers we use do not train their models on your data, and we don’t retain the source images. It’s transcription, not surveillance.
📉 Monitoring
Error reporting automatically scrubs names, emails, and IPs before anything is recorded — no personal information lands in a log file. Security-relevant events are captured to a service-role-only audit trail.
🏛️ Built on certified infrastructure
Database & storage (Supabase): SOC 2 Type II, ISO 27001, HIPAA, PCI DSS. Hosting & network (Vercel): SOC 2 Type II, ISO 27001. AI (Anthropic): SOC 2 Type II, ISO 27001 & 42001. These cover the platforms we build on; our controls protect your data on top of them.
Where we're headed
We're built to the SOC 2 standard; our own company-level audit is in progress. Self-serve data export and deletion are on the roadmap. We'd rather tell you what's next than overstate what's done.
Found a security issue? We want to hear it — admin@wavemist.io.