Security & Compliance
Built for regulated industries.
HIPAA. PCI-DSS. TCPA. HMAC webhooks. Audit trails. Compliance isn't a feature — it's the architecture.
HIPAA BAA
Available
PCI-DSS
Scoped
TCPA
Automated
SOC 2
In progress
AES-256
Audio storage
Compliance Coverage
Regulated industries. Enforced at the infrastructure layer.
HIPAA BAA
Platform & Enterprise- Business Associate Agreement available on Platform and Enterprise plans
- All call audio stored in Backblaze B2 with AES-256 encryption
- PHI redacted from voicemail extractions before storage
- Access logs retained 7 years
PCI-DSS Scope Reduction
All Plans- Card numbers are never spoken into call transcripts
- Extraction layer masks PANs before storage
- Reduces your PCI scope for phone-based payment flows
- No cardholder data environment (CDE) on WFW infrastructure
TCPA Automation
All Plans- Automated calling restricted to 8am–9pm local time for the recipient
- TCPA compliance rules enforced at the Tool Gateway layer
- Bots cannot override calling-hours restrictions
- Do-not-call list scrubbing before any outbound campaign
HMAC-Signed Webhooks
All Plans- Every outbound webhook signed with HMAC-SHA256
- Timestamp included in every signature to prevent replay attacks
- 5-minute timestamp window — older requests rejected automatically
- Your systems verify signatures before processing any payload
SOC 2 Roadmap
In Progress- SOC 2 Type II audit in progress — expected Q3 2025
- Role-based access controls implemented and auditable
- Audit logging enabled for all privileged operations
- Encryption at rest and in transit across all services
Fair Housing Compliance
Real Estate Vertical- Prohibited phrases filtered at the Tool Gateway
- Agents cannot make statements that violate Fair Housing Act guidelines
- Steering language detection built into the extraction layer
- Audit log of filtered phrases available for compliance review
Legal Vertical
For Legal Teams
ABA Model Rules of Professional Conduct are enforced at the infrastructure layer — not left to individual agent prompts.
What WFW Enforces Automatically
- ✓No unauthorized practice of law — agents cannot provide specific legal advice
- ✓Mandatory attorney disclosure on first interaction
- ✓Conflict screening before any case discussion begins
- ✓Privilege warning before intake questions are asked
What You Configure
- Jurisdiction-specific rules and disclosures
- Practice area intake form questions
- Referral workflows for out-of-scope cases
- Fee structure and consultation scheduling
Data Architecture
Where your data lives — and who can see it.
Every data store is scoped to your client ID. Row-level multi-tenancy is enforced in every query — there is no code path that returns another tenant's data.
| Store | Contains | Security Properties |
|---|---|---|
PostgreSQL (Neon) Relational DB | Agent configs, call metadata, extraction results | Encrypted at rest, EU or US region, row-level tenant isolation |
Backblaze B2 Object Storage | Call audio files | HIPAA-eligible, AES-256 encryption, no third-party access, signed URL only |
Upstash Vector Vector DB | Knowledge base embeddings | No raw text stored — vectors only, scoped to clientId |
Redis (Upstash) Event Bus / Cache | Event bus, idempotency keys, rate limits | Ephemeral — 24h max key retention, no PII stored |
Row-level multi-tenancy
Every database row is scoped to clientId. No cross-tenant data leakage is possible — isolation is enforced at the query layer, not the application layer.
Auth Architecture
Zero-cookie, zero-CSRF bot surface.
The human dashboard and the bot API use entirely separate authentication models. There is no shared session state between the two surfaces.
Human Surface
- JWT session cookies (NextAuth) — secure, httpOnly
- 24-hour expiry with automatic rotation
- CSRF protection via SameSite=Strict cookie policy
- OAuth 2.0 social login (Google, GitHub) available
- MFA support via TOTP authenticator apps
Bot Surface
- Bearer tokens only — no cookies, no CSRF surface
- Scoped API keys — agents:read, agents:write, calls:read
- OAuth 2.1 client credentials flow
- Token binding to clientId — no cross-tenant token reuse
- API keys stored as bcrypt hashes — WFW staff cannot read your keys
Audit Trail
Every action. Every actor. Traced.
Every API call is logged with actor identity, timestamp, IP, user agent, and response status. Every automated action is traceable to the human-approved policy that authorized it.
“Why did my bot do that?” — one click in the dashboard shows you the policy that triggered the action, the call that caused it, and the exact response returned.
- ✓API audit log — every bot call with full context
- ✓Policy execution log — every automated action traced to its policy
- ✓Human action log — every dashboard interaction
- ✓Log retention: 90 days default, 7 years with HIPAA BAA
Audit Log — Recent Events
sa_bot_acme
POST /v2/agents
201 Created
2m ago
Policy: recall_reminder
wfw_send_confirmation_sms
Executed
4m ago
user@practice.com
Updated system prompt v4
Approved
12m ago
sa_bot_acme
GET /v2/calls?agent_id=...
200 OK
18m ago
Request the Security Package
Get the completed security questionnaire, DPA, HIPAA BAA, and subprocessor list in one email.
Questions about our compliance posture? Email security@workforcewave.com