Security

May 9, 2026

QAWave takes the security of your code and data seriously. Here's how we protect them.

Infrastructure Security

All services are hosted in the EU (Frankfurt, Germany) on Vercel and Supabase infrastructure. Data is encrypted in transit (TLS 1.3) and at rest (AES-256). Our infrastructure providers maintain SOC 2 Type II certification.

Access Controls

Customer code access is scoped to the minimum required for service delivery. Access credentials are rotated regularly. All access is logged and auditable. Team members use hardware security keys for authentication.

Agent Security

QAWave agents operate within your CI/CD environment — they don't copy your code to external systems. Agent outputs (generated tests, fix proposals) are committed directly to your repository via standard Git workflows.

Every agent action is logged with a full audit trail: what was read, what was generated, what was proposed. This log is available to customers.

Compliance

GDPR compliant from day one — EU-hosted data, DPA available on request. SOC 2 Type I certification in progress (target Q3 2026). EU AI Act transparency requirements met. Compliance documentation available to prospective customers under NDA.

Vulnerability Disclosure

If you discover a security vulnerability in QAWave's systems, please report it to security@qawave.ai. We commit to acknowledging reports within 24 hours and providing updates on remediation progress.