Waveflow handles unreleased audio, client work, and commercial recordings. Here is exactly how your files and data are protected.
Audio files and deliverables are stored on Amazon S3 in the eu-west-2 (London) region — the same infrastructure used by large-scale media companies. Every file is stored under a unique key that includes your organisation ID, so there is no way to access another organisation's files even if you know the filename.
Files are never stored on Waveflow's own servers. When you upload, your browser sends the file directly to S3 via a presigned URL with a short expiry window. Waveflow never touches the file bytes.
Review links and delivery links use cryptographically random tokens generated with Node.js crypto.randomUUID(). These tokens are not guessable or sequential.
When a reviewer opens a link, Waveflow checks that the token exists in the database and has not expired. If either check fails, the page returns a not-found response. There is no way to enumerate or guess valid tokens.
Delivery tokens can be revoked instantly by the project owner. Once revoked, the link stops working immediately.
Passwords are hashed with bcrypt at cost factor 12 before being stored. Waveflow never stores plain-text passwords and cannot recover them — only you know your password.
Sessions are stored in signed, HttpOnly cookies using HS256 JWT with a server-side secret. Cookies are flagged Secure (sent over HTTPS only) and SameSite=Lax (to prevent cross-site request forgery). Sessions expire after 30 days.
Login and signup are rate-limited by IP address to prevent brute-force attacks.
Clients who receive a review link can see and comment on the specific audio version that link was created for. They cannot see other projects in your account, other versions, internal comments, your organisation dashboard, or billing information.
Internal comments (marked as internal) are never shown on the client-facing review page.
Review links can be revoked at any time, after which the link stops working immediately.
All traffic is encrypted in transit via HTTPS with TLS. The application is hosted on Vercel's edge network with automatic SSL certificate management.
The application sets a Content-Security-Policy header to restrict where scripts, styles, media, and connections can originate. Additional headers include X-Frame-Options: DENY (prevents embedding in iframes), X-Content-Type-Options: nosniff, and Referrer-Policy: strict-origin-when-cross-origin.
Payment processing is handled entirely by Stripe's servers. Waveflow never receives or stores card numbers. Stripe webhook events are validated with HMAC signatures before any action is taken.
Questions about security? Email hello@waveflow.studio