In-transit and at-rest encryption
All traffic to and from waxTable is encrypted via TLS 1.2+. Data at rest is encrypted with AES-256 across databases, object storage, and backups.
Tenant isolation
Every workspace is isolated via row-level security predicates enforced in PostgreSQL. Membership is checked at every read and write; cross-workspace access is impossible by design.
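An added illustration of how a workspace-membership predicate can be enforced on both reads and writes with a PostgreSQL row-level security policy. It is not waxTable's schema or code; the table names, the `is_member` helper, and the `app.user_id` setting are assumptions.

```sql
-- Hypothetical schema (names are assumptions, not waxTable's).
CREATE TABLE workspace_members (
    workspace_id uuid NOT NULL,
    user_id      uuid NOT NULL,
    PRIMARY KEY (workspace_id, user_id)
);

CREATE TABLE records (
    id           uuid PRIMARY KEY,
    workspace_id uuid NOT NULL,
    body         text NOT NULL
);

-- Membership test for the current request. The application is assumed to set
-- app.user_id per transaction; an unset or empty value yields NULL, so the
-- predicate matches no rows and access fails closed.
CREATE FUNCTION is_member(ws uuid) RETURNS boolean
LANGUAGE sql STABLE AS $$
    SELECT EXISTS (
        SELECT 1
        FROM workspace_members m
        WHERE m.workspace_id = ws
          AND m.user_id = NULLIF(current_setting('app.user_id', true), '')::uuid
    );
$$;

-- ENABLE turns policies on; FORCE applies them to the table owner as well.
-- Superusers and roles with BYPASSRLS still skip them, so the application
-- must connect as an ordinary role.
ALTER TABLE records ENABLE ROW LEVEL SECURITY;
ALTER TABLE records FORCE ROW LEVEL SECURITY;

-- USING filters the rows visible to SELECT/UPDATE/DELETE (reads);
-- WITH CHECK rejects INSERT/UPDATE rows that would land in a workspace
-- the caller does not belong to (writes).
CREATE POLICY workspace_isolation ON records
    FOR ALL
    USING (is_member(workspace_id))
    WITH CHECK (is_member(workspace_id));

-- Per request, with a constructed user id; the third argument makes the
-- setting local to this transaction so it cannot leak across pooled sessions.
BEGIN;
SELECT set_config('app.user_id', '00000000-0000-0000-0000-000000000001', true);
SELECT id FROM records;   -- filtered by workspace_isolation
COMMIT;
```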
Authentication and authorization
- OAuth via Google and Microsoft, plus email magic-link and password fallbacks.
- MFA required for Owner and Admin roles on Business and Enterprise plans (FR-009a).
- Session lifetime, IP-pinning, and device-trust controls available on Business+ plans.
Penetration testing
Annual third-party penetration testing on Business and Enterprise plans (NFR-038). Reports available under NDA for prospective Enterprise customers.
Reporting a vulnerability
Email security@waxtable.com. We acknowledge within 24 hours and aim to triage within 72.