Security & Privacy

Your recordings belong to you. Period.

Wave is SOC 2 Type 1 compliant. Recordings, transcripts, and summaries are encrypted in transit and at rest, never used to train AI models, and can be permanently deleted at any time. Below is exactly how Wave handles your data — and what we will and won’t do with it.

Compliance: SOC 2 Type 1
Encryption in transit: TLS 1.2+
Encryption at rest: AES-256
Infrastructure: Google Cloud (Firebase / Firestore)
AI training on your data: Never
Data ownership: 100% yours

SOC 2 Type 1 compliant

An independent auditor evaluated Wave against the AICPA’s Trust Services Criteria — security, availability, processing integrity, confidentiality, and privacy. Our SOC 2 report is available under NDA on request to support@wave.co. Read more about what the audit covered in our SOC 2 announcement.

We do not train AI on your data

Your audio, transcripts, and summaries are not used to train speech-recognition or summarization models — and we do not authorize the third-party processors Wave relies on to use your content for training either. This applies on every plan, including the free tier.

Encryption and infrastructure

Recordings and transcripts are encrypted in transit with TLS 1.2+ and at rest with AES-256. Customer data lives in Google Cloud’s Firestore, inside Google’s data centers, under their physical, network, and operational controls. Authentication is industry-standard, with rate limits and audit logging on sensitive actions.

You own and control your data

Every recording, transcript, and summary belongs to you. You can delete individual recordings at any time, or permanently delete your entire account and all data from Settings. Deleted data is removed from active systems and purged from backups on our standard retention cycle. Read the full privacy policy.

What Wave is not for

Wave is not HIPAA compliant and is not designed for protected health information. Do not use Wave to record patient appointments or other HIPAA-regulated content. Recording laws vary by jurisdiction — see our guide to meeting recording laws before recording in regulated contexts.

Reporting a security issue

Email security@wave.co with details. We aim to acknowledge reports within one business day and follow coordinated disclosure on legitimate findings.

Frequently asked

Is Wave SOC 2 compliant?

Yes. Wave is SOC 2 Type 1 compliant. An independent auditor evaluated Wave's security, availability, processing integrity, confidentiality, and privacy controls against the AICPA's Trust Services Criteria.

Does Wave train AI models on my recordings or transcripts?

No. Wave does not use your recordings, transcripts, or summaries to train AI models — on any plan, including the free tier. Your audio and content are not shared with third parties for training.

How is my data encrypted?

Recordings, transcripts, and summaries are encrypted in transit with TLS 1.2+ and at rest with AES-256 inside Google Cloud's Firestore. Authentication is industry-standard with rate limits and audit logging on sensitive actions.

Where is my data stored?

Customer data — recordings, transcripts, summaries — is stored in Google Cloud (Firebase / Firestore), inside Google's data centers, under their physical, network, and operational security controls.

Who can see my recordings?

Only you, and anyone you explicitly share a recording with. Wave employees do not access customer recordings except in narrow, audit-logged cases required for support — and only with your explicit consent.

Can I permanently delete my recordings and account?

Yes. You can delete individual recordings from inside any Wave app, and you can permanently delete your entire account and all associated data from Settings. Deleted data is removed from active systems and purged from backups on the standard backup retention cycle.

Does Wave support team or enterprise security controls?

Wave for Teams includes centralized billing and an admin dashboard. For enterprise security needs (SSO, custom retention, custom DPAs), contact support@wave.co.

Is Wave HIPAA compliant?

No. Wave is not HIPAA compliant and is not designed for protected health information. Do not use Wave to record patient appointments or any conversation that would create a HIPAA-protected record. Wave is intended for general-purpose business and personal recording.

Can I get a copy of Wave's SOC 2 report or sign a DPA?

Yes. Email support@wave.co with your company details and we will send our SOC 2 report under NDA, and a Data Processing Agreement on request.

How do I report a security issue?

Email security@wave.co with details. We aim to acknowledge reports within one business day and follow coordinated disclosure on legitimate findings.
