Wavetable

Security model

Security in Wavetable is architectural. The properties below are how the system is built, not settings you have to remember to enable.

Physical isolation per tenant

Each workspace gets its own database, its own coordinating runtime object, its own file storage prefix, and its own vector index namespace. There is no cross-tenant query path in the codebase, and no function accepts a tenant id from a request payload; tenancy comes only from the authenticated context.

Erasure by crypto-shredding

Event payloads and message bodies are envelope-encrypted with per-subject data keys. When you erase a person (your right under GDPR and similar laws), Wavetable shreds their keys, redacts their claims, and rebuilds projections. The append-only log stays append-only for audit integrity, while the erased data becomes permanently unreadable. See the privacy policy for the rights process.

Agents are structurally bounded

The edge agent and external MCP agents run with hard limits that live in the runtime, not in prompts:

  • read-only queries, row-limited and policy-scoped,
  • no external sends, ever, without a capability minted by an approved policy,
  • no claim acceptance, no projection writes: agents propose, humans approve,
  • per-seat daily budgets on tokens and tool calls.

Connector-derived content (emails, page content) is wrapped as untrusted data before any model sees it. A malicious email cannot instruct your agent; it is treated as material to analyze, never a message to obey.

Audit by construction

Approvals, policy changes, agent tool calls, MCP access, sends: each is an event in the same append-only log as everything else. The audit trail is not a separate product with gaps; it is the substrate.

Secrets

Connector credentials live in the platform secret store with per-tenant encryption. They are never stored in the tenant database and never appear in logs or model prompts.

Posture

Wavetable is designed against SOC 2 control objectives (access logging, change management through approvable artifacts) but is not yet SOC 2 certified. We say so plainly, and the security page has the current status and our responsible disclosure process.