Security
Last updated: July 5, 2026
A plain-language summary of how Waverunner protects your account, your money, and your data.
1. Account authentication
- Passwordless sign-in. There are no passwords to leak or reuse. Sign-in uses one-time codes sent to your verified email.
- Two-factor authentication. Optional TOTP 2FA (authenticator apps) with backup codes, enrolled from Settings.
- Sessions use httpOnly cookies bound to a single canonical origin.
2. Payments
All payments run through Stripe. Card numbers never touch Waverunner’s servers; we store only Stripe’s references. Wallet accounting is double-entry and idempotent: a campaign day can never be charged twice, and every movement is visible in your ledger.
3. Data protection
- PII hashing. Emails and IP addresses captured by the tracking tag are hashed with a salt before storage; raw identifiers are never written to the database.
- Tenant isolation. Every piece of data belongs to exactly one organization. Users may belong to several organizations; each request runs in the active organization context, and every query is scoped to it.
- Encryption in transit. All traffic is served over TLS, fronted by Cloudflare.
4. API security
API keys are organization-scoped bearer tokens with enforced rate limits (120 reads/minute, 30 writes/minute, export 5/hour). Keys can be revoked instantly from Settings.
5. Infrastructure
Waverunner runs on Fly.io with Postgres hosted by Neon, Cloudflare for DNS/CDN/DDoS protection, and continuous error monitoring. Deploys are automated from CI, and a failing build never reaches production.
6. Responsible disclosure
Found a vulnerability? Email support@waverunner.adwave.com with details and steps to reproduce. We investigate every report and appreciate coordinated disclosure.