Compliance attestation
Data residency
Where WAVE stores your data, who can access it, and how long it stays. Region-by-region breakdown of every vendor in the path.
Effective date: 2026-05-01 · Last reviewed: 2026-05-01
Region pinning
Enterprise customers can pin all PII + audit storage to US-only or EU-only regions via the inference_geo account setting. Default is multi-region edge.
At-rest encryption
AES-256 on every storage tier. Supabase + Cloudflare R2 + Vercel KV all encrypt by default. Customer-managed keys available for enterprise.
Right to deletion
GDPR/CCPA deletion requests honored within 30 days. EU AI Act Article 26 audit rows are excluded — they retain for 5 years per Article 26 §4.
Where each data type lives
Every customer datum is stored by exactly one of these vendors. We do not replicate to additional vendors without your written consent.
| Data type | Vendor | Default region | EU pin available |
|---|---|---|---|
| Account + auth | Supabase | us-east-1 | Yes (eu-west-1) |
| Stream metadata | Supabase | us-east-1 | Yes (eu-west-1) |
| Video + VOD | Cloudflare R2 | Multi-region edge | Yes (FRA jurisdiction) |
| Live ingest + delivery | Cloudflare Stream | Edge nearest viewer | No (CDN-by-design) |
| Argus audit + receipts | Supabase | us-east-1 | Yes (eu-west-1) |
| Payments | Stripe | US | No (Stripe-managed) |
| Crypto wallets + KYC | Privy + Bridge | US | No (vendor-managed) |
| AI inference | Anthropic / OpenAI / Ollama (local) | US (API) or local Mac Studio | Yes via Ollama-only mode |
| Application hosting | Vercel | Global edge | Edge-cached, no PII |
| Observability traces | Dash0 + Sentry | EU + US | Yes (Dash0 EU region) |
Retention buckets
Each data class has a defined retention period. After expiry the data is purged automatically by an Inngest cron — no manual sweep.
| Class | Retention | Why |
|---|---|---|
| Active stream metadata | Until deletion | User-controlled |
| VOD recordings | Per plan tier | Free 7d / Launch 30d / Scale 1y / Volume custom |
| Argus audit + Article 26 receipts | 5 years | EU AI Act §4 mandate |
| Payment records | 7 years | SOX + tax compliance |
| Application logs | 90 days | Operational only |
| Marketing analytics | 14 months | GA4 default |
Cross-border data transfer controls
For transfers from the EU/EEA/UK to the US, WAVE relies on Standard Contractual Clauses (SCCs) and the EU-US Data Privacy Framework. Our DPA at /legal/dpa is GDPR Article 28 compliant and signed before any EU customer data is processed.
Enterprise customers can require all storage + processing to remain in their region (EU, US, or UK) — including AI inference via Ollama-only mode. Contact enterprise sales for regional pinning.
What happens when you delete your account
- Account marked deleted (soft) within 1 minute.
- Stream metadata + VOD recordings purged within 24 hours.
- Cloudflare R2 objects purged within 7 days (CDN cache TTL).
- Supabase rows purged within 30 days (GDPR/CCPA deadline).
- Backups age out within 35 days. After day 35, no copy exists.
- Argus + payment records retained per legal mandate (5y / 7y).
Data subject access requests (DSAR)
Email privacy@wave.online with subject “DSAR” and we will respond within 30 days. Requests we honor:
- Export — all data we hold about you, in JSON
- Correct — fix inaccurate fields
- Delete — remove all non-mandated data (see retention)
- Restrict — pause processing while we resolve a dispute
- Portability — JSON export suitable for import to another platform
Related compliance pages
- EU AI Act Article 26: 5-year audit retention, immutable logs, per-agent decision-log export.
- Data Processing Addendum: GDPR Article 28 DPA. Signed before any EU customer data flows.
- Agentic media SLA: Availability, latency, retention guarantees for AI agent flows.
- Privacy Policy: Full GDPR + CCPA disclosure of data we collect and why.
Need a region pin or audit attestation?
Enterprise customers can require regional pinning + custom retention buckets. Procurement can request a signed compliance attestation.