Privacy-first architecture
WaverSec Protect is designed to minimize retained message data. Policy and DLP engines run on-device, ML/NLP scanners can run in your environment, and optional cloud AI is reserved for deeper analysis when customers enable it.
Search section titles and key privacy topics, then jump straight to the relevant part of the page.
Not like traditional solutions
Traditional email security often depends on broad inbox access or mail-flow changes. WaverSec Protect is designed to minimize retained message data and avoid that deployment pattern.
WaverSec Protect
- On-device + on-prem processing
- No inbox replication required
- No historic inbox training set required
- No mail-flow interception
- Core records exclude message bodies and files
Traditional DLP
- Cloud processing
- Full inbox replication
- Months of email history
- Complex mail flow changes
- Continuous data collection
Four layers, local-first
Our detection architecture prioritizes privacy boundaries. Two layers run on-device, one can run in your environment, and the advanced AI layer is optional and customer-controlled.
Policy Engine
47 policies
Fully on-device. Keeps core recipient and policy logic close to the sender.
DLP Engine
46+ detectors
Fully on-device. Handles structured content checks without creating retained message records.
ML/NLP Scanners
4 scanners
Can run in the customer environment for deeper contextual analysis.
AI/LLM Models
5 models
Optional cloud analysis under customer control for harder edge cases.
What we don't keep
Stored email bodies
Message content is not kept as an application record
Stored recipient lists
Recipient fields are not retained in service databases as part of normal operation
Stored attachment files
Attachment files are not kept in application databases
Inbox history replication
No mailbox copy or historical inbox mirror is required
Mail-flow copies
No SMTP relay archive is required for the current product design
Address book imports
The product does not require syncing an address book to operate
Ad-tech profiling
No cross-context behavioral advertising profile is built from product data
Training inbox datasets
The service does not require months of historic inbox data to start working
What we do store
WaverSec Protect still retains a limited set of operational data needed to run the service and manage customer environments.
Account and admin data
Authentication and account records can include names, email addresses, usernames, avatars, and internal account identifiers.
Organization configuration
We retain customer-administered settings such as organization names, internal domains, policies, allow lists, deny lists, segments, and related configuration.
Usage and billing records
We retain usage, seat, request, subscription, and payment reference data needed for quotas, support, analytics, and billing operations.
Cloud AI/LLM models add advanced context
When deeper context understanding is needed, optional cloud AI/LLM models can add analysis under customer control. They are separate from the core local processing layers.
Admin-enabled
Admins choose whether advanced AI/LLM analysis is available at all
Customer-controlled
Each organization decides how optional intelligence features fit its own governance model
Minimal context
Only the context needed for the requested analysis should be sent
Separate from core controls
Core protection still exists without enabling optional cloud intelligence
Usage metering retained
Operational usage counts and token metrics can still be stored even when message content is not
Provider terms still matter
Customers should review the AI provider and contractual terms that apply to their chosen deployment
GDPR Compliance
- Built in the EU (Estonia - Latent Labs OÜ)
- GDPR-native architecture from day one
- Data minimization by design
- No retained message bodies or attachment files in service databases
- No inbox replication
Security Measures
- TLS for supported API communications
- API key rotation controls
- Rate limiting and abuse protection
- Data minimization in product design
Privacy Questions
Common questions about data handling and privacy.
Is my email data sent to WaverSec servers?
Core policy and DLP checks run on-device. Additional scanners can run in the customer environment, and optional cloud AI can be enabled for deeper analysis. WaverSec Protect is designed so message bodies, recipient lists, and attachment files are not retained in its application databases as normal service records.
Do you store attachments?
WaverSec Protect is designed not to keep attachment files in its application databases as part of normal operation. The service still stores operational data such as accounts, configuration, usage records, and billing references.
Where is data processed?
Policy and DLP engines run locally on the device. Additional scanners can run in the customer environment. Optional cloud AI features are separate and customer-controlled. Operational account, config, usage, and billing data are retained to run the service.
Is advanced AI an additional layer?
Yes. Cloud AI/LLM models are an optional additional layer under admin control. On-device policies and DLP detectors, combined with customer-side scanners, can still provide strong protection without that layer.
Is telemetry optional?
Landing-site analytics are presented through a consent banner where required. Optional product analytics in the admin dashboard and Outlook add-in are disabled by default and can be managed by an organization administrator through the admin dashboard's Optional product analytics setting. The Outlook add-in follows that organization setting. Operational usage and security records needed to run WaverSec Protect are still collected regardless.
Can I delete all my data?
Deleting your organization removes the associated configuration, usage records, and subscription links in the current service design. Account deletion removes the linked admin account as well. Some records can still be retained longer if needed for legal, tax, or security reasons.
Ready to prevent accidental email data leaks?
Secure outbound email in minutes. Start your free trial.