Pre-Launch · Filing seed · Series A — Q4 2026

Trust center · 2026 baseline

Diligence-grade evidence, not marketing claims.

A trust center exists to give institutional counterparties — operators, clearing members, custody providers, auditors, regulators — the evidence they need to accept Wavestar as a vendor. This page describes our control posture, our third-party assurance roadmap, and the documents available under NDA.

Standards: AICPA SSAE 18 · ISO/IEC 27001
Next audit: SOC 2 Type II · Q3 2027
Pen-test cadence: Semi-annual · external
Contact: trust@wavestar.space

Program state · 2026

Where the program sits today.

Wavestar's first production systems launch in 2027. The control program is ahead of the product — the SOC 2 scope is written, the ISO 27001 Statement of Applicability is drafted, and the penetration-testing cadence is running against pre-production environments. Third-party assurance reports land alongside first-revenue systems.
SOC 2 Type II target
Q3 2027

Full Trust-Services-Criteria audit, 6-month observation window opens Q1 2027.

ISO/IEC 27001 target
2028

ISMS certification. Stage 1 audit Q2 2028, Stage 2 audit Q3 2028.

Penetration tests · annually

Semi-annual external tests plus quarterly internal red-team exercises.

Critical controls

Control inventory under the 2017 Trust Services Criteria, mapped to ISO 27001 Annex A.

Assurance roadmap

The third-party assurance calendar.

  1. Q1 2027 · Planned

    SOC 2 Type II observation window opens

    The six-month observation period for the first SOC 2 Type II report begins. Evidence captured continuously via the controls-monitoring platform. Independent CPA firm (AICPA PCAOB-registered) engaged Q4 2026.
  2. Q3 2027 · Planned

    SOC 2 Type II report issued

    First Type II report covering the five Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy. Report made available to counterparties under NDA.
  3. Q1 2028 · Planned

    SOC 2 Type II · year-two observation opens

    Annual re-observation begins. Scope expanded to cover production ORCH, Terminal, Market, and Attest modules.
  4. Q3 2028 · Planned

    ISO/IEC 27001 certification

    Stage 2 audit complete. Certificate issued by an accredited registrar. ISMS operating across the enterprise.
  5. Q2 2029 · Planned

    ISO/IEC 27017 and 27018 alignment

    Cloud-security and cloud-privacy extensions to the ISMS. PCI DSS scoping review for any card-payment surfaces.

Penetration testing

Tested adversarially. Twice a year.

  • 01

    External penetration test

    Semi-annual, conducted by an independent security firm with CREST- or OSCP-credentialed testers. Scope includes externally exposed services, authenticated application flows, and supply-chain surfaces.
  • 02

    Internal red team

    Quarterly internal exercises targeting credential theft paths, identity abuses, and assumed-breach scenarios. Executive tabletop every six months to test incident response.
  • 03

    Bug bounty · private

    A private bug bounty program is running in 2026 with a curated set of testers. Public expansion tracks the SOC 2 Type II milestone.
  • 04

    Cryptography review

    Annual independent review of cryptographic primitives, key management, and BLS/Ed25519/Dilithium3 parameter choices by a specialised firm. Findings feed the cryptography ADR set.
  • 05

    Dependency scanning

    Continuous pnpm audit, cargo audit, pip-audit, and govulncheck across every workspace. HIGH or CRITICAL blocks merge. License policy enforced in CI.
  • 06

    Secure development lifecycle

    Threat modelling at design time, security review on every change that touches identity or crypto, pre-commit secret-scanning, and mandatory CODEOWNER review on security-sensitive paths.

Documents available

What's in the trust-center packet.

Trust packet · under NDA

SIG Lite questionnaire
Shared Assessments SIG Lite, version 2025 · refreshed annually

The standard industry vendor questionnaire; our completed version is available to counterparties under NDA.

CAIQ v4 response
Cloud Security Alliance Consensus Assessments Initiative Questionnaire v4

Aligned with the Cloud Controls Matrix (CCM) v4.0.

SOC 2 Type II report
Available post Q3 2027

SSAE 18-compliant; issued by an independent CPA firm.

Pen-test summary
Executive summary of the most recent external test

Full report available to regulators and certain counterparties on request.

BCP / DR plan summary
Business continuity plan and disaster recovery objectives (RTO / RPO)

Exercised annually with documented results.

Data Processing Addendum
GDPR- and UK-DPA-compliant DPA template

Includes Standard Contractual Clauses for international transfers.

Information security policy
Board-approved information security policy set

Covers access control, change management, incident response, cryptography, and supplier security.

Subprocessors list
Current subprocessors with category, jurisdiction, and transfer mechanism

Also published at /legal/subprocessors.

Common questions

What counterparty diligence teams ask.

Request the packet

Start a vendor-diligence engagement.

The trust-center packet is made available to prospective clearing members, institutional counterparties, regulatory reviewers, and auditors under NDA. Typical turnaround inside two business days.