How Wayfound Protects Your Family's Data
Last updated: April 24, 2026
You're trusting Wayfound with your child's most sensitive information — their diagnosis, medical records, therapy details, and service authorizations. We take that trust seriously. Here's exactly how we protect it.
1. Data Isolation
Your family's data is completely isolated from every other family. When you upload your child's IEP, no other parent can see it — not through search, not through the AI navigator, not through any system query. This is enforced at the database level with row-level security policies, not just application code. Even if our application had a bug, the database itself would block unauthorized access.
2. Encryption
Everything is encrypted:
- In transit: All data between your browser and our servers is encrypted with TLS 1.2+ (the same standard your bank uses).
- At rest: Your documents, profile, and conversation history are encrypted on our database servers and file storage.
- AI processing: When we send your document to our AI for analysis, that transmission is also encrypted. Your data is not used to train AI models.
3. Access Logging
Every time someone accesses your family's documents — including our own team — it's logged. We record what was accessed, when, and by whom. If you ever want to know who has seen your child's records, we can tell you.
4. What We Don't Do
- We don't sell your data. Ever. To anyone.
- We don't use your family's information to train AI models.
- We don't share your data with government agencies, schools, or service providers unless you explicitly ask us to (like generating an email to your child's school).
- We don't store your data longer than you want. Delete your account and everything goes — database records, uploaded files, AI-generated analysis, and search index entries.
- We don't track you with third-party analytics cookies.
- We don't ask about immigration status for security purposes. Our immigration-aware features exist to help you, not to report you.
5. Authentication
Your account is protected by Clerk, an enterprise-grade authentication provider. Features include:
- Secure password hashing (your password is never stored in plain text)
- Session management with automatic expiration
- Rate limiting on login attempts to prevent brute force attacks
6. Infrastructure
Wayfound runs on infrastructure trusted by thousands of companies:
- Database: Supabase (PostgreSQL with encryption at rest, SOC 2 Type II compliant)
- Hosting: Vercel (SOC 2 Type II compliant, HTTPS-only)
- Authentication: Clerk (SOC 2 Type II compliant)
- AI: Anthropic (your data is not used for model training)
- Search: Pinecone (SOC 2 Type II compliant, encrypted at rest)
- Email: Resend (encrypted transmission)
All vendors are US-based with data stored in US regions.
7. Application Security
Our application is hardened against common attacks:
- Input validation on every form and API endpoint
- Protection against cross-site scripting (XSS), cross-site request forgery (CSRF), and injection attacks
- Security headers enforced on every response
- Bot protection to prevent automated abuse
- Rate limiting to prevent API abuse
- AI prompt injection defenses to prevent manipulation of our knowledge system
8. What We're Working Toward
We're actively pursuing HIPAA compliance. Our technical infrastructure meets HIPAA security requirements. We're in the process of completing the organizational and vendor agreement requirements. We'll update this page when that process is complete.
Built by parents, for parents. We have a child with autism. Every security decision we make, we ask ourselves: “Would we trust this with our own son's records?” If the answer is no, we don't ship it.