Security

Security at EchoWave

Your videos, audio, and personal data are encrypted in transit, hosted on certified cloud infrastructure, and handled under GDPR and CCPA. This page explains how that works in practice.

  • TLS encryption in transit
  • Passwords hashed with scrypt
  • Two-factor authentication
  • GDPR & CCPA aligned
  • Responsible disclosure policy

Trusted infrastructure

Built on platforms you already trust

Payments, identity, hosting, and storage all run on independently audited platforms that protect millions of businesses. We would rather rely on their security teams than improvise our own.

Stripe

Payment processing

Every payment is processed by Stripe, a PCI DSS Level 1 certified provider. That is the highest level of payment security certification. Your card details go straight to Stripe and never touch EchoWave’s servers.

PCI DSS Level 1

Google Cloud

Application & database hosting

Our application and databases run on Google Cloud, where data is encrypted at rest by default on infrastructure independently certified against standards like ISO 27001 and SOC 2.

ISO 27001 · SOC 2 infrastructure

Firebase Authentication

Sign-in & identity

Accounts are secured by Firebase Authentication, Google’s identity platform. Passwords are hashed with a hardened scrypt algorithm and never stored in plain text. Two-factor authentication is supported.

Google identity platform

Cloudflare

Edge network & DDoS protection

Traffic to echowave.io flows through Cloudflare’s global edge network, adding TLS encryption, a web application firewall, and always-on DDoS mitigation in front of every request.

Global edge security

Backblaze B2

Media storage

Your uploaded media is stored in Backblaze B2 cloud storage, engineered for 99.999999999% (eleven nines) data durability, so your source files stay safe and recoverable.

Eleven-nines durability

Certifications shown belong to the named providers and describe the platforms EchoWave is built on.

Our practices

How we protect your account and content

Encryption in transit

Every connection between your device and our servers is encrypted with TLS, so your projects and media are protected on the way in and on the way out.

Account security

Two-factor authentication is supported on all accounts, and single sign-on (SSO) is available for teams on request. Passwords are only ever stored as scrypt hashes.

Least-privilege access

Access to production data is restricted by role. The product has admin, editor, and viewer roles, and internal staff access is limited to authorised personnel.

Monitoring & audits

We run regular security audits and automated scanning across our deployments, dependencies, and binaries, with alerts the moment a new vulnerability is disclosed.

Incident response

We monitor for suspicious activity and maintain a tested incident-response and data-recovery plan. If a breach ever affects you, we will notify you and the relevant authorities promptly.

Continuous updates & training

Our software and infrastructure are patched regularly, and every team member receives ongoing security training on current threats and best practices.

Compliant by design

You stay in control of your data. You can view, export, and delete it yourself from the account page in the app.

GDPR

We process personal data in line with the EU General Data Protection Regulation. You can export or delete your data yourself, any time, from your account page in the app.

CCPA

We honour the privacy rights of California residents under the California Consumer Privacy Act.

security.txt

We publish a signed RFC 9116 security.txt with a public PGP key, so researchers always know how to reach us.

Responsible disclosure

Found a vulnerability? Tell us.

We welcome reports from security researchers. Our security.txt includes a PGP key for encrypted reports, and verified reporters are eligible for recognition in our hall of fame.

EchoWave is operated by Lemon Vault LLC, registered in the United States. We aim to respond to security reports within 24 business hours.

EchoWave Security FAQ

How is my data protected while using EchoWave.io?

Your data is encrypted in transit with TLS, and our hosting providers encrypt stored data at rest. Access is restricted by role, and we run regular security audits with automated vulnerability scanning across our deployments and dependencies. You stay in control: managing and deleting your data is self-service from your account page.

Where is my data stored?

EchoWave runs on Google Cloud Platform, and uploaded media is stored in Backblaze B2 cloud storage. Both platforms encrypt data at rest and operate independently audited, certified data centres.

Is my payment information safe?

Yes. All payments are processed by Stripe, a PCI DSS Level 1 certified payment provider. That is the highest level of payment security certification. Your card details are sent directly to Stripe and are never stored on EchoWave's servers.

How can users improve the security of their EchoWave.io accounts?

Enable two-factor authentication (2FA), use a strong, unique password generated by a password manager, and keep the email account attached to your EchoWave account secure.

Can I delete my data?

Yes. You can delete projects and media inside the editor whenever you like, and you can delete your whole account with all its personal data yourself from your account page. For GDPR and CCPA data export requests, email hello@echowave.io.

How can I report a security vulnerability or issue?

Check our security.txt file, which includes our contact address and a PGP key for encrypted reports. Our team reviews every report promptly, and verified reporters are eligible for recognition in our hall of fame.

What should I do if I suspect a security issue with my account?

Contact our support team immediately at hello@echowave.io. We will investigate, secure your account, and walk you through any steps needed. We aim to respond within 24 business hours.
