Trust & security

Security for wafer data in transit and at rest.

Wafertune is a hosted cloud SaaS. Wafer map data is sensitive IP. Here's how we protect it.

Security controls

TLS 1.3 in transit

All API traffic requires TLS 1.3 at minimum. Connections attempting older protocol versions are refused. Certificate pinning is available for Production tier customers who require it.

Encrypted storage

Wafer map data and classification results are encrypted at rest with AES-256. Storage keys are rotated quarterly. Data is stored in a single AWS region (us-west-2) and not replicated across regions unless explicitly requested.

API key RBAC

Access is controlled at the API key level with role-based scopes (classify / batch / read:patterns / manage). Keys can be scoped to specific teams. Key rotation is self-service via the management API.

90-day data retention

Submitted wafer map data is retained for 90 days on the Pilot tier, then deleted automatically. Production tier customers can configure retention from 30 to 365 days. No data is kept beyond the configured retention period.

SOC 2 controls design

Wafertune is designed with SOC 2 Type II controls in mind: access logging, change management, incident response procedures, and vendor risk management. A formal SOC 2 audit is planned for late 2026 as part of the company's compliance readiness roadmap.

Customer data isolation

Each customer's wafer data is stored in isolated storage partitions. Wafertune employees cannot access customer wafer map data except in the context of a logged, customer-requested support ticket. No customer data is used to improve the shared model without explicit written consent.

Deployment model

Wafertune is a hosted cloud SaaS. Wafer map data leaves your network when submitted to the API. This is different from on-prem analytics platforms that run inside your fab network.

For the Phoenix-area specialty fabs that Wafertune targets (automotive-grade analog, BCD power, MEMS), this is typically acceptable because the data transmitted is wafer sort test data (die pass/fail maps), not device design IP or process recipes. The payload is a spatial map of test outcomes, not a mask set.

If your organization has specific data sovereignty requirements, our Production tier can support encryption-in-use options and customer-managed keys (BYOK). Contact us to discuss your requirements before committing to the Pilot tier.

Note on compliance language: Wafertune is designed with security controls in mind. We do not currently hold formal ISO 27001 certification or a completed SOC 2 Type II audit. We are transparent about this: we are a seed-stage company with a roadmap toward formal certification.

Questions about our security posture?

Talk directly to Jonas. Seed-stage companies can move faster on security reviews than enterprise vendors.

Contact us