Security is not an afterthought

Security at Wauldo

Your documents contain sensitive data. We treat every layer of our stack — from network to query response — as a security boundary.

59/59 findings addressed
4 audit sessions
0 known vulnerabilities
100% responses audited

Infrastructure

TLS encryption on all connections
All data in transit is encrypted end-to-end
SOC 2 compliant infrastructure
Hosted on Fly.io with enterprise-grade physical security
Redis fail-closed architecture
Service failures deny access by default, never fail open
Rate limiting and brute-force protection
Per-IP throttling with automatic blocking on abuse

Data Isolation

TenantId newtype enforcement
Multi-tenant architecture with compile-time tenant ID validation
Tenant-scoped BM25 retrieval
Documents are filtered by tenant before scoring — zero cross-tenant leakage
Tenant-scoped cache
Cache keys include tenant ID — no cross-tenant cache pollution
Per-tenant collection management
Each tenant's documents are isolated in dedicated collections
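As an added illustration of the newtype and tenant-scoping pattern this section describes (example code written for this page, not Wauldo's own), in Rust since the page names Rust types such as OnceLock; the id validation rule, the term-count scoring that stands in for BM25, and the sample corpus are assumptions.

```rust
/// Newtype: a TenantId is its own type, not a bare String, so the compiler
/// rejects a user id or raw header value where a tenant is required.
#[derive(Clone, Debug, PartialEq, Eq, Hash)]
pub struct TenantId(String);

impl TenantId {
    pub fn new(raw: &str) -> Option<Self> {
        // Assumed validation rule: non-empty, ASCII alphanumerics or '-'.
        let valid = !raw.is_empty()
            && raw.chars().all(|c| c.is_ascii_alphanumeric() || c == '-');
        valid.then(|| TenantId(raw.to_string()))
    }
    pub fn as_str(&self) -> &str { &self.0 }
}

#[derive(Clone, Debug, PartialEq)]
pub struct Document { pub tenant: TenantId, pub id: u32, pub text: String }

/// Tenant-scoped retrieval: the tenant filter runs before scoring, so a
/// better-matching document owned by another tenant can never surface.
pub fn retrieve<'a>(tenant: &TenantId, query: &str, corpus: &'a [Document]) -> Vec<&'a Document> {
    let mut hits: Vec<(&'a Document, usize)> = corpus
        .iter()
        .filter(|d| &d.tenant == tenant) // isolation boundary, before any scoring
        .map(|d| (d, d.text.matches(query).count())) // term count stands in for BM25
        .filter(|(_, score)| *score > 0)
        .collect();
    hits.sort_by(|a, b| b.1.cmp(&a.1).then(a.0.id.cmp(&b.0.id)));
    hits.into_iter().map(|(d, _)| d).collect()
}

/// Cache key that embeds the tenant id: the same query from two tenants maps
/// to two entries, so neither tenant can read or poison the other's result.
pub fn cache_key(tenant: &TenantId, query: &str) -> String {
    format!("{}:{}", tenant.as_str(), query)
}

/// Constructed sample corpus (not real data): doc 3 belongs to another tenant
/// and would score highest for "invoice" without the tenant filter.
pub fn sample_corpus() -> Vec<Document> {
    let doc = |t: &str, id: u32, text: &str| Document {
        tenant: TenantId::new(t).unwrap(), id, text: text.to_string(),
    };
    vec![
        doc("acme", 1, "invoice invoice for Q1"),
        doc("acme", 2, "invoice policy"),
        doc("beta", 3, "invoice invoice invoice confidential"),
        doc("acme", 4, "onboarding guide"),
    ]
}
```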

API Security

JWT authentication
Configurable expiry with RapidAPI key validation
Request body limit 10MB
Prevents oversized payload abuse
Embedding dimensions clamped to [1, 4096]
Anti-DoS protection against memory exhaustion attacks
Streaming response cap 256KB
Prevents unbounded memory allocation on streaming endpoints
Anonymous quota per-IP
Individual rate limiting per IP address, not a shared bucket

LLM Security

Generic error messages only
Raw LLM errors are never exposed to clients
Reasoning trace removal
strip_thinking() removes internal reasoning from all response paths
Prompt sanitization
Compiled regex patterns cached in OnceLock for hot-path safety
Tool result injection cap 8,000 chars
Prevents context overflow from tool outputs
Non-retriable error fail-fast
Auth errors (401/403) fail immediately without fallback attempts
Circuit breaker: 5 failures / 30s recovery
Automatic provider isolation on repeated failures

Audit & Compliance

59/59 findings addressed
Across 4 comprehensive security audit sessions
Full audit trail on every response
Model, latency, confidence score, retrieval path — every query is traceable
Prometheus metrics
Real-time monitoring with auth-protected /metrics endpoint
Low-confidence query logging
Capped at 10MB to prevent disk exhaustion

Responsible Disclosure

If you discover a security vulnerability, please report it responsibly. We value the security community and will work with you to address any issues.

We take every security report seriously and will acknowledge receipt within 48 hours. We will work with you to understand the issue and coordinate disclosure.

Questions about security?

We're happy to discuss our security practices, provide additional details, or address any concerns you may have.

Contact Us