Overview
Longwave helps Managed Service Providers manage AI usage and data loss risk across client environments. MSPs centrally define and enforce AI usage policies directly in the end-user's browser, with real-time protection and client reporting to guide AI adoption decisions.
This Trust Center describes how Longwave protects data, the security practices Longwave follows, and how to get in touch with questions.
Browser Agent
Longwave uses an enterprise-managed browser agent that operates entirely within the browser sandbox. The agent inspects only traffic from a maintained allowlist of known AI applications (general web activity is not monitored). MSPs control what data is retained: full prompt content, metadata only, or limited analytics. By default, prompt content is not stored.
- Deployed by MSPs via existing MDM or RMM integrations
- Signed and hosted by Longwave, supported on Chrome, Edge, and Firefox
- Communicates exclusively over TLS 1.2+ with approved subprocessors
Data Security
All data is encrypted in transit (TLS 1.2+) and at rest (AES-256). Each tenant's data is logically isolated using unique identifiers and row-level security (RLS). No cross-tenant access is permitted.
- Upon termination or written request, all data and logs are deleted within 30 days
- Full data export available prior to deletion if requested
- Application logs retained for 30 days, access logs retained for 90 days
Authentication & Access Control
All platform access is authenticated through Microsoft Entra ID or Google Workspace.
- IdP security policies (including MFA, conditional access, and session controls) apply automatically
- Users can only view data associated with their authorized tenants
Infrastructure & Subprocessors
Longwave operates exclusively on SOC 2-certified cloud infrastructure and follows the same control standards, including MFA, encryption, access controls, logging, and vendor monitoring. Longwave is in the process of completing SOC 2 Type I certification, with Type II to follow.
- All infrastructure providers maintain SOC 2 certification
- Subprocessors: Vercel, Supabase, AWS
Incident Response
Security incidents are investigated promptly. Impacted partners are notified via email within 24 hours of verification, with remediation steps and a post-incident report. Platform services can be restored from regularly scheduled backups with a Recovery Time Objective (RTO) of under 4 hours and a Recovery Point Objective (RPO) of near-zero.
Questions?
If you have security questions, need documentation for your own compliance reviews, or want to report a potential vulnerability, reach out to the Longwave security team directly.
security@longwavehq.com