Security and compliance.
Waqt is built to meet the security expectations of government procurement teams. This page documents the controls and safeguards in place. If you need additional documentation for a specific review, contact us directly.
Security inquiries: contact us
- Microsoft Entra ID SSO
- AES-256 at rest
- TLS 1.2+ in transit
- U.S. data residency
- HIPAA-aligned
- WCAG 2.1 AA
- Full audit logs
Identity and access management
- Microsoft Entra ID single sign-on
- Waqt authenticates users through your agency's Microsoft Entra ID (formerly Azure Active Directory) tenant. Users log in with their existing government credentials — no separate Waqt password to manage or rotate.
- Multi-factor authentication
- MFA is enforced by your Entra ID tenant configuration and honored by Waqt. Waqt does not bypass or override your MFA policies.
- Session timeout
- Sessions expire after approximately 15 minutes of inactivity. This timeout is configurable to your agency's standards.
- Role-based access control
- Five built-in roles implement minimum-access by default. Roles are managed in-app. No user has more access than their role requires.
Encryption
- Encryption at rest
- All stored data — including appointment records, documents, and audit logs — is encrypted using AES-256.
- Encryption in transit
- All data in transit between clients and Waqt infrastructure is protected by TLS 1.2 or higher. Older, weaker protocols are not supported.
Data residency
- U.S.-only data storage
- All data is stored in U.S.-resident cloud infrastructure (AWS, Google Cloud, or Azure U.S. regions). Waqt does not use offshore storage or processing.
- Deployment options
- Waqt is available as vendor-hosted SaaS or as a customer-hosted deployment in your agency's cloud environment. Contact us to discuss your procurement requirements.
HIPAA-aligned safeguards
- Administrative safeguards
- Documented policies and procedures for information access management, workforce training, and incident response — aligned with HIPAA Administrative Safeguard requirements.
- Physical safeguards
- Physical access controls applied to the facilities and hardware that host Waqt infrastructure, consistent with HIPAA Physical Safeguard requirements.
- Technical safeguards
- Access controls, audit controls, integrity controls, and transmission security — aligned with HIPAA Technical Safeguard requirements.
- Business Associate Agreement
- A Business Associate Agreement (BAA) is available on request for agencies with HIPAA obligations. Note: Waqt is not 'HIPAA certified' — no such government certification exists.
Accessibility
- WCAG 2.1 Level AA
- Waqt's public-facing interfaces and scheduling application are designed to conform with WCAG 2.1 Level AA. Conformance documentation is available to agencies upon request.
- Keyboard navigation
- All primary workflows are navigable by keyboard. No functionality requires a pointing device.
- Screen reader support
- Semantic HTML and ARIA attributes are used throughout the application to support screen readers and other assistive technologies.
Audit logging
- Comprehensive event logging
- Every meaningful action in the system is logged: appointment creation, modification, cancellation, document uploads and downloads, user login, role changes, and administrative overrides.
- Log structure
- Each log entry captures: timestamp, actor (user identity), action (create / update / delete / approve), target entity (appointment ID, document ID, etc.), and success or failure.
- Deletion logging
- Deletions are logged with the identity of the user who performed the deletion. Deleted records remain in the audit trail.
Certifications and frameworks
- SOC 2 alignment
- Waqt's controls are aligned with SOC 2 Trust Services Criteria principles (Security, Availability, Confidentiality). Formal SOC 2 certification has not been completed; it can be pursued if your agency's requirements call for it.
- ISO 27001 alignment
- Information security management practices are aligned with ISO 27001 principles. Formal ISO 27001 certification has not been completed.
A note on certifications
Waqt is not currently SOC 2 Type II or ISO 27001 certified. Our controls are aligned with both frameworks, and formal certification is available to pursue as customer requirements demand. We do not claim certifications we have not completed. If a specific certification is required for your procurement, please contact us to discuss a timeline.
Need documentation for a security review?
We can provide additional information, answer questionnaires, and work with your IT and security teams directly.
Contact us