Aqua takes the security and privacy of its customers and data seriously. Through a variety of technical and process controls, we ensure the absolute strictest security policies.


Security Overview

Aqua Wave takes every effort to safeguard your data when using our product. Beginning with data storage, only the information required to use the product is collected and stored. Data is transmitted and stored in a secure, encrypted manner, and can only be accessed by authorized Aqua personnel on a need-to-know basis. Aqua Wave also undergoes an annual pentest and SOC 2 Type II certification process.


Aqua Wave is SOC 2 Type II certified and undergoes an annual recertification and pentest by an accredited third-party provider.

Data Collection

Aqua Wave only saves data that is necessary to deliver the product and feature set to end users. In the context of its features, this data includes:

  • User email address and hashed passwords
  • (If used) SAML configuration data for SSO login
  • IP addresses and user agents of users connecting to the SaaS interface or APIs
  • Cloud account read-only connection details
  • (For CSPM) Cloud account configuration metadata (but never the details of the contents within the cloud resources)
  • (For Image Scanning) the image vulnerability findings and image details

Payment Data

If you pay Aqua for a paid plan via credit card, the payment information is not saved, processed, or even seen by Aqua servers. Aqua uses Stripe, a third-party, PCI-compliant and accredited payment processor to handle all billing information.

Cloud Provider Usage

Aqua Wave is hosted in Amazon Web Services, and stores data in its us-east-1 (Northern Virginia) datacenter.

Cloud Account Connections

When connecting to your cloud accounts, Aqua Wave uses a third-party read-only role or application. This role provides visibility into the configuration of your cloud resources, but not the contents within them.

For some optional features (such as automated Remediations), Aqua will deploy an additional write-level role that is restricted to specific resources or API calls. You can read more about the security of this feature here.

Data Processing and Storage

All data that is collected from the cloud provider connection is encrypted at rest, when stored, and in transit at all phases of the transmission process (i.e. from user to API server, API server to database, etc.).

Data is encrypted at rest in all places it is stored (database, S3 buckets, etc).

Data Deletion

Data that is not required by Aqua Wave is disposed of quickly. For example, when performing cloud security scans, some API responses contain data that is not used by the scan. This is simply an artifact of how the cloud provider APIs work. Aqua processes the scan data, saves what is relevant to the scan, and permanently deletes the remaining data within 36 hours.

Logging and Auditing

Aqua Wave has extensive API and activity logging that records all activity within your account, by users, admins, or Aqua administrators. This data is saved for at least 365 days for auditing purposes.

Within your Aqua Wave account, you can also access audit logs for user activity and write-level activity performed by your users and API keys.