// Trust & Security Report

    Wave Financial Inc. logo

    Wave Financial Inc.

    Wave (waveapps.com) - free/paid small-business accounting, invoicing, receipt scanning, payments processing, and payroll, plus a human bookkeeping/tax add-on called Wave Advisors. Toronto-based; acquired by H&R Block in 2019 and now operated as an H&R Block subsidiary.

    Certifications held

    1

    Maturity

    Growth

    Trains on your data

    Unknown

    Trust center

    No

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    PCI DSS (Level 1 Service Provider)
    HELD

    Wave is Level 1 PCI-DSS certified. This means that every year we have a third-party audit to validate our practices and make sure we're doing the right things for you and your customers.

    Verify on waveapps.com
    > Show 4 unconfirmed / not-held certifications
    SOC 2 (Type 1/2)
    NOT CONFIRMED

    No public evidence of a SOC 2 report on Wave Financial Inc.'s own domain (waveapps.com). Wave's 'Your Security' page describes encryption and PCI-DSS but makes no SOC 2 claim, and no trust-center portal (Vanta/SafeBase/Sprinto) exists for waveapps.com. Note: a different, unrelated company operating a meeting-transcription product also branded 'Wave' (wave.co) publishes a SOC 2 Type 1 attestation - that cert belongs to a separate corporate entity/product and does not apply to this vendor.

    source: waveapps.com
    ISO 27001
    NOT CONFIRMED

    No public evidence on waveapps.com. A third-party aggregator (Nudge Security) lists 'SOC 2 and ISO 27001' for 'Wave' without vendor-domain sourcing, and this appears to conflate the unrelated Wave-branded products (wave.co, Wave Connect/wavecnct.com, WAAVE) rather than Wave Financial Inc.'s accounting platform. Rejected as unverifiable.

    source: waveapps.com
    GDPR (formal posture/DPA)
    NOT CONFIRMED

    No public evidence of a Wave Financial Inc. GDPR statement or downloadable DPA could be confirmed. Wave's app-hosted privacy pages (my.waveapps.com/privacy) returned 403 Forbidden during verification, and a long-running Wave community thread ('Does anyone know how Wave is dealing with GDPR?') indicates the topic has historically gone unanswered by Wave staff. A DPA found via search belongs to 'Wave Solutions Ltd' (waveapp.co.uk), a distinct UK company, not Wave Financial Inc.

    source: waveapps.com
    HIPAA
    NOT CONFIRMED

    No public evidence; Wave's own Security page makes no HIPAA claim and the product is general small-business accounting/invoicing, not marketed for healthcare/PHI use. A third-party HIPAA-compliance checker states Wave is not HIPAA compliant and healthcare businesses are not supported.

    source: waveapps.com

    // Privacy & AI training

    Trains on customer data

    Not stated

    Data processing agreement

    Not offered

    Data region

    Not publicly specified in the pages reviewed. Wave Financial Inc. is headquartered in Toronto, Canada (H&R Block subsidiary); no explicit data-residency statement was located.

    Wave discloses use of machine learning to auto-categorize financial transactions (a product feature), but no vendor statement was found confirming or denying whether customer financial data is used to train broader AI/ML models, and no opt-out mechanism is documented in the pages reviewed.

    // Security controls

    Encryption in transit

    All page loads and data uploads to Wave are encrypted in transit; mobile app-to-server communications are encrypted using security protocols.

    waveapps.com

    Password handling

    Passwords are encrypted when collected and when sent to Wave's servers; not stored unencrypted.

    waveapps.com

    Data storage / physical security

    Accounting data is stored on servers with strict physical access and technical controls; facilities are monitored 24/7 with strictly controlled access.

    waveapps.com

    Payment card security

    PCI DSS Level 1 service provider, with annual third-party audits.

    waveapps.com

    // Products & data scope

    Wave AccountingBookkeeping / accounting software

    data: Business financial transactions, bank/card connections, receipts

    Core free product; no dedicated compliance page beyond the general security statement.

    Wave Invoicing & EstimatesInvoicing / billing

    data: Customer contact and billing data

    Free tier plus paid add-ons.

    Wave PaymentsPayment processing (cards, bank transfer, Apple Pay)

    data: Cardholder and bank transfer data

    Scope of the PCI DSS Level 1 certification.

    Wave PayrollPayroll (US/Canada)

    data: Employee PII, SSN/SIN, bank details, wage data

    Recently integrated with payroll partner CheckHQ (privacy policy updated Jan 10, 2025 for this integration); highest-sensitivity data scope in the product family.

    Wave AdvisorsHuman bookkeeping/accounting/tax services

    data: Full financial records shared with in-house advisors

    Service layer on top of the core product, not a separate compliance surface.

    // What to watch

    • IDENTITY-CONFLATION RISK: 'Wave' is used by several unrelated companies/products - wave.co (AI meeting note-taker, SOC 2 Type 1 via Vanta), Wave Connect / wavecnct.com (digital business cards, SOC 2 Type 2 via Sprinto), WAAVE (trust.getwaave.com), Wave Solutions Ltd / waveapp.co.uk (UK company with its own DPA), and D-Wave Quantum. None of these certifications or DPAs belong to Wave Financial Inc. (waveapps.com), the vendor assessed here; they must not be attributed to this listing.
    • A third-party security-profile aggregator (Nudge Security) claims Wave is 'GDPR compliant' with 'SOC 2 and ISO 27001' but supplies no vendor-domain proof; this appears to blend the unrelated Wave-branded products above and was rejected as unverifiable.
    • No dedicated trust center or compliance portal exists on waveapps.com, unlike several sibling 'Wave'-branded products that use SafeBase/Vanta/Sprinto trust centers - increasing the risk of accidental cross-attribution.
    • App-hosted privacy pages (my.waveapps.com/privacy) returned 403 Forbidden during verification, so GDPR/DPA specifics and AI-training posture could not be fully confirmed from Wave's own full policy text.
    • Wave Payroll now integrates with third-party partner CheckHQ (privacy policy updated Jan 10, 2025); no independent compliance disclosure was located for this integration.

    // At a glance

    Pricing model

    Freemium: core accounting/invoicing free; paid transaction fees on Payments, subscription pricing for Payroll, and fee-based Advisors services

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Wave Financial Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    waveapps.com

    > Browse all vendor trust reports