// Trust & Security Report
Wave Financial Inc.
Wave (waveapps.com) - free/paid small-business accounting, invoicing, receipt scanning, payments processing, and payroll, plus a human bookkeeping/tax add-on called Wave Advisors. Toronto-based; acquired by H&R Block in 2019 and now operated as an H&R Block subsidiary.
Certifications held
1
Maturity
Growth
Trains on your data
Unknown
Trust center
No
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on waveapps.com“Wave is Level 1 PCI-DSS certified. This means that every year we have a third-party audit to validate our practices and make sure we're doing the right things for you and your customers.”
> Show 4 unconfirmed / not-held certifications
source: waveapps.comNo public evidence of a SOC 2 report on Wave Financial Inc.'s own domain (waveapps.com). Wave's 'Your Security' page describes encryption and PCI-DSS but makes no SOC 2 claim, and no trust-center portal (Vanta/SafeBase/Sprinto) exists for waveapps.com. Note: a different, unrelated company operating a meeting-transcription product also branded 'Wave' (wave.co) publishes a SOC 2 Type 1 attestation - that cert belongs to a separate corporate entity/product and does not apply to this vendor.
source: waveapps.comNo public evidence on waveapps.com. A third-party aggregator (Nudge Security) lists 'SOC 2 and ISO 27001' for 'Wave' without vendor-domain sourcing, and this appears to conflate the unrelated Wave-branded products (wave.co, Wave Connect/wavecnct.com, WAAVE) rather than Wave Financial Inc.'s accounting platform. Rejected as unverifiable.
source: waveapps.comNo public evidence of a Wave Financial Inc. GDPR statement or downloadable DPA could be confirmed. Wave's app-hosted privacy pages (my.waveapps.com/privacy) returned 403 Forbidden during verification, and a long-running Wave community thread ('Does anyone know how Wave is dealing with GDPR?') indicates the topic has historically gone unanswered by Wave staff. A DPA found via search belongs to 'Wave Solutions Ltd' (waveapp.co.uk), a distinct UK company, not Wave Financial Inc.
source: waveapps.comNo public evidence; Wave's own Security page makes no HIPAA claim and the product is general small-business accounting/invoicing, not marketed for healthcare/PHI use. A third-party HIPAA-compliance checker states Wave is not HIPAA compliant and healthcare businesses are not supported.
// Privacy & AI training
Trains on customer data
Not stated
Data processing agreement
Not offered
Data region
Not publicly specified in the pages reviewed. Wave Financial Inc. is headquartered in Toronto, Canada (H&R Block subsidiary); no explicit data-residency statement was located.
Wave discloses use of machine learning to auto-categorize financial transactions (a product feature), but no vendor statement was found confirming or denying whether customer financial data is used to train broader AI/ML models, and no opt-out mechanism is documented in the pages reviewed.
// Security controls
Encryption in transit
All page loads and data uploads to Wave are encrypted in transit; mobile app-to-server communications are encrypted using security protocols.
waveapps.comPassword handling
Passwords are encrypted when collected and when sent to Wave's servers; not stored unencrypted.
waveapps.comData storage / physical security
Accounting data is stored on servers with strict physical access and technical controls; facilities are monitored 24/7 with strictly controlled access.
waveapps.com// Products & data scope
data: Business financial transactions, bank/card connections, receipts
Core free product; no dedicated compliance page beyond the general security statement.
data: Customer contact and billing data
Free tier plus paid add-ons.
data: Cardholder and bank transfer data
Scope of the PCI DSS Level 1 certification.
data: Employee PII, SSN/SIN, bank details, wage data
Recently integrated with payroll partner CheckHQ (privacy policy updated Jan 10, 2025 for this integration); highest-sensitivity data scope in the product family.
data: Full financial records shared with in-house advisors
Service layer on top of the core product, not a separate compliance surface.
// What to watch
- IDENTITY-CONFLATION RISK: 'Wave' is used by several unrelated companies/products - wave.co (AI meeting note-taker, SOC 2 Type 1 via Vanta), Wave Connect / wavecnct.com (digital business cards, SOC 2 Type 2 via Sprinto), WAAVE (trust.getwaave.com), Wave Solutions Ltd / waveapp.co.uk (UK company with its own DPA), and D-Wave Quantum. None of these certifications or DPAs belong to Wave Financial Inc. (waveapps.com), the vendor assessed here; they must not be attributed to this listing.
- A third-party security-profile aggregator (Nudge Security) claims Wave is 'GDPR compliant' with 'SOC 2 and ISO 27001' but supplies no vendor-domain proof; this appears to blend the unrelated Wave-branded products above and was rejected as unverifiable.
- No dedicated trust center or compliance portal exists on waveapps.com, unlike several sibling 'Wave'-branded products that use SafeBase/Vanta/Sprinto trust centers - increasing the risk of accidental cross-attribution.
- App-hosted privacy pages (my.waveapps.com/privacy) returned 403 Forbidden during verification, so GDPR/DPA specifics and AI-training posture could not be fully confirmed from Wave's own full policy text.
- Wave Payroll now integrates with third-party partner CheckHQ (privacy policy updated Jan 10, 2025); no independent compliance disclosure was located for this integration.
// At a glance
Pricing model
Freemium: core accounting/invoicing free; paid transaction fees on Payments, subscription pricing for Payroll, and fee-based Advisors services
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Wave Financial Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
waveapps.com