Trust Center

How we earn your trust — continuously, not annually.

You’re asking us to protect your Microsoft 365 tenant, your compliance posture, and your audit evidence. This page shows exactly how we hold ourselves to the same standard we hold your environment to — the attestations we carry, the baseline we run on ourselves, and the upstream certifications we inherit.

Last reviewed: Apr 16, 2026
All systems operational

Our attestations and commitments

Independent programs we’ve enrolled in or publicly self-attested to. Each badge below links to the issuing authority so you can verify directly — we don’t ask you to take our word for it.

Verified

Microsoft Cloud Partner

Registered partner in the Microsoft Cloud Partner Program. Listed in Microsoft’s partner directory with Solutions Partner designations in progress.

Verify at partner.microsoft.com
Enrolling · May 2026

CISA Secure by Design Pledge

Voluntary pledge to CISA’s secure-by-default principles — MFA-by-default, least privilege, and transparent vulnerability disclosure.

cisa.gov/securebydesign
Enrolling · May 2026

Cyber Readiness Certified

Cyber Readiness Institute’s structured program covering identity, device, data protection, and supply chain hygiene.

cyberreadinessinstitute.org
Self-attested · Apr 2026

NIST Cybersecurity Framework

Public self-attestation mapping Waypoint’s internal controls to the NIST CSF functions — identify, protect, detect, respond, recover.

nist.gov/cyberframework

Honesty note: We don’t list certifications we don’t hold. SOC 2 and ISO 27001 are on our roadmap — we’ll publish them here when they’re real, not before.

We run WaypointX on ourselves

The baseline we deploy for clients is the baseline enforced on our own Microsoft 365 tenant. Drift is monitored continuously across all six coverage domains — the same dashboard view our clients see on their tenants.

Live from our WaypointX dashboard · wpta.io tenant

Identity & Access

MFA enforced · 0 drift events

PASS

M365 Email Baseline

DMARC · DKIM · SPF enforced

PASS

Data Protection

Sensitivity labels · DLP active

PASS

Device Compliance

Intune enforced · BitLocker on

PASS

Threat Monitoring

Secure Score tracked weekly

PASS

Framework Mapping

SOC 2 · ISO 27001 · NIST CSF

PASS
Current Secure Score: 94%
Last scan: 6 minutes ago
Drift events (30d): 0

If anything on our tenant ever goes amber or red, it shows up here within 24 hours. We don’t hide behind static badges — continuous verification is the whole point.

Upstream trust — the certifications we inherit

Client data is processed and stored inside Microsoft 365 — in your own tenant, not ours. As a downstream processor, we inherit Microsoft’s enterprise certifications. You can verify any of these directly at the Microsoft Service Trust Portal.


SOC 2 Type II

Microsoft 365 & Azure


ISO 27001

Microsoft 365 & Azure


FedRAMP High

Microsoft 365 GCC


HIPAA BAA

Microsoft 365

How we handle your data


Data residency

Your data stays in your own Microsoft 365 tenant. We access it via delegated Graph SDK permissions — never replicated, never stored outside your environment.


Least privilege access

Scoped Graph SDK permissions reviewed quarterly. No Global Admin rights unless explicitly granted for a defined deployment window — then revoked.


Incident response

72-hour breach notification to all affected clients. Documented runbook, tested annually. Direct escalation to miguel.e@wpta.io or security@wpta.io.


Internal access & audit

Every staff action against a client tenant is logged to the Microsoft Unified Audit Log. You can request your tenant’s full Waypoint access log at any time.

Subprocessors

The short list of third parties that may process client data on our behalf. If this list changes, we update this page and notify active clients before the change takes effect.

| Subprocessor | Purpose | Data processed | Region |
|---|---|---|---|
| Microsoft | M365 & Azure hosting | All client data | United States |
| Anthropic | aICISO AI briefings (opt-in) | Risk metadata, no PII | United States |

Full subprocessor disclosure, including audit reports, available under NDA on request.

Documents & policies

Security contact & disclosure


Found something? Tell us.

If you believe you’ve discovered a security vulnerability in any Waypoint Tech Advisors product or service, please email security@wpta.io. We respond within one business day and credit responsible disclosure in our release notes.

For non-security inquiries: miguel.e@wpta.io · Booking: outlook.office.com/book/InitialConversation

See the same baseline running on your tenant.

We’ll run WaypointX against your Microsoft 365 environment — 30-minute scan, no obligation, complete written findings.