Enterprise trust & procurement

Everything procurement and security need before they sign

The commercial, legal and security answers a due-diligence checklist asks for, gathered on one page. Where the full detail lives elsewhere on this site, we link straight to it. No sales gloss, no claims we cannot back.

At a glance 1 pagefor the whole vendor review

In one sentence

Wavect GmbH is an Austrian software company you can contract with under Austrian law, where you own all IP from day one, your data stays EU-resident by default, and a two-founder team plus vetted bench means work survives any single person leaving.

Straight answers on

  • Legal entity, contracting jurisdiction and IP ownership
  • Data-processing agreements, EU data residency and subprocessors
  • Access control, backup, incident handling and handover
  • Key-person continuity, support models and response times

What we will not pretend

  • We do not hold ISO 27001, SOC 2 or a formal security certification today
  • We do not offer a 24/7 network operations center or an uptime SLA
  • We are a small senior team, not a large managed-service vendor
// 01

The procurement checklist, answered

Each row gives you the short answer and a link to the page that documents it in full.

TopicWhere we standDocumented in
Legal entity & jurisdictionWavect GmbH, FN 575337 i, Landesgericht Innsbruck, UID ATU77948526, seated in Ampass, Tirol. Founded 2018 as Wavect e.U., a GmbH since 2022. Contracts default to Austrian law; we have also signed under German, Swiss, US and Singaporean law.Imprint & service agreement
IP ownershipYou own everything we build. Full IP transfer, no rights retained by us, code in your repository from day one.Service agreement
HandoverA complete handover is the default, not an upsell: code, credentials, documentation and runbooks transferred, with keys rotated to you.Handover checklist
Key-person continuityTwo founders on every engagement, plus a vetted specialist bench. We have handed work off cleanly dozens of times; the team is bigger than any one person.About the team
Use of external specialistsSpecialists join under our statement of work as subcontractors, vetted before they touch your project. One contract with us, one invoice, chain-of-processors confidentiality in place.Expert network
Hosting & data residencyEU hosting by default. Your data stays under EU and Austrian rules unless your project requires something else, which we confirm up front.EU data residency guide
GDPR & privacyGDPR and Austrian DSG compliant. Our data protection officer is Kevin Riedl. Legal bases, retention and third parties are set out in full.Privacy policy
Support & maintenanceMaintenance is optional, never baked in. Fixed price on a signed Werkvertrag, or a monthly retainer you can cancel weekly with no notice period.Fixed price vs time & materials
// 02

Subprocessors

The third parties that process data for wavect.io itself. For client projects, infrastructure and subprocessors are chosen per engagement and are EU-resident by default; we list them in that project’s data-processing agreement.

SubprocessorPurposeDataLocation
CloudflareStatic site hosting and CDN for wavect.ioRequest logs, IP addressesGlobal edge, EU data centers
UmamiCookieless website analyticsNo personal dataGermany (EU)
PostHog EUProduct analytics, session and funnel dataUsage eventsGermany (EU)
Zeeg (Zeeg GmbH)Call scheduling from the booking linksName, email, selected timeGermany (EU)

This list changes when our tooling changes. If you need advance notice of subprocessor changes for a signed engagement, we can add that to the contract.

// 03

Security & delivery posture

The topics a security questionnaire asks about that did not have a dedicated home elsewhere. These are honest statements of how a small senior team actually operates, not aspirational policy.

Data-processing agreement

We sign your data-processing agreement, or provide an Art. 28 GDPR agreement of our own that covers the full chain of subprocessors. Raise it on the first call and it is in place before any personal data is processed. For client builds, the DPA is part of the engagement paperwork, not an afterthought.

Access-control practices

We work inside the repositories and infrastructure you grant us, with access you can revoke at any time. Least privilege by default, per-project credentials, multi-factor authentication on our accounts, and no shared logins. At handover, every credential is rotated to you so nothing we held still opens a door.

Backup & recovery

For client projects, backup and disaster recovery are designed into the build: tested restores and documented runbooks, owned by you after handover so recovery never depends on us being reachable. For our own systems, source lives in version control and infrastructure is reproducible from code.

Incident handling

You get a named contact who stays reachable, not a ticket queue. Our job during an incident is to triage, communicate clearly and fix. We are honest about the ceiling: we do not run a 24/7 network operations center, and ongoing on-call response is what a retainer buys.

Documentation standards

Every build hands over an architecture overview, setup instructions, deploy and rollback steps, and runbooks. Documentation lives in your repository next to the code, so it stays with the software rather than in a tool you lose access to. The handover checklist is the full standard.

Certifications

We will be straight: Wavect does not currently hold ISO 27001 or SOC 2 certification. What stands in their place is structural, not a badge: a small senior team, your code in your repository from day one, a complete handover that removes lock-in, and a contract under Austrian law that binds us to what we agreed. If a specific certification is a hard procurement gate, tell us early and we will tell you plainly whether we can meet it rather than claiming we already do.

Service levels

We reply within four working hours, usually within one. Ongoing support runs on a retainer with a defined weekly commitment you can cancel without notice. We do not sell an uptime SLA: availability and reliability for delivered software are scoped per engagement, consistent with our service agreement , so we never promise a number we would not stand behind.

Procurement questions, answered plainly

Wavect GmbH, an Austrian company registered as FN 575337 i at the Landesgericht Innsbruck, UID ATU77948526, seated in Ampass, Tirol. Austrian law is the default, and we can sign under your standard master agreement. We have also contracted under German, Swiss, US and Singaporean law.
Yes, fully. All IP in what we build transfers to you, we retain no rights, and the code lives in your repository from the first commit. This is written into the service agreement, not just promised.
Yes. We sign your DPA or provide an Art. 28 GDPR agreement covering the full subprocessor chain. It is in place before any personal data is processed.
For wavect.io itself: Cloudflare for hosting, Umami and PostHog EU for analytics, and Zeeg for scheduling, all EU-resident. For client projects, subprocessors are chosen per engagement, EU-resident by default, and listed in that project’s DPA.
Work does not stop. Two founders sit on every engagement and a vetted bench backs them up, so knowledge is never held by one person. We have handed projects off cleanly dozens of times, and the handover discipline that makes that possible is the same one we use at the end of every build.
No, not today, and we will not claim otherwise. What protects you instead is structural: a small senior team, your code in your repository from day one, a complete handover that removes lock-in, and an Austrian-law contract that binds us to delivery. If a certification is a hard requirement for your procurement process, tell us early and we will be honest about whether we can meet it.
We reply within four working hours, usually within one. Ongoing support is a monthly retainer with a defined weekly commitment, cancellable without notice. We do not offer an uptime SLA; availability for delivered software is scoped per engagement so we never promise a number we cannot stand behind.
Last reviewed: byChristof Jori wiki ↗

Still have a question on the checklist?

Send us the clause that is holding up the review. You will get a straight answer from a founder, not a form letter.