Security
This article covers how sign-in works, how to enable 2-factor authentication, the security measures behind the platform, where your data is stored, and how Wayfront supports GDPR compliance.
Signing In
Signing in with a magic link
Magic link sign-in is available to clients only. Admins and internal team members need to use a password.
By default, signing in works with magic links. Enter your email address and a one-time sign-in link is sent to your inbox, no password needed. Magic links expire after 1 hour and are single-use only.
Important: Magic links cannot be used with two-factor authentication. If you have 2FA enabled, you'll need to use your password to sign in.
If the email doesn't arrive, check your spam folder and verify your email delivery in Settings.
Signing in with email and password
Users who have set a password can enter their email and password to access their account instead of using magic links.
Resetting your password
If you forget your password, click Forgot password? on the sign-in page. The reset link takes you to a form where you can set a new password. Your password must be at least 8 characters long. If your reset link has expired, request a new one from the sign-in page.
Client sign-up
When enabled, new clients can register by providing email, first name, last name, and a password. After registration, they are automatically logged in.
2-Factor Authentication
Your Wayfront account can and should be secured with 2-factor authentication. To get started, click on your profile icon in the top right corner, select Your Profile, and click the Enable 2FA button next to your password.
Confirm that you want to enable 2FA in the pop-up dialogue.
A QR code will appear. Open your authenticator app (we recommend Tofu for iOS or FreeOTP for Android and iOS), scan the QR code, then enter the 6-digit code it generates and click Enable 2FA. Most password managers can also scan the QR code.
Once set up, click the new Manage 2FA button that appeared in place of Enable 2FA. Click Show recovery codes and copy them to a safe place (such as the notes section in your password manager). Recovery codes let you regain access to your account if you ever lose your authenticator device.
Log out of your account and log back in to test the 2FA setup.
Note: If you log in via magic link, you'll need to set a password before you can enable 2FA.
Platform Security
SSL Secure Connection
Workspaces are accessible via secure HTTPS links (e.g., https://example.wayfront.com). We also issue a trusted SSL certificate for each custom domain at no additional charge.
Cloud Infrastructure
We outsource infrastructure hosting to Amazon Web Services (AWS) as it provides high levels of physical and network security, as well as scalability, backups, and redundancy.
Monitoring And Redundancy
We keep a close eye on error logs and performance so any issues can be addressed immediately. Infrastructure components feature multiple levels of redundancy and automatic failovers, with uptime records available on our status page.
Isolated Customer Databases
When you sign up for Wayfront you get your own dedicated database, which minimizes the chances of accidental data leaks between accounts.
Data Encryption
Customer databases are encrypted at rest and in transit. The system also encrypts sensitive data like API keys. Access to production systems follows strict procedures, and passwords are never stored in plaintext and are not readable by staff.
Secure Development Practices
We rely on proven frameworks to protect against a wide variety of attacks including SQLi, XSS, SSRF, and CSRF, and we ship frequent software updates and security patches.
Security Audits
We work with an ISO 27001 certified auditing company to run periodic security tests on the application and infrastructure.
Data Storage
We process customer personal data to provide our services and for other specified purposes described in our Privacy Policy and Terms of Service.
Service features require that data be transferred to the US, and data is not guaranteed to stay within a certain geographical location such as the European Union. Our servers and databases run on Amazon Web Services in the United States N. Virginia region.
We also rely on a small number of third-party services:
- Amazon SES for email notifications (order messages, new tickets, receipts).
- Sentry for logging and error reporting.
- Stripe for processing your payments to us. You have more options when it comes to charging your own clients.
- Google Analytics and a Facebook pixel on our marketing website. The Facebook pixel can be opted out of.
- ActiveCampaign for our product updates and onboarding emails.
Who Can Access My Data?
To provide technical support, our team can access some parts of your account. This access is secured and monitored according to our security policies.
External contractors and developers work in staging environments only and do not have access to customer data.
GDPR
If you're in the European Union (or selling to EU customers) you probably want to follow GDPR regulations. Here's how we help with that.
Email opt-in
After integrating an email marketing platform like ActiveCampaign or MailChimp, you can add an opt-in field to your order forms and signup pages. Only users who explicitly check the box will be subscribed in your email marketing system.
Data export and deletion
EU-based customers receive supplementary profile capabilities for data export and deletion. Export requests generate an email containing a download link for customer data in JSON format. Deletion requests go to workspace administrators with access to the user's account for review and removal.
Deleting customer accounts does not remove their invoices, as those need to be kept for accounting purposes.