Security
WAYSCloud is built with security at every layer — from network isolation and encryption to audit logging and access control. This page summarizes how we protect your data and services.
For our full security policy, certifications, and contact information, see wayscloud.eu/security.
Authentication
All API access is authenticated. WAYSCloud supports three authentication methods:
| Method | Use case | Format |
|---|---|---|
| Service API Key | Service-specific API access | wayscloud_{service}_{prefix}_{secret} |
| Personal Access Token (PAT) | Account management, CLI, cross-service | wayscloud_pat_{prefix}_{secret} |
| S3 Signature (AWS v4) | Object Storage access | Access key + secret key |
API keys are scoped to a single service. PATs support granular scopes (read, write, deploy, shell). Tokens are hashed (SHA-256) before storage — the plaintext is shown only once at creation.
See Authentication for implementation details.
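The "hash and prefix only" storage described above can be sketched as follows. This is an added example, not WAYSCloud's own code: the hex encoding, the prefix and secret lengths, hashing the full token string, and the in-memory `store` dict are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

VENDOR = "wayscloud"

def _digest(token: str) -> str:
    # A fast hash is acceptable here only because the secret is 256 random
    # bits; it would not be acceptable for human-chosen passwords.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()

def issue_token(store: dict, kind: str, scopes: set) -> str:
    """Create a token, persist prefix + hash + scopes, return plaintext once."""
    prefix = secrets.token_hex(4)    # assumed length; non-secret lookup key
    secret = secrets.token_hex(32)   # assumed length; never stored
    token = f"{VENDOR}_{kind}_{prefix}_{secret}"
    store[prefix] = {
        "kind": kind,                # "pat" or a service name
        "hash": _digest(token),
        "scopes": frozenset(scopes),
    }
    return token                     # caller must show this exactly once

def verify_token(store: dict, token: str, required_scope: str) -> bool:
    """Check format, look up by prefix, compare hashes, then check scope."""
    parts = token.split("_")
    # Hex components contain no "_", so a valid token has exactly 4 parts.
    if len(parts) != 4 or parts[0] != VENDOR:
        return False
    _, kind, prefix, _secret = parts
    record = store.get(prefix)
    if record is None or record["kind"] != kind:
        return False
    # Constant-time comparison avoids leaking how many hash characters match.
    if not hmac.compare_digest(record["hash"], _digest(token)):
        return False
    return required_scope in record["scopes"]

if __name__ == "__main__":
    db = {}                          # constructed stand-in for a database
    pat = issue_token(db, "pat", {"read", "deploy"})
    print(verify_token(db, pat, "read"), verify_token(db, pat, "shell"))
```

Because only the prefix and digest are persisted, a leaked copy of the token table does not yield usable credentials, and the prefix still lets support staff and audit logs identify which token was used.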
Encryption
In transit:
- All API traffic over TLS 1.2+ (HTTPS enforced, no plaintext endpoints)
- WebSocket connections use WSS (TLS)
- Internal service-to-service communication over encrypted WireGuard tunnels
At rest:
- Enterprise-tier databases use encrypted storage
- Secrets (API keys, database credentials, tokens) stored in an encrypted secret manager
- Secret store uses auto-unseal with server-side encryption
Network isolation
- All backend services communicate over a private WireGuard mesh network
- No internal services are directly reachable from the public internet
- Database and storage nodes are on isolated network segments
- VPS instances receive dedicated public IPs with configurable firewall rules
- API gateway enforces rate limiting, request validation, and IP-based access control
Access control
- Scope-based permissions — API keys and PATs have explicit scope grants (e.g., vps:read, dns:write, shell:connect)
- Service activation — Services must be explicitly activated per customer before use
- Soft delete — All deletable resources use deleted_at timestamps for GDPR compliance and audit trail
- Dangerous operation confirmation — CloudShell requires explicit confirmation tokens for destructive operations
Audit logging
Every mutation across the platform is logged:
- Who — Customer ID, user ID, PAT ID
- What — Action, resource type, resource ID
- When — Timestamp with millisecond precision
- Where — Source IP address, user agent
- Outcome — Success or failure with reason
Audit logs are append-only and cannot be modified or deleted. The enterprise audit system covers 250+ distinct action types across all services.
Secret management
- All secrets stored in a dedicated encrypted secret manager
- Application credentials use short-lived, dynamically issued tokens
- Database passwords are dynamically retrieved at runtime, never hardcoded
- API key secrets are shown once at creation, then only the hash and prefix are stored
- Console sessions use single-use tokens with short TTLs (90–120 seconds)
Threat protection
- IP Intelligence — Real-time IP threat scoring, geolocation, and reputation data
- DNS Shield — Anycast DNS with threat detection and query analytics
- Rate limiting — Per-customer and per-IP rate limits on all API endpoints
- Error sanitization — API error responses never include internal IPs, hostnames, stack traces, or provider information
Responsible disclosure
If you discover a security vulnerability, please report it to:
- Email: security@wayscloud.eu
- PGP: Available at wayscloud.eu/security
We follow coordinated disclosure practices and aim to acknowledge reports within 24 hours.