1. Access Control (NIST PR.AC)

| Control ID | Control Description | Implementation |
|---|---|---|
| AC-1.1 | Delegated Access Mandate | The Waycore platform requires customers to create a dedicated, limited-permission user account (“Delegate User”) within their own financial institution’s portal. The use of primary or administrator credentials is programmatically and contractually prohibited. |
| AC-1.2 | Credential Encryption | All Delegate User credentials are encrypted at rest using AES-256 and a dedicated, customer-specific key managed by our cloud provider’s Key Management Service (KMS). Raw credentials are never stored in plaintext and are not accessible by any human operator. |
| AC-1.3 | Role-Based Access Control (RBAC) | Customer administrators define roles and permissions for their own users within the Waycore platform. These roles determine which users can create, approve, and execute workflows. |
| AC-1.4 | Internal Access Control | Access to production systems by Waycore employees is restricted based on the principle of least privilege. Access requires multi-factor authentication (MFA) and is logged and audited. Direct access to customer data is prohibited for all employees except a small, designated team of on-call engineers for emergency break-fix scenarios. |

2. Human-in-the-Loop (HITL) and Approval Workflows (NIST PR.IP)

| Control ID | Control Description | Implementation |
|---|---|---|
| IP-2.1 | Human Supervision of Automated Sessions | All automated sessions are supervised by trained human agents. Agents have the ability to monitor, pause, and terminate any session at any time. |
| IP-2.2 | Automated Escalation Rules | The automation platform is configured to automatically pause and escalate to a human agent for review and approval under predefined conditions, including: (a) encountering a system error or unrecognized UI element; (b) before executing a high-risk action (e.g., payment initiation); or (c) if a data validation check fails. |
| IP-2.3 | Segregation of Duties | The roles of workflow creator, approver, and executor can be segregated within the Waycore platform to enforce separation of duties. A user who creates a workflow cannot approve their own workflow unless explicitly permitted by the customer’s configuration. |
| IP-2.4 | Multi-Step Approvals | The platform supports optional multi-step and multi-user approval workflows for high-risk or high-value transactions, as defined by the customer. |

3. Audit and Accountability (NIST DE.CM)

| Control ID | Control Description | Implementation |
|---|---|---|
| CM-3.1 | Immutable Audit Trail | All actions taken within the Waycore platform, including user logins, workflow creation, approvals, automated system actions, and human agent interventions, are logged to a tamper-evident, append-only audit trail. |
| CM-3.2 | Log Retention | Audit logs are retained for a minimum of 12 months. Log data is stored in an encrypted format and protected from unauthorized access or modification. |
| CM-3.3 | External Audit Trail | All actions performed by the Delegate User are logged within the financial institution’s own native audit trail, providing an independent, customer-accessible record of activity. |
| CM-3.4 | Log Review | Automated alerting is configured to detect and flag anomalous activity in the audit logs for review by our security team. A formal review of all high-risk events is conducted on a monthly basis. |

4. System and Services Acquisition (NIST ID.SC)

| Control ID | Control Description | Implementation |
|---|---|---|
| SC-4.1 | Third-Party Risk Management | All third-party subprocessors are subject to a formal risk assessment and due diligence process before being onboarded. We maintain a list of all subprocessors, which is available to customers upon request. |
| SC-4.2 | Secure Development Lifecycle (SDL) | Our software is developed in accordance with a formal SDL process, which includes mandatory security training for developers, static and dynamic code analysis, and regular vulnerability scanning. |