Most outbound tools are built around a 200M-contact database. That's a huge compliance, deliverability, and brand-risk surface. The Demand Graph is built around public conversation URLs — a fundamentally narrower surface, and the reason Wavly can ship features that contact-DB tools can't without a legal review.
Wavly's source of truth is the public post URL — Reddit thread, HN comment, Stack Exchange question. We do not maintain a contact database, do not buy or scrape PII, and do not enrich identities. The compliance surface of the entire product is dramatically narrower than a contact-DB-based outbound tool.
Every Postgres table that holds tenant data is protected by Supabase Row-Level Security. A signed-in user can only read or write rows their JWT authorizes. RLS is enforced at the database, not in application code — so a bug in the API layer cannot leak data across tenants.
Conversion ingest accepts an optional X-Wavly-Signature HMAC header. When you set a webhook signing secret on a campaign, every payload is verified in constant time before we touch the database. Idempotency keys de-duplicate replays — you can safely retry from anywhere in your stack.
The conversion_ingest_log table records every webhook delivery attempt — successes, validation failures, signature mismatches, and rate-limit denials — with IP, user-agent, latency, and a payload excerpt. Pruned on a schedule; retained long enough to investigate incidents.
App tier on Vercel's edge runtime; data tier on managed Supabase Postgres with point-in-time backups. No self-hosted secrets, no custom auth — we lean on the same platforms that power the operator console you're using.
Every reply Scout drafts is intended for a public thread the asker chose to post in. There is no inbox, no DM blast, no spam vector. This dramatically reduces both deliverability risk and the chance you ever damage your brand by appearing in someone's spam folder.
Email hello@thewavly.com — small team, fast turnaround, plain answers.