
Built on the standards your legal team already requires
We take compliance seriously because our customers' counsel does. This page is the durable, public record of how Waive operates — frameworks, licensing, methodology, and security.
What we operate under
HIPAA
All systems handling protected health information (PHI) are operated under a HIPAA-compliant security and privacy program. PHI is encrypted in transit and at rest, access is restricted by role and audited continuously, and Business Associate Agreements (BAAs) are executed with every downstream vendor that touches PHI. Workforce members receive annual HIPAA training, and incident response procedures are tested at least annually.
SOC 2
Waive operates its production systems under controls aligned with SOC 2 Type II Trust Services Criteria for Security, Availability, and Confidentiality. A formal Type II attestation is in progress with an independent CPA firm. Bridge letters and the current control matrix are available to enterprise customers under NDA on request.
State TPA licensing
Waive Administrators, LLC holds third-party administrator (TPA) licenses, registrations, or equivalent authority in every state in which it administers plans. The current state-by-state status is published below on this page. Where Waive is not yet licensed in a particular state, plans cannot be administered for groups domiciled in that state until licensure is in place.
ERISA, COBRA, and ACA filings
Waive performs the administrative work required to keep employer plans compliant with ERISA, COBRA, and the Affordable Care Act, including Form 5500 preparation support, COBRA election notices and administration, ACA Forms 1094-C and 1095-C reporting, summaries of benefits and coverage (SBCs), and required participant notices. Plan sponsors remain the legal fiduciaries; Waive provides the operational backbone.
Stop-loss carrier partnerships
Level-funded plans administered by Waive are paired with specific and aggregate stop-loss insurance issued by independent A-rated carriers, including Berkley Accident & Health, Tokio Marine HCC, and HM Insurance Group, subject to availability and underwriting. Carrier selection depends on group size, state, and risk profile. Stop-loss policies are issued and underwritten by the named carrier, not by Waive.
Where Waive is licensed to administer plans
Status by state. Pending real licensing confirmation; this snapshot is updated as authority is granted or renewed.
How we calculate the 30% average savings claim
Waive publishes that employers save an average of 30% when they move from a legacy fully-insured carrier to a Trident level-funded plan. That number is not a marketing estimate — it is the median savings observed across our internal renewal analysis. This section describes how we get there, what is and isn't included, and the caveats every reader should hold in mind.
Sample. The figure is calculated from Waive's internal renewal database. Each data point is one employer group with at least one full plan year of fully-insured coverage immediately prior to moving to Trident, and at least one full plan year on Trident afterward. Groups under 5 enrolled employees and groups with mid-year carrier changes are excluded.
Comparison. For each group we compare the trailing fully-insured total premium (the amount the employer actually paid the carrier in the prior plan year, including admin, stop-loss-equivalent risk load, and member premium share where applicable) against the subsequent Trident total expected cost (administrative fee + stop-loss premium + maximum claims fund). We use expected cost rather than actual paid claims to remove year-over-year claims volatility from the comparison; if a group ran below the maximum claims fund, the unspent balance is treated separately as a potential year-end refund, not as a savings number, so that the 30% figure does not double-count.
Caveats. Individual results vary materially. Savings depend on group size, state, demographics, claims experience, plan design, prior carrier, network selection, and stop-loss attachment points. Smaller groups and groups with adverse selection may see lower savings or, in some cases, no savings. Larger groups with cleaner risk profiles routinely see savings well above the 30% median. The 30% figure is a median across the sample, not a guarantee.
Update cadence. The methodology is reviewed quarterly and the figure is recomputed annually. When the recomputed figure changes by more than one percentage point, the public claim is updated. Auditable backup of the underlying calculation is available to enterprise customers and auditors under NDA on request.
How we protect the information we hold
All personal information and protected health information is encrypted in transit using TLS 1.2 or higher and encrypted at rest using AES-256. Production systems are hosted in SOC 2 Type II–certified infrastructure with network segmentation between PHI-handling environments and general business systems.
Access to personal information is restricted to authorized personnel based on documented job function (least-privilege role-based access control). Access logs are reviewed continuously and high-risk events are alerted in real time. All workforce access to production data requires multi-factor authentication.
We maintain a documented incident response plan with defined severity levels, notification timelines, and post-incident review procedures. Our security posture is validated by annual third-party penetration testing and continuous dependency vulnerability scanning, with findings tracked through remediation.
Talk to our compliance team
Have a security questionnaire, BAA request, or audit request? We respond within one business day.