Trust Center

WAYSCloud publishes selected reports on security incidents, privacy matters, operational deviations, and regulatory interactions.

This Trust Center provides transparent, factual documentation of how we detect, handle, and resolve issues across the platform — including cases where no breach or customer impact occurred.

Not all events are reported. Reports are published where they provide meaningful insight into system behavior, risk, or operational handling.

We believe trust is built not only on successful operation, but on how issues are identified, addressed, and documented.

These reports are intended to provide insight into how the platform evolves, improves, and responds to real-world conditions.

This is not a real-time status page. For current service availability, see status.wayscloud.services.

Security Acknowledgements

View →

People and organizations who have responsibly reported issues and helped improve WAYSCloud and meil.no.

Published Reports

View all
WAYSCLOUD-TR-2026-0024|Security Report|mediumMonitoring

Automated registration attempts mitigated

On 2026-06-30, WAYSCloud detected a coordinated wave of automated registration attempts against the meil.no free tier. The activity targeted the creation of new accounts. We found no evidence that existing user accounts were compromised, no evidence that customer email contents were accessed, and no evidence of outbound email abuse from the accounts involved. The behaviour matched a known abuse model seen against reputable privacy-focused email and communication services: accounts are created in coordinated waves, kept quiet, accessed periodically to build apparent legitimacy, and later used for spam, fraud or other abuse if sending trust is granted too quickly. This was a coordinated and technically mature attempt. The actor used distributed residential network access, completed SMS verification and varied timing between steps, which made simple per-IP limits and basic anti-bot checks insufficient on their own. The accounts matching the abuse pattern were suspended, active sessions were revoked, and additional anti-abuse controls are being prioritised to protect the service, legitimate users and email delivery reputation.

Published Jun 30, 2026|Affected:meil.no
WAYSCLOUD-TR-2026-0023|Policy or Compliance Notice|informationalInformational

Updated 24/7 NOC contact number

Our Network Operations Center (NOC) has been assigned a new direct telephone number. This line is staffed 24/7 for infrastructure and security-related incidents. The new NOC number is +47 21 61 70 70. The number has changed as part of a planned migration to a new telephony platform and operator. There is no impact to service availability.

Published Jun 12, 2026
WAYSCLOUD-TR-2026-0022|Security Report|mediumResolved

Email Compliance isolation weakness discovered and remediated internally

During internal testing of our Email Compliance service, WAYSCloud discovered a tenant-isolation weakness that could, in principle, have allowed Email Compliance dashboard data from one account to be returned to another account. The issue was discovered internally before customer exposure, remediated the same day, and verified through end-to-end testing. No customer data was exposed.

Published Jun 7, 2026
WAYSCLOUD-TR-2026-0021|Security Report|lowResolved

Significant Increase in Malicious Traffic Successfully Mitigated

WAYSCloud detected and mitigated 406,171 attack attempts from 205,461 unique sources within a one-hour period, consistent with a coordinated, botnet-like distributed denial-of-service (DDoS) attack, followed by a renewed wave in the second hour. The exceptional traffic volume directed at our edge layer caused temporary degraded responsiveness in the customer dashboard and APIs. Traffic has since fallen considerably and services are returning to normal. There is no indication of any security breach, customer data exposure or infrastructure compromise, and underlying customer workloads remained unaffected.

Published Jun 3, 2026
WAYSCLOUD-TR-2026-0020|Responsible Disclosure|informationalAction Taken

Improved security for meil.no mail

Follow-up on Internet.nl findings for meil.no raised by Per Thorsheim. Score improved 73% to 83%; mail crypto hardened, RPKI/IPv6/IMAP items ongoing.

Published Jun 3, 2026|Affected:workspace
WAYSCLOUD-TR-2026-0019|Transparency Report|informationalInformational

Company status clarification: WAYSCloud AS

WAYSCloud AS is currently subject to a formal administrative corporate process following the resignation of the company's auditor in September 2025. The process was triggered by formal company-law requirements, not by a customer-data incident, platform shutdown or ordinary operational collapse. WAYSCloud remains operational. The platform currently operates **22 services across 20 countries**, covering infrastructure, security, communications and AI/compute. Infrastructure costs, monitoring, support and platform development continue as part of ordinary operations. We are in constructive dialogue with the estate administrator, who is also positively inclined toward a return of the company to ordinary operation. In parallel, WAYSCloud has started a strategic capital process targeting approximately **EUR 2 million** to stabilise the company, resolve outstanding formal matters and support commercial rollout.

Published May 27, 2026
WAYSCLOUD-TR-2026-0018|Security Report|lowResolved

Recovery email displayed as verified before verification was completed

A defect in the meil.no signup flow caused a secondary recovery email to be displayed as verified immediately after signup, without a verification mail being sent. The defect was reported by a customer, root-caused, and fully fixed within nine hours, with backfill verification mails sent to all 106 affected legacy users on the same day.

Published May 23, 2026|Affected:workspace
WAYSCLOUD-TR-2026-0017|Operational Deviation|lowResolved

App Service: Wake-from-idle env fix

App Service apps with idle-shutdown enabled could lose environment configuration after waking from idle. Resolved 10 May 2026.

Published May 10, 2026|Affected:app_platform
WAYSCLOUD-TR-2026-0016|Security Report|informationalResolved

Shared Hosting CVE-2026-41940 security review

Following public activity related to CVE-2026-41940 affecting WHM/cPanel environments, WAYSCloud reviewed its shared hosting infrastructure. The review confirmed that relevant systems had already been patched through automated vendor update handling before observed exploitation attempts. No compromise was identified.

Published May 10, 2026|Affected:hosting
WAYSCLOUD-TR-2026-0015|Operational Deviation|lowResolved

Custom-domain DNS verification fix

Internal review found the meil.no custom-domain ownership check could miss valid DNS records due to registrar case normalization. Fixed; no customer impact.

Published May 7, 2026|Affected:workspace
WAYSCLOUD-TR-2026-0014|Platform Improvement|informationalInformational

Email security hardening: DNSSEC, DANE, IPv6

WAYSCloud has completed a multi-step hardening of the internal email delivery layer used by the workspace platform, including DNSSEC, DANE/TLSA, and IPv6 support. These changes strengthen protection against tampering, downgrade attacks, and spoofing, and are externally verifiable. This work covered WAYSCloud's own platform mail infrastructure only. Customer-operated mail servers and customer-managed email systems were not in scope and were not affected.

Published Apr 27, 2026|Affected:workspace
WAYSCLOUD-TR-2026-0013|Operational Deviation|mediumResolved

App Platform interface alignment

Inconsistencies between CLI, API, and dashboard behavior were identified and resolved as part of internal validation of the App Platform.

Published Apr 17, 2026|Affected:apiconsoledashboardapp_platform
WAYSCLOUD-TR-2026-0012|Operational Deviation|highResolved

Database service degradation due to storage saturation

A storage saturation event on a database node caused degraded performance and temporary service disruption across multiple platform services. All services have been restored, and safeguards have been implemented to prevent recurrence.

Published Apr 14, 2026|Affected:databasestoragedns_shieldip_intel
WAYSCLOUD-TR-2026-0011|Platform Improvement|lowScheduled

Shared Hosting control panel migration to HestiaCP

WAYSCloud will migrate its Shared Hosting platform to a new control panel based on HestiaCP. This is part of our ongoing move toward open-source technologies across the platform, with no downtime expected for customer websites.

Published Apr 13, 2026|Affected:hosting
WAYSCLOUD-TR-2026-0010|Operational Deviation|mediumResolved

App Platform Deployment Issue

Deployment startup failures were not clearly surfaced in the dashboard, and the plan upgrade flow lacked a direct path. Resolved with improved error visibility.

Published Apr 10, 2026|Affected:app_platform
WAYSCLOUD-TR-2026-0009|Transparency Report|informationalInformational

WAYSCloud Sovereignty Report

Sovereignty architecture overview — platform control boundaries, dependency governance, jurisdictional alignment, and external dependency risk management.

Published Apr 10, 2026|Affected:identityapiconsolestoragedatabase
WAYSCLOUD-TR-2026-0008|Operational Deviation|lowResolved

VPS web console access issue and architecture improvement

The VPS web console experienced issues preventing browser-based access to virtual machines. The issue has been resolved with an improved, OS-independent console architecture.

Published Apr 5, 2026|Affected:vpsconsole
WAYSCLOUD-TR-2026-0007|Operational Deviation|mediumResolved

Database snapshot redundancy limitation

Off-site backup replication was temporarily limited within a subset of database infrastructure. Detected by monitoring and resolved.

Published Apr 4, 2026|Affected:dbaas
WAYSCLOUD-TR-2026-0006|Operational Deviation|mediumResolved

Dashboard translation inconsistency following deployment

A deployment caused parts of the customer dashboard to display raw translation keys instead of localized text. No data was affected.

Published Apr 3, 2026|Affected:dashboard
WAYSCLOUD-TR-2026-0005|Operational Deviation|mediumResolved

Redis provisioning: firewall allowlist not enforced on new instances

Firewall allowlist rules appeared configured but were not enforced at the network level on newly provisioned Redis instances.

Published Apr 3, 2026|Affected:redis
WAYSCLOUD-TR-2026-0004|Operational Deviation|mediumResolved

Permission Model Conflict During Apache to LiteSpeed Migration

A permission mismatch during Apache-to-LiteSpeed migration caused brief website errors. Rolled back within minutes, now resolved.

Published Apr 3, 2026|Affected:hosting
WAYSCLOUD-TR-2026-0002|Security Report|highResolved

Inconsistent tenant context in administrative support mode

The 'view as customer' support mode did not consistently apply tenant context across services, causing mixed data display.

Published Apr 2, 2026|Affected:identityapistoragednscompute
WAYSCLOUD-TR-2026-0001|Government / Authority Contact|highResolved

False positive CSAM alert involving test data and external IP

A false positive CSAM alert was triggered by test data in production. Formal review confirmed no real content was involved.

Published Mar 12, 2026|Affected:storagemonitoring
WAYSCLOUD-TR-2026-0003|Transparency Report|informationalInformational

Position on proposed EU CSAR regulation and cloud implications

WAYSCloud's formal position on the proposed EU CSAR regulation and its implications for encryption, sovereignty, and providers.

Published Oct 12, 2025
WAYSCLOUD-TR-2025-0001|Privacy / Data Handling Report|highResolved

Historical supplier-related data incident involving controlled recruitment and security documents

This retrospective report documents a historical supplier-related data incident involving Fortified Technologies AS, a cybersecurity supplier engaged by WAYSCloud for security strategy, CSF 2.0-related work and security-related assessments. The incident concerned manual, browser-based downloads from an isolated and access-controlled collaboration workspace that had been established as a security measure. WAYSCloud reported the incident to the Norwegian Data Protection Authority under reference AR644275154, notified affected individuals, removed supplier access and strengthened controls for sensitive collaboration areas.

Published Apr 29, 2025