In November 2024, WAYSCloud experienced a supplier-related data incident that became deeply personal to me.
Not because our production systems were affected. They were not.
Not because customer workloads, databases, authentication systems, payment systems, live infrastructure or service availability were affected. They were not.
But because the incident touched something more fundamental: trust.
At the time, we were building WAYSCloud under real pressure. We were a young company, dependent on good partners, good judgement and the belief that the people around us understood the seriousness of what we were trying to build.
We had chosen partners we believed were strong, professional and trustworthy.
That is why the incident came as such a shock.
The matter involved a controlled collaboration workspace used in a cybersecurity-related supplier engagement. The workspace had been established as a security measure: isolated, access-controlled, authenticated and logged. It contained recruitment material for security-critical roles, including CISO and security architect candidates, as well as selected internal business, security and infrastructure documents.
On 19 November 2024, 66 documents were manually downloaded file by file through the browser by a supplier user account.
The activity was detected by WAYSCloud’s monitoring systems on 21 November 2024 at 23:03. At 23:14 the same evening, we contacted the supplier and requested an explanation, the status of the downloaded copies and information about deletion.
Over the following days, the matter escalated quickly. We reported the incident to the Norwegian Data Protection Authority, received a response through the supplier’s legal representative, submitted supplementary information, reduced the number of potentially affected individuals after further review, and began notification follow-up.
A few days later, we sent a formal deletion and verification request, asking for confirmation covering local devices, backups, email systems, archive systems and any further copies. The formal retrospective report is published in the WAYSCloud Trust Center: Supplier-related data incident involving controlled recruitment and security documents.
When the story became harder
The difficult part was not only the download activity itself.
It was what followed.
From our perspective, the core issue was not whether the supplier had access to view and work with material inside the workspace. The issue was that sensitive material had been moved out of a controlled environment, and we needed verifiable information about storage, deletion, backups and any further copies.
The following months were demanding.
What began, for us, as a serious data protection and supplier-governance matter became entangled with a broader commercial dispute. Publicly, parts of the discussion shifted toward motives, invoices and whether we were using the incident as a way to avoid obligations.
That was painful to experience.
We were trying to document what we believed was a real security and accountability issue. At the same time, the focus around us increasingly moved toward character, timing and commercial conflict.
And yes, there were unpaid invoices. That was true.
Startups are not risk-free customers, just as suppliers are not risk-free partners. Commercial disputes happen. They should be handled as commercial disputes.
But a billing dispute does not answer questions about downloaded material, deletion, backups, copies or verification.
That distinction mattered to me then, and it still matters to me now.
What matters after something goes wrong
Because when sensitive recruitment and security-related material has left a controlled environment, the responsible thing is not to collapse everything into a commercial disagreement.
The responsible thing is to establish facts, contain risk, notify people where necessary, preserve documentation and improve controls.
That is what we tried to do.
We reported the matter to the Norwegian Data Protection Authority. We notified affected individuals. We removed access, requested deletion evidence, asked for clarification on backups and copies, reviewed our collaboration controls and documented the timeline publicly in our Trust Center.
Some of those answers never became as clear as I had hoped. That remains uncomfortable. But the case itself was later closed by the Norwegian Data Protection Authority on 31 January 2025, after the authority confirmed that necessary measures had been implemented.
The public case report remains available here: WAYSCloud Trust Center report WAYSCLOUD-TR-2025-0001.
Why this changed WAYSCloud
For me, that period changed WAYSCloud. Not because it gave us a perfect process. It did not.
It changed us because it forced a choice. We could become more closed, more defensive and more careful about saying anything uncomfortable.
Or we could go the other way. We chose the other way.
That is why our Trust Center exists.
Not as a marketing page, and not as a place to pretend that nothing difficult ever happens. It exists because trust needs memory. It needs timelines. It needs uncomfortable facts to be preserved after the noise has moved on.
I wish this incident had never happened. But I also know it made WAYSCloud more serious.
It taught us that logging is not enough. Access control is not enough. Good intentions are not enough. A controlled workspace is only truly controlled when the paths out of it are controlled too.
Most of all, it taught me that transparency is easy when the story is flattering. The real test comes when the facts are messy, the timing is bad and people disagree about what happened.
Trust is not the absence of failure.
Trust is what remains when failure is handled properly.