will be having some technical issue will live soon !
Whatapi Logo
Back to Legal

Security

Last updated: July 9, 2026

1. Our Security Commitment

At Whatapi, security is foundational to everything we build. As a platform that processes business communications and customer data, we are committed to maintaining the highest standards of security, privacy, and compliance. This page outlines the security measures we have implemented to protect your data, our infrastructure, and our users.

Our security program is continuously reviewed and updated to address emerging threats, comply with regulatory requirements, and align with industry best practices.

2. Encryption Standards

Data in Transit: All data transmitted between your browser or application and our servers is encrypted using Transport Layer Security (TLS) 1.3 protocol, the latest and most secure version available. This includes all API requests, dashboard interactions, and webhook callbacks. We enforce HTTPS across all services and HSTS preloading to prevent downgrade attacks.

Data at Rest: Data stored in our databases is encrypted using AES-256 encryption. This includes customer information, message metadata, API keys, integration credentials, and billing records. Encryption keys are managed through a secure key management system with strict access controls and automatic rotation.

End-to-End Encryption: While WhatsApp itself provides end-to-end encryption for messages between users, Whatapi acts as a Business Solution Provider (BSP) and routes messages through the WhatsApp Business API. Message content is encrypted in transit between our servers and WhatsApp's infrastructure.

3. Infrastructure Security

Cloud Infrastructure: Our services are hosted on Google Cloud Platform (GCP) and Firebase, leveraging their enterprise-grade security infrastructure. This includes:

  • Physically secured data centers with 24/7 monitoring, biometric access controls, and redundant power and cooling systems.
  • Google Cloud's security certifications including SOC 1/2/3, ISO 27001, PCI DSS, and FedRAMP.
  • Multi-region deployment for disaster recovery and high availability.

Network Security: We implement multiple layers of network security:

  • Web Application Firewall (WAF) to protect against common web attacks (SQL injection, XSS, CSRF).
  • DDoS mitigation through Cloudflare's global network.
  • IP whitelisting, rate limiting, and request throttling.
  • Regular vulnerability scanning and penetration testing.

Database Security: Firestore databases are protected with:

  • Strict security rules that validate every read and write operation.
  • Server-side validation and sanitization of all inputs.
  • Automated backups with point-in-time recovery.
  • Network isolation with no direct public access to databases.

4. Authentication & Access Control

User Authentication: We use Firebase Authentication for secure user login, supporting:

  • Email and password authentication with bcrypt password hashing.
  • Google and social login options.
  • Multi-factor authentication (MFA) support for enhanced account security.
  • Session management with automatic timeout for inactive sessions.

API Authentication: All API requests must be authenticated using:

  • Firebase ID tokens for client-side API calls, verified server-side.
  • API keys for server-to-server integrations, stored encrypted with restricted access.
  • JWT (JSON Web Token) based authentication for webhook callbacks.

Role-Based Access Control (RBAC): We implement granular permission controls:

  • Admin, manager, and staff roles with configurable permissions.
  • Access to sensitive operations (e.g., API key generation, billing changes) requires elevated privileges.
  • Audit logging of all administrative actions.

5. Application Security

Secure Development Lifecycle: Security is integrated into our development process:

  • Code reviews for every change with security-focused review checklists.
  • Automated static code analysis (SAST) to detect vulnerabilities.
  • Dependency scanning to identify and patch vulnerable libraries.
  • Regular penetration testing by internal and third-party security teams.

Input Validation & Sanitization: All user inputs are validated and sanitized server-side to prevent:

  • Cross-Site Scripting (XSS) attacks.
  • SQL/NoSQL injection attempts.
  • Command injection and path traversal.
  • Server-Side Request Forgery (SSRF).

API Security: Our RESTful API follows security best practices:

  • Rate limiting per API key and IP address.
  • Request validation with strict schema checking.
  • Secure CORS configuration limiting cross-origin requests.
  • No sensitive data in URL parameters (all sent in request body).

6. Data Protection & Privacy

Data Minimization: We collect only the data necessary to provide our Services. Message body content is not stored on our servers beyond what is required for real-time routing. We retain message metadata (status, timestamps, delivery reports) for analytics purposes only.

Data Segregation: Customer data is logically segregated at the database level using tenant-specific security rules. Each customer can only access their own data, messages, and configuration.

Data Deletion: Upon account termination, customer data is scheduled for secure deletion within 90 days. We provide tools to export your data before termination.

Backup & Recovery: Automated backups are performed daily with 30-day retention. Backups are encrypted and stored in geographically separate locations.

7. Compliance & Certifications

Whatapi is committed to compliance with global security and privacy standards:

  • GDPR: We comply with the General Data Protection Regulation for users in the European Economic Area. This includes data processing agreements, data protection impact assessments, and honoring data subject rights.
  • CCPA: We comply with the California Consumer Privacy Act, providing California residents with rights to access, delete, and opt out of the sale of their personal data.
  • WhatsApp Business Messaging Policy: We adhere to Meta's WhatsApp Business API policies, including opt-in requirements, message templates, and quality rating standards.
  • PCI DSS: Payment card data is handled entirely by Stripe, a PCI DSS Level 1 certified payment processor. We never store or process raw payment card data.

8. Incident Response & Reporting

We maintain a documented incident response plan to handle security events effectively:

  • Detection: Automated monitoring systems alert our security team of potential incidents in real time.
  • Containment: Immediate steps are taken to isolate affected systems and prevent further compromise.
  • Investigation: A thorough forensic analysis is conducted to determine the root cause and impact.
  • Remediation: Vulnerabilities are patched, and affected systems are restored to a secure state.
  • Notification: Affected users and relevant regulatory authorities are notified as required by applicable laws and our terms of service.

If you suspect a security vulnerability or have concerns about a potential incident, please contact our security team immediately at security@whatapi.pk. We encourage responsible disclosure of security vulnerabilities and will respond promptly to verified reports.

9. Security Best Practices for Users

While we implement robust security measures, your actions also play a crucial role in maintaining security. We recommend:

  • Strong Passwords: Use unique, complex passwords for your Whatapi account. Avoid reusing passwords from other services.
  • Multi-Factor Authentication: Enable MFA for an additional layer of account protection.
  • API Key Security: Never share your API keys publicly. Store them securely using environment variables or a secrets manager.
  • Regular Audits: Regularly review your account activity, API usage, and user permissions.
  • Logout: Always log out from shared or public devices.
  • Updates: Keep your integration libraries and SDKs up to date with the latest security patches.

10. Reporting Security Issues

We take security reports seriously. If you have discovered a security vulnerability in our platform, please contact us:

  • Security Email: security@whatapi.pk
  • Support Email: support@whatapi.pk

We aim to acknowledge receipt of vulnerability reports within 24 hours and provide an initial assessment within 72 hours. We practice responsible disclosure and will coordinate with you on the timeline for public disclosure after a fix has been deployed.