How we protect your WhatsApp and your customer data.
Security is a feature, not a checkbox. Here's the short, honest version of what we do — and don't claim — today.

AES-256-GCM token encryption
WhatsApp Business API access tokens are encrypted at rest using AES-256-GCM with an environment-managed 32-byte key. We never log tokens, never return them in API responses, and only store the last 4 characters (masked) for UI display.
Official Meta Tech Provider
WapiSnap is a Recognised Meta Tech Provider. Your WhatsApp Business Account is onboarded through Meta's approved Embedded Signup flow, or you connect your own WABA (BYOWABA) and retain full ownership.
Workspace-scoped data model
Every business record is tagged with a workspaceId at the database level. All queries pass through workspace guards — no cross-tenant data leaks by construction, not just by policy.
Role-Based Access Control
Four roles — Owner, Admin, Agent, Analyst — with explicit permission checks on every API endpoint. Membership is verified on every request; removed users lose access immediately.
Idempotent webhook processing
Inbound WhatsApp webhooks are de-duplicated by a SHA-256 idempotency key and coordinated across instances via a Redis distributed lock. Even if Meta retries, we process each event exactly once.
Audit logs for sensitive actions
Admin actions — invites, role changes, template submissions, preview sends, takeovers — write an AuditLog entry with actor, timestamp, and metadata. Full traceability when you need it.
Rate limiting and input validation
API rate limits are enforced at multiple windows (3 requests/s short, 20/10 s medium, 100/min long). Input is validated with Zod schemas at every boundary; no unchecked input reaches business logic.
Secure defaults, explicit exceptions
Deny-by-default across guards and permissions. Features gated by plan via PlanGuard. Secrets never committed to git. Tokens never logged. If you can think of a footgun, we've tried to remove it.
What we don't claim (yet)
We don't have SOC 2 or ISO 27001 certifications today. We don't pretend to. These cost time and auditors, and at our stage every quarter of that effort is a quarter we're not building product. We will pursue them when the ROI is right for customers.
What we do today is publish a clear, specific description of our security posture — the things listed above. You can verify them against our code and our behaviour. If you need something stronger to sign a deal, talk to us — we'll tell you honestly whether we're the right fit.
Your WhatsApp. Your AI. Your rules.
Join businesses automating WhatsApp without vendor lock-in.