Security & trust

Your customer data is the product. We treat it that way.

Meta-grade message security, SOC 2 controls in progress, GDPR and DPDP compliance, and a real audit log your legal team can export.

SOC 2 Type II · In progress · Q3 2026
ISO 27001 · Roadmap · 2026
GDPR · Compliant
India DPDP · Compliant

Every customer message, contact, and credential is encrypted at rest and in transit. No exceptions, no "soon" line items.

AES-256 at rest: All databases, message payloads, and backups encrypted with per-customer keys.
TLS 1.2+ in transit: Every API request, webhook, and internal service call. No plain-HTTP endpoints exist.
Key rotation & HSM-backed secrets: Customer keys rotate every 90 days; root keys stored in AWS KMS (FIPS 140-2 Level 3).

Your team's access controls should match the rest of your stack — not introduce a new set of passwords.

SSO / SAML 2.0: Okta, Google Workspace, Microsoft Entra, JumpCloud. SCIM provisioning on Enterprise.
Role-based access control: Admin, Manager, Agent, Viewer — plus custom roles on Enterprise.
2FA required for admins: TOTP or hardware-key 2FA is mandatory for any user who can manage templates or billing.
IP allow-lists & session controls: Enterprise can restrict dashboard access to specific IP ranges and set max session length.

We run on AWS in regions that match your compliance needs, with isolation and disaster recovery baked in.

AWS Mumbai + Singapore, UAE on request: Data residency options for India, APAC, and UAE customers.
Multi-AZ deployment, automated backups: Hourly snapshots, 30-day retention, cross-region disaster recovery.
99.9% uptime SLA: Measured at the API gateway. Status page and incident history public.

Boards and legal teams care about paper trails. We give them one.

Immutable audit log: Every admin action — template approvals, exports, user invites, retention changes — logged for 12 months and exportable as CSV or JSON.
Signed DPA & sub-processor list: Standard DPA on all paid plans. Custom DPA available on Enterprise.
Annual third-party penetration testing: Results shared under NDA on Enterprise request.
24-hour breach notification: Incident notification policy exceeds GDPR and DPDP minimums.

Compliance status

Where we stand, in plain English

Procurement teams hate vague "compliant with everything" claims. Here is the honest status of every framework enterprise buyers ask about.

Framework · Status · Notes
GDPR (EU / EEA) · Compliant · Standard DPA on all paid plans. EU SCCs for data transfers.
India DPDP Act · Compliant · Mumbai data residency available. Indian entity, Indian contract law.
UAE Federal PDPL · Compliant · Dubai-HQ team. UAE data residency on request (Enterprise).
Netherlands AVG / KSA PDPL · Compliant · AVG follows GDPR framework. KSA PDPL aligned.
WhatsApp Business Policy · Compliant · Official Meta Business Partner. Policy enforcement built into the product.
SOC 2 Type II · In progress · Observation period Q2 2026. Readiness report available under NDA.
ISO 27001 · On roadmap · Internal controls aligned. Certification target 2027.
PCI DSS · Not applicable · We don't store card data. Payments handled by PCI-DSS Level 1 processors.
HIPAA / BAA · Not applicable · WhatsApp is not a HIPAA-covered channel. Avoid sending PHI.

Last reviewed 18 April 2026. Email [email protected] for framework-specific documentation.

Sub-processors

The handful of vendors who touch your data

Every vendor below is bound by a DPA with equivalent protections. The complete and current list is in the signed DPA you receive when you start.

Meta Platforms, Inc. · WhatsApp Business API · Ireland (EU) + US

The underlying messaging network. All WhatsApp conversations are end-to-end encrypted between businesses and users by Meta; we operate the Business Solution Provider layer on top.

Amazon Web Services (AWS) · Hosting · Mumbai (ap-south-1), Singapore (ap-southeast-1)

Compute, storage, databases, managed services. Customer data pinned to the region closest to your contracted data-residency preference. UAE region on request for Enterprise.

Cloudflare · CDN, DDoS, WAF · global edge

Static asset delivery and edge security. Does not process or store message content.

Payment processors · Razorpay (India) · Stripe (international)

Card and UPI transactions. PCI-DSS Level 1 certified. Go4whatsup never stores card data; processors hold the vault.

Transactional email provider · Invoice receipts, password resets, admin notifications

Disclosed in signed DPA. Does not process message content; used only for account and billing emails to admins you designate.

Material changes to this list are notified to the admin email on your account 30 days in advance.

Trust FAQ

The 10 questions procurement always asks

Short, direct answers you can paste into your vendor-review spreadsheet.

Where is my data stored?

Customer-facing message data lives in the AWS region you pick at onboarding — Mumbai by default, Singapore for APAC, UAE on request (Enterprise). Backups stay within the same regional boundary. Metadata for authentication and billing lives in AWS Mumbai.

Can you sign our custom DPA?

Yes, on Enterprise plans. On Starter and Growth we use our standard DPA, which is already GDPR-, DPDP-, and UAE-PDPL-aligned. Legal review turnaround is usually 3–5 business days for custom redlines.

Do you train AI models on my customer data?

No. Your conversations are never used to train public or shared AI models. AI features operate on your data only to draft replies, classify intents, and translate — all within your tenant. You can disable AI features entirely at the workspace level.

What's your breach notification SLA?

24 hours from confirmed detection — tighter than GDPR's 72-hour deadline. You get written notification to your designated security contact with scope, impact, root cause, and remediation steps.

How do you handle data deletion requests?

End-user deletion (DSR / DPDP request) is handled within 30 days. Admin-initiated full-workspace deletion purges primary and backup systems within 90 days. Proof-of-deletion certificate available on request.

Can I export all my data?

Yes. Full conversation history, contacts, templates, and audit logs are exportable as CSV or JSON from the admin console at any time — no support ticket, no fee, no contract exit clause required.

Who inside Go4whatsup can access my messages?

Access is restricted to on-call engineering staff with MFA, least-privilege IAM roles, and mandatory audit logging. All access is logged to an immutable trail and reviewed monthly. Customer-initiated support cases are the only routine reason anyone reads message content — and even then only the specific conversation you flag.

Do you support SSO / SAML?

Yes. SAML 2.0 with Okta, Google Workspace, Microsoft Entra ID, and JumpCloud out of the box. SCIM 2.0 user provisioning on Enterprise. Custom IdPs supported — ask your AE.

What happens if Go4whatsup shuts down or gets acquired?

Your data stays yours. On a wind-down you get 90 days of read-only access plus an export. On an acquisition, your existing contract and DPA follow the data — material privacy-impacting changes trigger your right to terminate and export.

Are penetration test results available?

Yes, summary report available under NDA to Enterprise buyers. Tests are run annually by an independent CREST-accredited firm; findings and their remediation status are included.

Question not answered here? Email [email protected] with "Security question" in the subject. We reply within 1 business day — most RFP-style questionnaires are answered the same week.

Documents

Security & compliance documents

Some documents require a signed NDA — request access via [email protected] with "Security docs" in the subject.

Responsible disclosure: security researchers — if you find an issue, email [email protected] with "Security" in the subject. We commit to a first response within 72 hours and won't pursue legal action for good-faith research.