1. Architecture & hosting

Compute & databases run on Railway — application instances, managed PostgreSQL and managed Redis (queue backbone for BullMQ).
File & media storage uses Amazon S3 with private buckets and signed-URL access for client downloads.
Network edge terminates TLS, enforces HTTPS-only and applies CORS allow-listing per origin.
Multi-tenant isolation is enforced at the application layer — every request resolves an authenticated tenant and queries are scoped by tenant id end-to-end.

2. Encryption

In transit: TLS 1.2+ for every external connection — UI, API, webhooks and outbound calls to Meta, Razorpay and AI providers.
At rest: sensitive fields are encrypted with AES-256-GCM before being written to PostgreSQL. Database volumes are encrypted by the hosting provider in addition.
Secrets (API keys, signing secrets, encryption keys) are stored in Railway environment variables and never committed to the repository.

3. Authentication & session security

Passwords are hashed with Argon2id — the OWASP-recommended algorithm, designed to resist GPU and ASIC attacks.
Sessions use signed JWTs delivered as HttpOnly, Secure, SameSitecookies — not accessible from JavaScript and not exposed to XSS.
Forgotten password flows use one-time, short-lived, single-use tokens.
Brute-force protection via per-IP and per-account rate limiting on authentication endpoints.

4. Access control

Production database access is restricted to a small group of authorised engineers; access is logged.
We follow the principle of least privilege for vendor consoles (Railway, AWS, Sentry, Razorpay) and require strong passwords plus two-factor authentication wherever the vendor supports it.
In-product role-based access control allows owners to limit what each team member can see and do.

5. Application security

Input validation on every endpoint using Zod schemas — rejecting unexpected shapes before any business logic runs.
Rate limiting at the framework layer to absorb bursts and slow abuse.
SQL safety via Drizzle ORM with parameterised queries — no hand-built string interpolation.
XSS hardening — React-rendered output escapes by default, and we avoid dangerouslySetInnerHTML on user-supplied content.
Dependency hygiene — we monitor npm advisories and upgrade promptly when CVEs surface.
Error monitoring via Sentry with release tracking, so regressions are caught and triaged quickly.

6. WhatsApp Business API integration

We are a Business Solution Provider on the official Meta WhatsApp Business Cloud API. Tokens, phone-number IDs and webhook subscriptions are managed through Meta's Graph API.
Inbound webhooks from Meta are validated against a shared secret on every request — unsigned or replayed payloads are rejected.
Outbound message templates are submitted through Meta's template approval workflow; we do not bypass Meta's policy enforcement.

7. Payments

Payments are processed by Razorpay, which is PCI DSS Level 1 certified.
Card and UPI credentials never touch our servers. We receive only the order id, payment id, status and a signed webhook from Razorpay.
Razorpay webhook payloads are verified with HMAC SHA-256 against a shared secret before being acted on.

8. AI features (opt-in)

AI features are off by default. They activate only when you explicitly enable them on a workspace.
When enabled, message content is sent to Anthropic (Claude) or OpenAI (GPT) strictly to generate the response. Both providers have committed in their commercial terms not to use API inputs to train their models.

9. Backups & resilience

Managed PostgreSQL is backed up by Railway with point-in-time recovery on supported plans.
Background work runs on BullMQ over Redis with retries, dead-letter queues and idempotent handlers, so transient failures don't lose messages.
We monitor service health and external provider status and surface outages on the in-app system status indicator.

10. Vendors and sub-processors

We use a small set of well-known vendors to operate the platform. Each vendor, the data they process, their region, and a link to their DPA, is published on our Sub-processors page. We update that page when we add or remove a vendor.

11. Compliance posture

Aligned with India's Digital Personal Data Protection Act, 2023.
Aligned with Meta's WhatsApp Business Solution Terms and Business Messaging Policy.
A Data Processing Addendum is available on request — see our DPA page for details.
We do not currently hold ISO 27001 or SOC 2 certifications. We will update this page when we do.

12. Reporting a vulnerability

If you believe you have found a security issue, please email hello@whatrite.dev with the subject line “Security disclosure” and as much detail as you can share — affected endpoint, reproduction steps, and your contact for follow-up.

We commit to acknowledging within 3 business days and to keeping you informed while we investigate. We will not pursue legal action against researchers who follow good-faith responsible disclosure: avoid privacy violations, don't degrade service for other users, and give us reasonable time to fix the issue before going public.