Data Security Policy
Data Security Policy
Last updated: 2026-07-16
This data security policy applies to the website, products and services offered under the brand WAAPI, operated by WAAPI (“we”, “us”, “our”), acting as the business. By accessing or using our services you agree to this data security policy. If you do not agree, please discontinue use of the services.
1. Our commitment
Protecting customer data is core to the platform. We apply technical and organisational measures appropriate to the risk, consistent with the IT Act, 2000 (including the SPDI Rules), the DPDP Act, 2023 and — where applicable — Article 32 of the GDPR.
2. Technical measures
- Encryption in transit (HTTPS/TLS) across every public endpoint.
- Encryption or hashing of sensitive values at rest — passwords are salted-hashed; API tokens, channel access tokens and gateway credentials are stored encrypted with AES-256-GCM.
- Strict tenant isolation — every record is scoped to your account and the scope is enforced server-side on every request, never in the browser.
- Role-based access control for panel users, and API keys with individually scoped permissions.
- Audit logging of administrative and security-relevant actions.
- Webhook signature verification and rate limiting on public endpoints.
- Two-factor authentication and passkey (WebAuthn) sign-in available on all panels.
3. Organisational measures
Access to production systems is restricted to authorised personnel on a need-to-know basis and is logged. Backups are taken regularly and restore-tested. Sub-processors are assessed before use and bound by data-protection terms.
4. Incident response
Suspected incidents are triaged immediately under our Data Breach & Incident Notification Policy.
5. Reporting a vulnerability
See our Information Security & Vulnerability Disclosure page — we welcome good-faith reports and will not pursue researchers who follow it.
6. Your responsibilities
Use strong, unique passwords; enable two-factor authentication; protect your API keys and channel tokens; review your team members’ permissions; and report suspected compromise to us immediately.
Governing law & jurisdiction
This document is governed by the laws of India. For operators in India this includes the Information Technology Act, 2000, the Digital Personal Data Protection Act, 2023 (DPDP Act), the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 and the Consumer Protection Act, 2019. Where we serve customers in other jurisdictions we honour applicable local requirements, including the EU/UK General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), to the extent they apply. Courts at India have exclusive jurisdiction, subject to any non-waivable consumer rights in your country of residence.
Contact us
WAAPI is operated by WAAPI. For any question about this document, contact us:
- Email: support@thewaapi.com
- Registered address: India