Information Security & Vulnerability Disclosure

Information Security & Vulnerability Disclosure

Last updated: 2026-07-16

This security policy applies to the website, products and services offered under the brand WAAPI, operated by WAAPI (“we”, “us”, “our”), acting as the business. By accessing or using our services you agree to this security policy. If you do not agree, please discontinue use of the services.

1. Scope

This policy covers the WAAPI web panels, public websites, mobile applications and public APIs operated by us. It does not cover the third-party platforms we integrate with — report issues in those to the provider concerned.

2. Reporting a vulnerability

Report security issues privately to support@thewaapi.com with the subject line “Security — vulnerability report”. Include a description, the steps to reproduce, the impact you believe it has, and any proof-of-concept. We acknowledge reports within 72 hours and aim to give a remediation timeline within 10 business days.

3. Safe harbour

We will not pursue legal action against researchers who act in good faith under this policy: test only against your own account, do not access, modify or exfiltrate other customers’ data, do not degrade the service (no denial-of-service, no automated high-volume scanning), do not use social engineering or physical attacks, and give us reasonable time to fix an issue before disclosing it publicly.

4. Out of scope

Reports without demonstrable impact — missing best-practice headers, self-XSS, rate-limit findings on unauthenticated endpoints, outdated library versions with no exploitable path, or automated-scanner output with no proof of exploitation — are acknowledged but generally not actioned.

5. Our internal controls

We operate least-privilege access to production, mandatory review on changes to authentication and tenant-isolation code, dependency monitoring, encrypted secret storage, and audit logging. Details are in the Data Security Policy.

Governing law & jurisdiction

This document is governed by the laws of India. For operators in India this includes the Information Technology Act, 2000, the Digital Personal Data Protection Act, 2023 (DPDP Act), the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 and the Consumer Protection Act, 2019. Where we serve customers in other jurisdictions we honour applicable local requirements, including the EU/UK General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), to the extent they apply. Courts at India have exclusive jurisdiction, subject to any non-waivable consumer rights in your country of residence.

Contact us

WAAPI is operated by WAAPI. For any question about this document, contact us: