Back to Home

Security

Last Updated: March 12, 2026

At App-ening, security is foundational to everything we do. Built on the official WhatsApp Business API via Gupshup (an authorized BSP), we handle sensitive business communications and implement enterprise-grade security measures to protect your data and your customers' information.

Our Commitment: We are committed to maintaining the highest standards of security and continuously improving our security posture. Your trust is our top priority.

1. Infrastructure Security

1.1 Cloud Infrastructure

Our platform is hosted on Amazon Web Services (AWS), a leading cloud provider with comprehensive security certifications:

  • Data Centers: AWS data centers feature multi-layered physical security with 24/7 monitoring
  • Network Security: Virtual Private Cloud (VPC) with strict network access controls
  • Redundancy: Cloud deployment on AWS with automated monitoring and alerting
  • Disaster Recovery: Automated backups with point-in-time recovery

1.2 Network Security

  • Security Groups: Strict inbound/outbound firewall rules controlling access to all services
  • DDoS Protection: AWS Shield Standard protection against common network-layer attacks
  • Monitoring: Automated health monitoring, Sentry error tracking, and Slack alerting for anomalies
  • Traffic Encryption: All traffic encrypted via TLS 1.3

2. Data Encryption

2.1 Encryption in Transit

All data transmitted to and from App-ening is encrypted:

  • TLS 1.3 encryption for all API communications
  • HTTPS enforced across all web interfaces
  • HSTS (HTTP Strict Transport Security) enforced
  • Secure WebSocket connections for real-time features

2.2 Encryption at Rest

All stored data is encrypted using industry-standard algorithms:

  • Database: AES-256 encryption for all database storage
  • File Storage: Server-side encryption for all uploaded files
  • Backups: Encrypted backups with secure key management
  • PII Data: Additional encryption layer for personally identifiable information

2.3 WhatsApp End-to-End Encryption

WhatsApp messages sent through our platform benefit from WhatsApp's end-to-end encryption. Message content is encrypted on the sender's device and can only be decrypted by the intended recipient.

3. Application Security

3.1 Secure Development

  • Secure SDLC: Security integrated into every phase of development
  • Code Reviews: Mandatory peer review for all code changes
  • Static Analysis: Automated security scanning of source code
  • Dependency Scanning: Regular vulnerability scanning of third-party libraries

3.2 Authentication & Access Control

  • Strong Passwords: Enforced password complexity requirements
  • Google SSO: Sign in with Google for secure, passwordless authentication
  • Session Management: Secure session handling with automatic timeouts
  • Role-Based Access: Granular permissions for team members
  • API Security: Secure API key management with scoped permissions

3.3 Vulnerability Management

  • Automated vulnerability scanning via OWASP ZAP and Snyk (weekly CI/CD)
  • Responsible disclosure program for security researchers
  • Timely patching of identified vulnerabilities

4. Operational Security

4.1 Employee Security

  • Production Access: Access to production systems requires SSH key authentication and is restricted to the founding team
  • Least Privilege: Access limited to what's necessary for job functions

4.2 Incident Response

We maintain a comprehensive incident response program:

  • Automated monitoring via Sentry error tracking and health check crons. Slack-based alerting for service failures.
  • Documented incident response procedures
  • Post-incident analysis and improvement
  • Customer notification procedures for security events

4.3 Business Continuity

  • Automated service restart on failure via health monitoring
  • Regular backup testing and recovery drills
  • Best-effort uptime with automated service recovery and monitoring

5. Compliance & Certifications

5.1 WhatsApp Business Compliance

Built on the official WhatsApp Business API via Gupshup (an authorized BSP), we comply with:

  • Meta's WhatsApp Business Policy
  • WhatsApp Business Data Processing Terms
  • Template message guidelines and approval processes
  • Opt-in/opt-out consent requirements

5.2 Data Protection Regulations

  • GDPR: PII encryption, data deletion endpoints, and consent management aligned with GDPR principles
  • IT Act 2000: Compliant with India's Information Technology Act
  • DPDP Act: Aligned with India's Digital Personal Data Protection Act

5.3 Payment Security

  • Payment processing through Razorpay (PCI-DSS compliant)
  • No storage of full payment card details
  • Secure payment tokenization

6. Data Privacy

6.1 Data Minimization

We collect only the data necessary to provide our services:

  • Clear purpose for each data element collected
  • Regular review and deletion of unnecessary data
  • Configurable data retention periods

6.2 Data Isolation

  • Multi-Tenant Security: Strict logical separation between customer data
  • Account Boundaries: No cross-account data access
  • Audit Logging: Complete audit trail of data access

7. Security Best Practices for Users

We recommend the following security practices for App-ening users:

  • Use strong, unique passwords for your App-ening account
  • Enable two-factor authentication when available
  • Regularly review team member access and permissions
  • Keep API keys secure and rotate them periodically
  • Monitor account activity for suspicious behavior
  • Report any security concerns immediately

8. Reporting Security Issues

If you discover a security vulnerability, please report it responsibly:

  • Email: security@app-ening.com
  • Include detailed steps to reproduce the issue
  • We will acknowledge receipt within 24 hours
  • We commit to working with researchers in good faith

9. Contact Us

For security-related questions or concerns: