App-ening takes data security seriously. We comply with the Personal Data Protection Act (PDPA).
TLS 1.3 in transit, AES-256 at rest. PII fields encrypted with per-tenant keys.
GDPR compliant. Personal Data Protection Act (PDPA) adherent. SOC 2 Type II in progress.
Hosted on AWS with automatic backups, monitoring, and incident response.
All data is processed on Amazon Web Services (AWS) infrastructure with enterprise-grade physical and network security.
Services run inside a Virtual Private Cloud with strict firewall rules and network isolation.
AWS Shield Standard protects against common network- and transport-layer attacks.
Point-in-time database recovery. Backups encrypted and stored in a separate availability zone.
Real-time monitoring with Sentry error tracking and automated service restart on failure.
Multiple layers of encryption protect your data at every stage.
All API calls encrypted with TLS 1.3. HSTS enforced. Secure WebSocket for real-time updates.
AES-256 encryption for all stored data. Database and file storage both encrypted.
Phone numbers and personal data encrypted with per-tenant keys. Separate encryption layer above database encryption.
Messages use WhatsApp’s end-to-end encryption via the official Business API.
Security is built into our development process, not bolted on after.
Code reviews, static analysis, and automated security scanning on every deployment.
Weekly OWASP ZAP and Snyk scans. Dependency audits for known CVEs.
Role-based access, 2FA, JWT authentication with token rotation. Google SSO supported.
Rate limiting, API key rotation, per-tenant isolation, and request validation on all endpoints.
We maintain compliance with international and local data protection standards.
Full compliance with EU General Data Protection Regulation. Data portability, deletion rights, and consent management.
Adherent to local data protection requirements in Singapore. Regular compliance reviews.
Official WhatsApp Business API via authorised BSP (Gupshup). Meta compliance requirements met.
Payment processing via PCI-DSS compliant gateways. We never store card numbers or bank details.
SOC 2 Type II certification in progress. Security, availability, and confidentiality controls audited.
Strict logical separation between accounts. Each tenant’s data is isolated with enforced account boundaries.
We follow data minimisation principles and give you full control over your data.
We only collect data necessary to provide our services. No unnecessary tracking or data harvesting.
Complete audit trail of data access. Know who accessed what and when.
Export your contacts, conversations, and analytics in standard formats (CSV, JSON) at any time.
Request complete account deletion. Personal data removed within 30 days. Backups purged within 90 days.
We have documented procedures for detecting, containing, and resolving security incidents.
Real-time monitoring via Sentry plus automated health checks every 5 minutes.
Automated service isolation and failover. Slack alerts to the engineering team.
Root cause analysis, patch deployment, and post-incident review.
Affected customers notified within 72 hours as required by GDPR.
We recommend these practices to keep your account secure.
Use passwords of at least 12 characters with a mix of letters, numbers, and symbols.
Add an extra layer of security with TOTP-based 2FA.
Regularly rotate API keys and revoke any that are no longer in use.
Check login history and active sessions regularly in your settings.
Found a vulnerability? We appreciate responsible disclosure. We acknowledge all reports within 24 hours.
For data requests under the Personal Data Protection Act (PDPA), contact privacy@app-ening.com.