Security is foundational to a customer engagement platform. Weflux handles WhatsApp Business credentials and millions of customer conversations, so we treat security as a first‑class engineering concern.
Data Encryption
- In transit — all traffic between your browser, our APIs, and Meta uses TLS 1.2+ with modern cipher suites.
- At rest — databases are encrypted using AES‑256. Backups are encrypted with separate keys.
- Secrets — WhatsApp access tokens, webhook verify tokens, and SMTP passwords are encrypted with AES‑256 before being stored. Decryption happens only in‑memory on the worker that needs it.
- Passwords — hashed with bcrypt (cost factor 10+). We never store or log plaintext passwords.
Authentication & Access Control
- Stateless authentication based on JWT access tokens (7‑day expiry) and refresh tokens (30‑day expiry).
- Role‑based access control: Admin, Manager, Agent — with progressively narrower permissions.
- Workspace isolation: every database query is scoped to orgId at the ORM layer; cross‑tenant data leakage is structurally prevented.
- Sessions are revocable from Settings → Team Members.
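As an added illustration of the orgId scoping described above (example code written for this page, not Weflux's own), a wrapper in the style of a Prisma client extension that injects the session's orgId into every query and refuses writes for another workspace; the in-memory delegate, org names and rows are constructed for the demo:

```javascript
// Added example, not Weflux's code: the orgId comes from the authenticated
// session, is injected into every where clause and overrides anything the
// caller passes, so a request cannot read or write another workspace's rows.
// A synchronous in-memory delegate stands in for a Prisma model delegate.
function makeInMemoryDelegate(rows) {
  const matches = (row, where) =>
    Object.entries(where).every(([k, v]) => row[k] === v);
  return {
    findMany: ({ where = {} } = {}) => rows.filter((r) => matches(r, where)),
    create: ({ data }) => { rows.push({ ...data }); return { ...data }; },
  };
}

// Wrap a model delegate so the caller can neither omit nor override orgId.
function scopeToOrg(delegate, orgId) {
  if (typeof orgId !== 'string' || orgId.length === 0) {
    throw new Error('scopeToOrg: session has no orgId');
  }
  return {
    findMany(args = {}) {
      // Caller filters are kept; orgId is always the session's value.
      return delegate.findMany({ ...args, where: { ...(args.where || {}), orgId } });
    },
    create(args) {
      if (args.data.orgId !== undefined && args.data.orgId !== orgId) {
        throw new Error('scopeToOrg: refusing write for another orgId');
      }
      return delegate.create({ ...args, data: { ...args.data, orgId } });
    },
  };
}

// Constructed sample rows: two workspaces sharing one conversations table.
const conversations = [
  { id: 'c1', orgId: 'org_a', contact: '+10000000001' },
  { id: 'c2', orgId: 'org_b', contact: '+10000000002' },
];
const rawDelegate = makeInMemoryDelegate(conversations);

// An org_a session asking for org_b's rows still gets only org_a's rows:
// the scope overrides the caller-supplied where.orgId instead of trusting it.
function demo() {
  const scoped = scopeToOrg(rawDelegate, 'org_a');
  const mine = scoped.findMany().map((r) => r.id);
  const crossTenant = scoped.findMany({ where: { orgId: 'org_b' } }).map((r) => r.id);
  return { mine, crossTenant };
}
```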
Infrastructure
- Hosting — Vercel (SOC 2 Type 2, ISO 27001) with automatic DDoS mitigation and a managed Web Application Firewall.
- Database — Supabase managed PostgreSQL with point‑in‑time recovery and 35‑day backup retention.
- Cache & queues — Upstash Redis with TLS‑only connections.
- Regions — primary infrastructure in Mumbai (India), with failover in Singapore.
Application Security
- All API routes require authentication; unauthenticated calls return 401 immediately.
- Parameterised SQL queries via Prisma — no string concatenation, no injection risk.
- Strict Content Security Policy and HSTS headers.
- Rate limiting per IP and per workspace to prevent abuse.
- Webhook signatures from Meta are verified using the configured verify token.
WhatsApp Platform Compliance
- We comply with Meta's Platform Terms and the WhatsApp Business Solution Terms.
- Permanent access tokens are stored encrypted; we never display them after the initial setup.
- Quality rating and messaging limits are surfaced inside the dashboard so you can react to platform signals quickly.
Privacy & Data Handling
- We act as a data processor on behalf of you, the data controller.
- End User conversations are never used to train models, never shared with advertisers, and never used for any purpose other than delivering the Service.
- Data deletion is honoured within 30 days — see Data Deletion.
Incident Response
We monitor for anomalous activity 24×7. If we detect a security incident that affects your data, we will notify you within 72 hours of discovery and provide a written post‑mortem within 14 days, in line with GDPR requirements.
Reporting a Vulnerability
We welcome responsible disclosure from security researchers. Please email security@serves.in with reproduction steps and your contact details. We commit to:
- Acknowledging your report within 48 hours.
- Providing a status update within 7 days.
- Crediting you publicly (if you wish) once the issue is resolved.
Please do not access, modify, or delete data that does not belong to you, and do not perform any test that could degrade the Service for other customers.