Security
Last updated: February 7, 2026
Security is fundamental to Waslo. We handle sensitive business communications and lead data, and we take that responsibility seriously. Here is how we protect your data.
Encryption
In Transit
All communication between your browser and Waslo is encrypted using TLS (HTTPS). API requests, authentication tokens, and all data transfers are encrypted in transit.
At Rest
Sensitive data — including WhatsApp authentication state and integration credentials — is encrypted using industry-standard authenticated encryption before storage.
Authentication and Access Control
- Token-Based Authentication — all API requests are authenticated using secure tokens with configurable expiration.
- Password Hashing — passwords are hashed using strong, salted hashing algorithms before storage.
- OAuth Support — Google OAuth provides an additional secure authentication option.
- Rate Limiting — API endpoints are protected with rate limiting to prevent brute-force and abuse attacks.
- Security Headers — we enforce security-focused HTTP headers including Content Security Policy, X-Frame-Options, and others.
Multi-Tenant Data Isolation
Waslo is a multi-tenant platform. Every data query is scoped by organization, and the organization is taken from the authenticated session. This ensures that one organization can never access another organization's data — including leads, conversations, configurations, and integrations.
Infrastructure
Our platform is hosted on enterprise-grade cloud infrastructure with:
- Automatic HTTPS and DDoS protection
- Global CDN for fast, reliable access
- Network isolation between services
- Encrypted database connections and regular backups
- Private networking for internal service communication
Application Security Practices
- Input validation on all API endpoints to prevent injection attacks
- CORS restrictions to prevent unauthorized cross-origin requests
- Idempotency checks on message processing to prevent duplicate handling
- No default credentials — all administrative access requires explicit configuration
- Encrypted message queue processing for reliable, secure data flow
What We Don't Do
- We do not store raw WhatsApp authentication credentials — only the encrypted session state
- We do not share your data with third parties for advertising purposes
- We do not use your conversation data to train AI models
Reporting Security Issues
If you discover a security vulnerability, please report it responsibly by emailing hello@waslo.io with the subject line "Security Report". We take all reports seriously and will respond promptly.