Security and PII

When you connect your WhatsApp number, you are trusting us with sensitive data. We take that responsibility seriously. From day one, security and privacy have been part of our architecture decisions.
We want to share how we protect data in transit, at rest, and in use. Our goal is simple: give you peace of mind that your customer conversations are safe.
Data in Transit
All traffic between our services and external clients is encrypted using TLS 1.2+.
- API calls to api.sendzen.io are only accepted over HTTPS.
- Webhooks are validated with HMAC signatures so we can detect tampering.
- Internal service-to-service communication (Lambda → RDS, Lambda → DynamoDB) also uses TLS, even though it happens inside a private VPC.
- We don't allow plaintext connections, even for "internal" traffic.
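The webhook check described in the list above, sketched from the receiving side. This is an added example, not SendZen's code: the page does not name the hash or header format, so HMAC-SHA256, the `sha256=<hex>` header form, the function names and the sample payload are all assumptions.

```python
import hashlib
import hmac

# Assumed header format for this sketch: "sha256=<hex digest>".
SIG_PREFIX = "sha256="


def sign_payload(secret: bytes, raw_body: bytes) -> str:
    """Sender side: HMAC-SHA256 over the exact bytes that go on the wire."""
    return SIG_PREFIX + hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, raw_body: bytes, signature_header) -> bool:
    """Receiver side: recompute the MAC over the raw body and compare."""
    if not signature_header or not signature_header.startswith(SIG_PREFIX):
        return False  # missing or malformed header is a failure, never a pass
    expected = sign_payload(secret, raw_body)
    # compare_digest is constant-time, so it does not leak how much of the MAC matched.
    return hmac.compare_digest(expected.encode(), signature_header.encode())


# Constructed sample data: secret, event name and id are made up for the demo.
SECRET = b"constructed-demo-secret"
BODY = b'{"event":"message.delivered","id":"evt_0001"}'
# Same JSON after a parse/re-serialize round trip (whitespace differs).
REFORMATTED_BODY = b'{"event": "message.delivered", "id": "evt_0001"}'

if __name__ == "__main__":
    header = sign_payload(SECRET, BODY)
    print("as sent:       ", verify_webhook(SECRET, BODY, header))
    print("field changed: ", verify_webhook(
        SECRET, BODY.replace(b"delivered", b"failed"), header))
    # Verify before parsing: a re-serialized body no longer matches the MAC.
    print("re-serialized: ", verify_webhook(SECRET, REFORMATTED_BODY, header))
    print("no header:     ", verify_webhook(SECRET, BODY, None))
```

An HMAC over the body detects tampering only; rejecting replayed deliveries needs a signed timestamp or delivery id on top of it.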
Data at Rest
All sensitive data is encrypted at rest using AWS KMS keys.
- PII (e.g. customer phone numbers, WhatsApp IDs, message logs) is stored encrypted in RDS and DynamoDB.
- Secrets (e.g. WhatsApp tokens, business IDs) are never stored in plaintext. They are managed in AWS Secrets Manager.
- Backups on S3 are encrypted with bucket-level policies and customer-managed keys.
This ensures that even if someone accessed raw storage, they would not be able to read sensitive content.
Token and Key Management
WhatsApp access tokens, business IDs, and phone IDs are the crown jewels. Our handling approach:
- Stored only in AWS Secrets Manager, rotated automatically.
- Accessible only to specific Lambda functions with strict IAM policies.
- Never exposed to frontend or client-side code.
- We treat tokens as ephemeral. If compromised, they can be revoked and rotated without downtime.
Logging and Monitoring
We log enough to detect incidents, but never log sensitive content.
- CloudWatch captures system-level metrics and error rates.
- Application logs are scrubbed so that no phone numbers, tokens, or message bodies are written.
- Audit logs exist for all admin actions: API key creation, role assignment, token updates.
This balance lets us investigate issues without risking leaks.
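One way to enforce the scrubbing rule above at the logging layer, so that a careless log call cannot write a phone number, token, or message body. This is an added example, not SendZen's implementation: the regular expressions, the `body`/`text` field names, the placeholder strings and the sample lines are assumptions.

```python
import logging
import re

# All three patterns are assumptions for this sketch, not the vendor's rules.
# They err toward over-redaction: any long digit run is treated as a phone number.
PHONE_RE = re.compile(r"\+?\d[\d\s\-()]{7,}\d")
TOKEN_RE = re.compile(
    r"(bearer\s+|token[\"']?\s*[=:]\s*[\"']?)([A-Za-z0-9._\-]{16,})", re.I)
BODY_RE = re.compile(r"(\"(?:body|text)\"\s*:\s*)\"(?:[^\"\\]|\\.)*\"", re.I)


def scrub(message: str) -> str:
    """Redact tokens, then message bodies, then phone numbers."""
    # Tokens go first so digit runs inside a token are not half-redacted as phones.
    message = TOKEN_RE.sub(lambda m: m.group(1) + "[REDACTED_TOKEN]", message)
    message = BODY_RE.sub(lambda m: m.group(1) + '"[REDACTED_BODY]"', message)
    return PHONE_RE.sub("[REDACTED_PHONE]", message)


class ScrubFilter(logging.Filter):
    """Attach to handlers: logger-level filters skip records from child loggers."""

    def filter(self, record: logging.LogRecord) -> bool:
        # Render %-style args first so values passed as parameters are scrubbed too.
        record.msg = scrub(record.getMessage())
        record.args = ()
        return True


# Constructed sample lines (the number is from a range reserved for fiction).
SAMPLES = [
    "send failed to=+44 7700 900123 status=500",
    "upstream call with Authorization: Bearer tok_constructed_0123456789abcdef",
    'inbound payload {"from": "447700900123", "text": "my card ends 4242"}',
]

if __name__ == "__main__":
    handler = logging.StreamHandler()
    handler.addFilter(ScrubFilter())
    log = logging.getLogger("constructed.demo")
    log.addHandler(handler)
    for line in SAMPLES:
        log.warning(line)
```

Pattern-based scrubbing is a backstop; the primary control is still not passing sensitive fields to the logger at all.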
GDPR, CCPA, and Regional Compliance
We are architected with compliance in mind:
- Data minimization: We only store what is needed for message delivery and analytics.
- Right to be forgotten: Customer data can be deleted permanently from RDS, DynamoDB, and S3.
- Regional residency: For EU customers, we host in eu-west-1 (Ireland). For others, we are expanding region-specific deployments.
- Audit readiness: Our design is aligned with SOC 2 principles (security, availability, confidentiality).
Data Residency in Europe
All customer data for EU accounts is stored and processed within AWS Europe (Ireland) (eu-west-1). This ensures compliance with GDPR requirements around data residency and prevents unnecessary cross-border data transfers. EU-based customers can be confident that their WhatsApp message data never leaves the European region unless explicitly configured by them.
Serverless by Design
We rely heavily on AWS serverless services such as Lambda, API Gateway, App Runner, DynamoDB, and SQS. By choosing managed services instead of self-managed VMs or containers, we reduce our surface area for vulnerabilities.
- No OS patching: AWS manages the underlying operating systems, so we never have to worry about missing kernel updates or critical CVEs.
- No network maintenance: VPC networking, scaling, and load balancing are managed by AWS.
- Automatic updates: Services like Lambda and App Runner are continuously updated by AWS without downtime.
This approach lets our team focus on application-level security (encrypting PII, access controls, token management) while AWS covers the infrastructure-level hardening.
Common Concerns We Hear
"If I connect my WhatsApp number, can your team read my messages?"
No. Messages are encrypted in transit from Meta, stored encrypted at rest, and never exposed to support staff. We cannot casually browse message logs.
"What happens if one customer's account is compromised?"
Each organization has strict data isolation. Tokens and PII are scoped per account. A breach of one account does not give access to data from another.
"Do you support self-hosting?"
Yes. For enterprises, we support on-premise or dedicated VPC deployments. This ensures compliance with industries that require full data control (e.g., healthcare, banking).
Our Opinionated View
Many WhatsApp API providers treat security as an afterthought. We don't.
If you are a startup testing an idea, maybe you can live with weak security. But if you are a mid-size or enterprise company connecting your customer conversations to a third-party platform, you need guarantees. That's where we differentiate.
We are opinionated about this: security should not be optional. It is core infrastructure, not a feature.
Closing Thoughts
Attaching your WhatsApp number to a third-party platform is a sensitive decision. Our approach ensures:
- Data is encrypted everywhere.
- Secrets are tightly controlled.
- Logs are clean but auditable.
- Compliance is built-in, not bolted on.
We want CTOs, architects, and developers to feel at ease choosing us, because reliable messaging is only valuable when it is also secure messaging.