Data privacy and security by design on the WhatsApp Business Platform
The WhatsApp Business Platform powers communication with people all over the world, so businesses can connect with their customers on WhatsApp in a simple, secure and reliable way. The WhatsApp Business Platform enables businesses to have conversations with their customers across the customer journey, from initial discovery through post-purchase support. We highly value the data privacy and security of both businesses and their customers, and this document is intended to provide transparency on the security and compliance practices of the Cloud API, hosted by Meta.
Contents
Data privacy
Encryption (p. 3)
Security by design
Defense in depth (p. 4)
Product security (p. 5)
Change management (p. 6)
Availability and continuity (p. 7)
Compliance and security standards
SOC 2 (p. 8)
Penetration testing (p. 8)
Security questionnaire (p. 9)
GDPR (p. 9)
Data privacy and security by design on the WhatsApp Business Platform 3
Data privacy
Security by design
The WhatsApp Business Platform is protected by a combination of people, processes and technology security systems that keep customer data private and secure. Meta uses defense in depth, meaning we layer a number of protections to make sure we prevent and address vulnerabilities in our code from multiple angles. We care deeply about protecting customer data and we have built the Cloud API with security in mind.
Defense in depth
Keeping Meta safe requires a multi-layered approach to security.
Secure frameworks: Security experts write libraries of code and new programming languages to prevent or remove entire classes of bugs.
Automated testing tools: Analysis tools scan new and existing code for potential issues.
Peer and design reviews: Human reviewers inspect code changes and provide feedback to engineers.
Red team exercises: Internal security experts stage attacks to surface any points of vulnerability.
Bug bounty program: Outside researchers are incentivized
This layered approach greatly reduces the number of bugs live on the platform.
Product security
Application security: Meta has multiple layers of security controls built into its software development lifecycle designed to prevent vulnerabilities from being introduced into Meta code. Meta uses third-party security experts to perform detailed penetration tests on our applications.

White hat program: Meta operates a white hat bug bounty program which creates incentives for external users to report security vulnerabilities on Meta’s platform. Meta has a designated on-call team that manages the review and validation of white hat reports. Validated reports are resolved based on severity level, and progress is tracked in an internal system.

Vulnerability management: Meta operates a vulnerability management program to identify, track and remediate known security vulnerabilities across Meta’s infrastructure.

Data security: Meta implements state-of-the-art mechanisms to ensure security of data (at rest or in transit) and security of software and hardware components (which are used to implement the Meta-hosted WhatsApp Business API service). Traffic in and out of Meta data centers is encrypted (HTTPS). Traffic within Meta data centers is encrypted using Transport Layer Security (TLS). Traffic between the WhatsApp Business API service and WhatsApp servers is encrypted using the Noise protocol. WhatsApp Business API message content (including text, template, and media messages) is stored in an encrypted state on Meta’s data stores. Meta policies define sensitive data types and require that appropriate security and access controls be implemented, taking into account data type, business need, the nature and purpose of processing, data privacy laws and roles and responsibilities of accessing parties.
Change management
Code changes are tracked through an internal tracking system and go through the following change management process:
• To initiate a change, the change author first creates a differential, or “diff,” which serves as documentation of the proposed change, the test plan for the proposed change, the results of automated testing of the change, and review and approval of the change.
• Each diff represents a change to the code base that a developer has proposed for use in production.
• Developers check out the code base from a central repository and load it into a testing environment in order to test the proposed change.
• Diffs are run through automated tools that check for common errors or deviations from best coding practices and for known code patterns that raise security or privacy concerns. These testing tools include features designed to help the author locate the documentation or resources needed to resolve any identified issues.
• Testing and approval of the diff are logged by the system to support the change.
Availability and continuity
Disaster recovery: We maintain a disaster recovery program to ensure services remain available or are easily recoverable in the case of a disaster. Developers can stay up-to-date on service outages through a publicly available status page.

Resiliency: Meta maintains a resiliency program for preparing Meta personnel to effectively respond to and recover from an emergency or crisis. Meta has a designated team to lead company-wide efforts to enhance preparedness, with attention to critical areas of business continuity, crisis management, data center resiliency and workplace resiliency, as well as competencies within business units. Meta has DDoS detection and mitigation mechanisms in place to protect the network from denial of service attacks. Meta regularly conducts disaster recovery tests and, based on the learning from these tests, works to update and improve its disaster recovery processes and automated technologies.
Compliance and security standards
SOC 2
SOC 2 is an extensive independent audit of how Meta hosts and operates the Cloud API, which is performed annually by third-party auditors. It evaluates the processes in place to ensure the security, confidentiality and availability of customer data on our platforms, covering everything from how we secure and protect our data centers to how we verify the identity and background of our employees. The audit report is available upon request, subject to an NDA.
Penetration testing
Meta works with external auditors to conduct regular penetration tests. Features are tested and reviewed by an independent security consulting firm. The results are available upon request, subject to an NDA.
Security questionnaire
We have completed the Cloud Security Alliance Consensus Assessments Initiative Questionnaire, which is available upon request, subject to an NDA. It offers an industry-accepted way to document what security controls exist in the Cloud API, providing security control transparency. It provides a set of questions that the Cloud Security Alliance anticipates a cloud consumer or auditor would ask a cloud provider. We document WhatsApp’s answers to the questionnaire, which should provide a basis for security, control and process review.

GDPR
Meta takes data protection and people’s privacy very seriously and we are committed to continuing to comply with data protection laws. The Cloud API allows our customers to continue to meet their obligations under the General Data Protection Regulation (GDPR). Meta complies with applicable legal, industry and regulatory requirements, as well as industry best practices.