Security & Compliance
Comprehensive security and compliance information for AmanahAgent WhatsApp Business API, including data protection, encryption, and regulatory compliance.
Security Overview
Security is fundamental to AmanahAgent's platform. We implement industry-leading security practices to protect your data, ensure message privacy, and maintain compliance with international regulations.
End-to-End Encryption
All messages are encrypted in transit and at rest using AES-256 encryption
SOC 2 Type II
Independently audited and certified for security, availability, and confidentiality
GDPR Compliant
Full compliance with EU General Data Protection Regulation requirements
Data Encryption and Protection
Encryption Standards
Data in Transit
- TLS 1.3 encryption for all API communications
- Perfect Forward Secrecy (PFS)
- Certificate pinning for mobile applications
- HSTS (HTTP Strict Transport Security)
Data at Rest
- AES-256 encryption for all stored data
- Encrypted database backups
- Hardware Security Modules (HSM) for key management
- Regular key rotation policies
Message Privacy
Important: AmanahAgent implements end-to-end encryption for WhatsApp messages. We cannot read the content of your messages - only you and your recipients can.
End-to-End Encryption
Messages are encrypted on the sender's device and can only be decrypted by the recipient
Zero-Access Architecture
AmanahAgent cannot access message content, ensuring complete privacy
Metadata Protection
Minimal metadata collection with automatic purging policies
Data Retention and Deletion
Data Type | Retention Period | Deletion Method |
---|---|---|
Message Content | Not stored (end-to-end encrypted) | N/A - Never stored |
Message Metadata | 30 days | Secure deletion with overwrite |
API Logs | 90 days | Secure deletion with overwrite |
Account Data | Until account closure + 30 days | Complete data purge |
Backup Data | 90 days (encrypted) | Cryptographic erasure |
Compliance and Certifications
GDPR Compliance
AmanahAgent is fully compliant with the EU General Data Protection Regulation (GDPR), ensuring the protection of personal data for all EU citizens.
Data Subject Rights
- Right to access personal data
- Right to rectification
- Right to erasure ("right to be forgotten")
- Right to data portability
- Right to restrict processing
- Right to object to processing
GDPR Implementation
- Data Protection Officer (DPO) appointed
- Privacy by Design and by Default
- Data Protection Impact Assessments (DPIA)
- Breach notification within 72 hours
- Regular compliance audits
- Staff training on data protection
HIPAA Compliance
For healthcare customers in the United States, AmanahAgent offers HIPAA-compliant messaging solutions with Business Associate Agreements (BAA) available.
HIPAA Features: Available on Enterprise plans with signed Business Associate Agreement (BAA)
Technical Safeguards
- Access controls and authentication
- Audit logs and monitoring
- Data encryption and integrity
- Secure transmission protocols
Administrative Safeguards
- HIPAA training for all staff
- Incident response procedures
- Risk assessment and management
- Business Associate Agreements
SOC 2 Type II Certification
AmanahAgent undergoes regular SOC 2 Type II audits by independent third-party auditors to ensure the highest standards of security, availability, and confidentiality.
Trust Service Criteria
- Security: Protection against unauthorized access
- Availability: System operational availability
- Processing Integrity: Complete and accurate processing
- Confidentiality: Protection of confidential information
- Privacy: Collection, use, and disposal of personal information
Audit Coverage
- Infrastructure and system operations
- Software development lifecycle
- Data center security and access controls
- Incident response and monitoring
- Vendor management and due diligence
Additional Compliance Standards
ISO 27001
International standard for information security management systems
PIPEDA
Personal Information Protection and Electronic Documents Act (Canada)
Privacy Act
Australian Privacy Principles compliance
Security Best Practices
API Key Management
✅ Best Practices
- Store API keys in environment variables
- Use different keys for different environments
- Rotate API keys regularly (every 90 days)
- Implement key-specific rate limiting
- Monitor API key usage patterns
- Revoke unused or compromised keys immediately
❌ Avoid These Practices
- Hardcoding API keys in source code
- Sharing API keys via email or chat
- Using the same key across multiple applications
- Storing keys in version control systems
- Using keys without proper access controls
- Ignoring key rotation schedules
Secure Implementation
Environment Variables Example
```
# .env file (never commit to version control)
AMANAHAGENT_API_KEY=your_secure_api_key_here
AMANAHAGENT_WEBHOOK_SECRET=your_webhook_secret_here
```

```javascript
// Use in your application (load the .env file with your preferred loader first)
const client = new AmanahAgent({
  apiKey: process.env.AMANAHAGENT_API_KEY
});
```
Secure Headers Implementation
```javascript
// Node.js/Express example
const express = require('express');
const helmet = require('helmet');
const rateLimit = require('express-rate-limit');

const app = express();

// Security headers
app.use(helmet());

// Rate limiting
const limiter = rateLimit({
  windowMs: 15 * 60 * 1000, // 15 minutes
  max: 100 // limit each IP to 100 requests per windowMs
});
app.use('/api/', limiter);

// API endpoint with authentication
// authenticateUser is your application's own middleware that verifies
// the caller's credentials before the handler runs
app.post('/api/send-message', authenticateUser, (req, res) => {
  // Your secure message sending logic here
});

app.listen(3000);
```
Network Security
TLS Configuration
- Use TLS 1.3, or TLS 1.2 at minimum
- Implement proper certificate validation
- Use HSTS headers for web applications
- Implement certificate pinning where possible
IP Whitelisting
- Restrict API access to known IP ranges
- Use VPN or private networks for sensitive operations
- Implement geolocation-based access controls
- Monitor and log access from new IP addresses
Audit Logs and Monitoring
Comprehensive Logging
AmanahAgent maintains detailed audit logs of all API activities, user actions, and system events to ensure transparency and enable security monitoring.
Event Type | Information Logged | Retention |
---|---|---|
API Requests | Timestamp, IP address, endpoint, response code | 90 days |
Authentication | Login attempts, API key usage, failures | 1 year |
Account Changes | Profile updates, permission changes, deletions | 2 years |
Security Events | Failed authentications, suspicious activities | 2 years |
Real-time Monitoring
Automated Alerts
- Suspicious API usage patterns
- Multiple failed authentication attempts
- Unusual geographic access patterns
- Rate limit violations
- Potential security breaches
Monitoring Dashboard
- Real-time API usage statistics
- Security event timeline
- Access pattern visualization
- Performance metrics
- Compliance status indicators
Audit Log API
Access your audit logs programmatically through our dedicated API endpoint for security monitoring and compliance reporting.
```
GET https://api.amanahagent.cloud/v1/audit-logs
```

Query Parameters:
- start_date: ISO 8601 date (required)
- end_date: ISO 8601 date (required)
- event_type: api_request, authentication, account_change, security_event
- limit: Number of results (max 1000)
- offset: Pagination offset

Example Response:
```json
{
  "logs": [
    {
      "id": "log_abc123",
      "timestamp": "2024-01-15T10:30:00Z",
      "event_type": "api_request",
      "ip_address": "192.168.1.100",
      "endpoint": "/v1/messages",
      "method": "POST",
      "response_code": 200,
      "user_agent": "AmanahAgent SDK v2.1.0"
    }
  ],
  "pagination": {
    "total": 1250,
    "limit": 50,
    "offset": 0
  }
}
```
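An added example (not AmanahAgent's own SDK code) of consuming this endpoint for the monitoring the page describes: paging through results while respecting the 1000-entry limit, then flagging source IPs that repeatedly draw 401 responses within a window. It assumes a caller-supplied async fetchPage(offset, limit) wrapper around the HTTP call returning the documented { logs, pagination } shape; the sample entries are constructed and use only the fields shown in the example response.

```javascript
// Added example (not AmanahAgent's own SDK code). Assumptions, labelled: fetchPage
// is a caller-supplied async wrapper around GET /v1/audit-logs returning the
// documented { logs, pagination } shape; SAMPLE_LOGS below is constructed data.
const MAX_LIMIT = 1000; // documented maximum for the limit parameter
// Walk every page until pagination.total is reached (or a page comes back empty).
async function fetchAllAuditLogs(fetchPage, limit = MAX_LIMIT) {
  const pageSize = Math.min(limit, MAX_LIMIT);
  const all = [];
  let offset = 0;
  for (;;) {
    const page = await fetchPage(offset, pageSize);
    all.push(...page.logs);
    offset += page.logs.length;
    if (page.logs.length === 0 || offset >= page.pagination.total) break;
  }
  return all;
}
// IPs with at least `threshold` 401 responses inside any `windowMs` span (sliding window).
function findRepeatedAuthFailures(logs, { threshold = 5, windowMs = 15 * 60 * 1000 } = {}) {
  const byIp = new Map();
  for (const e of logs) {
    if (e.event_type !== 'api_request' || e.response_code !== 401) continue;
    if (!byIp.has(e.ip_address)) byIp.set(e.ip_address, []);
    byIp.get(e.ip_address).push(Date.parse(e.timestamp));
  }
  const flagged = [];
  for (const [ip, times] of byIp) {
    times.sort((a, b) => a - b);
    let start = 0;
    for (let end = 0; end < times.length; end++) {
      while (times[end] - times[start] > windowMs) start++;
      if (end - start + 1 >= threshold) { flagged.push(ip); break; }
    }
  }
  return flagged;
}
// Constructed sample: six 401s from one IP in ten minutes, two far-apart 401s from another, one 200.
function makeEntry(i, ip, code, minute) {
  return { id: `log_${i}`, timestamp: `2024-01-15T10:${String(minute).padStart(2, '0')}:00Z`,
    event_type: 'api_request', ip_address: ip, endpoint: '/v1/messages', method: 'POST',
    response_code: code, user_agent: 'AmanahAgent SDK v2.1.0' };
}
const SAMPLE_LOGS = [
  ...[0, 2, 4, 6, 8, 10].map((m, i) => makeEntry(i, '203.0.113.7', 401, m)),
  makeEntry(6, '198.51.100.2', 401, 3), makeEntry(7, '198.51.100.2', 401, 50),
  makeEntry(8, '203.0.113.7', 200, 12),
];
// Stand-in for the HTTP call, slicing the sample the way the real endpoint pages.
async function fakeFetchPage(offset, limit) {
  return { logs: SAMPLE_LOGS.slice(offset, offset + limit), pagination: { total: SAMPLE_LOGS.length, limit, offset } };
}
```

In production, replace fakeFetchPage with a function that calls the endpoint with start_date, end_date and event_type set, and feed the flagged IPs into the alerting described under Automated Alerts.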
Vulnerability Management
Security Testing
Continuous Testing
- Daily automated vulnerability scans
- Dependency vulnerability monitoring
- Code security analysis (SAST)
- Dynamic application security testing (DAST)
- Infrastructure penetration testing
External Audits
- Annual third-party security assessments
- Penetration testing by certified professionals
- Bug bounty program with security researchers
- SOC 2 Type II compliance audits
- ISO 27001 certification audits
Incident Response
Security Incident Reporting: If you discover a security vulnerability, please contact us immediately at security@amanahagent.cloud
Response Timeline
Responsible Disclosure
We maintain a responsible disclosure policy for security researchers and the broader security community.
Bug Bounty Program
- Rewards for qualifying security vulnerabilities
- Clear scope and submission guidelines
- Fair evaluation and response process
- Public acknowledgment for researchers
Disclosure Process
- Private reporting channel for vulnerabilities
- 90-day coordinated disclosure timeline
- Regular updates during investigation
- Public security advisories when appropriate
Security Contact and Resources
🔒 Security Team
Email: security@amanahagent.cloud
PGP Key: Download Public Key
Response Time: Within 1 hour for critical issues