Security

Built Secure.

GlobVoice protects your data with EU-hosted infrastructure, AES-256-GCM at rest, TLS 1.3 in transit, passkey authentication, tenant-isolated databases and HMAC-signed webhooks. This page summarises our security posture and how to report a vulnerability.

CIN: U80900AS2019PTC019435 · Last updated: May 2026

Security is fundamental to GlobVoice. We handle business-critical WhatsApp messaging data on behalf of Indian businesses; losing, leaking or corrupting that data is unacceptable. This page describes the controls we apply at the platform, application and operational layers.

Where this page references implementation specifics, those details are accurate as of the “Last updated” date. Implementation may evolve; the overall protections described will not be weakened without notice.

1. Infrastructure security

  • Hosting: all GlobVoice application servers, databases (PostgreSQL 16), queues (Redis 7) and object storage are hosted on Hetzner Online GmbH, a Tier III certified European cloud and dedicated-server provider.
  • Data residency: primary data centres are located in Germany (Falkenstein and Nuremberg) within the European Union, with EU data-protection standards applying to physical and operational security.
  • Certifications: Hetzner is ISO 27001 certified and operates under the GDPR.
  • Backups: encrypted database snapshots are taken automatically and retained for up to 35 days; backup storage is segregated from the live database.
  • Patching: base operating systems and runtime dependencies are kept current via routine security updates; critical CVEs are patched on an emergency basis.

2. Encryption

2.1 At rest

  • AES-256-GCM authenticated encryption is applied to all sensitive credentials and secrets stored in our application database, including Meta access tokens, two-factor authentication (TOTP) secrets, and other vault-protected fields.
  • Key derivation: the master encryption key is derived from a high-entropy MASTER_KEK using the scrypt key-derivation function with a versioned salt, providing protection against rainbow-table and brute-force attacks even if the database were compromised in isolation.
  • Triple-field storage: each encrypted field is stored as three components - ciphertext, 12-byte initialization vector and 16-byte authentication tag - so that tampering is detected on decryption and keys can be rotated safely in the future.
  • Disk encryption: Hetzner-managed volumes hosting our database are protected at the storage layer with full-disk encryption.

2.2 In transit

  • All traffic between you and GlobVoice is served exclusively over HTTPS with TLS 1.3 using modern cipher suites.
  • Internal communication between application servers, the database, the queue and the worker uses TLS or is bound to a private network within the data centre.
  • We enforce Strict-Transport-Security, modern cookie attributes (HttpOnly, Secure, SameSite=Lax) and modern security headers.

3. Authentication

  • Passkeys / WebAuthn: the primary GlobVoice authentication mechanism is FIDO2/WebAuthn passkeys, which are resistant to phishing, replay and credential stuffing attacks. Your private key never leaves your device.
  • Google OAuth: federated sign-in via Google is supported. Authentication is delegated to Google; no Google account password is ever sent to or stored by GlobVoice.
  • No password storage: we do not implement a traditional password flow and do not store any user passwords, hashed or otherwise.
  • Sessions: server-side sessions are bound to a short-lived HttpOnly + Secure + SameSite=Lax cookie. Sessions can be revoked instantly from the dashboard.
  • Two-factor authentication: TOTP-based 2FA secrets are encrypted using the AES-256-GCM vault described in Section 2.

4. WhatsApp token security

Each Customer's Meta WhatsApp Business Account is accessed using an access token. These tokens are highly sensitive - they grant the holder the ability to send messages on the Customer's behalf - and we treat them accordingly:

  • Encryption: Meta access tokens are encrypted with AES-256-GCM at the moment of receipt and stored only in encrypted form (metaAccessTokenEnc + IV + auth tag).
  • Key derivation: the encryption key is derived from MASTER_KEK using scrypt with a versioned salt, isolating compromise of the database from compromise of the decryption key.
  • Just-in-time decryption: tokens are decrypted only inside the worker process at the moment a message is being dispatched to Meta; plaintext is never written to disk or logs.
  • Rotation: tokens can be rotated by re-connecting your WABA from the dashboard; we encourage rotation if a token is suspected to be compromised.

5. API security

  • API keys: programmatic API keys are issued per workspace. Only a SHA-256 hash of each key is stored in our database; the raw key is shown to you once at creation time and cannot be recovered if lost.
  • Rate limiting: all API endpoints are subject to per-tenant, per-IP and per-key rate limits enforced in the edge layer. Abusive clients are throttled and, where necessary, blocked.
  • Quota enforcement: outbound sends are gated by atomic Redis-Lua quota counters per sender, per second and per day. Quota cannot be bypassed by parallel clients.
  • Webhook signature verification: incoming webhooks from Meta are validated using HMAC-SHA256 over the raw request body before any business logic runs. Outgoing webhooks to Customer-configured destinations are signed using a shared secret so Customers can verify authenticity on their side.
  • Idempotency: message sends accept an idempotency key; replays are deduplicated in Redis to prevent accidental double-charging by either GlobVoice or Meta.
  • Tenant isolation: the application database enforces Postgres row-level security policies based on a per-request tenant identifier carried in the connection's local settings, so a misconfigured application query cannot return another tenant's data.

6. Network security

  • Reverse proxy: all public traffic terminates at an nginx reverse proxy that applies TLS termination, request-size limits, basic anti-abuse rules and security headers before traffic reaches the application.
  • Same-domain cookies: session and CSRF cookies are scoped to the application domain only, with SameSite=Lax to mitigate CSRF in cross-site navigation flows.
  • CSRF protection: state-changing endpoints require a server-issued CSRF token and validate the origin header.
  • CORS: the API enforces a strict allow-list of origins.
  • Firewall: Hetzner network ACLs restrict database and Redis ports to internal traffic only.

7. Meta verified - official Cloud API

GlobVoice is built on the official Meta Cloud API for WhatsApp Business. We are not a grey-market unofficial scraper, browser-automation provider or modded-client reseller, and we do not provide access through unauthorised channels.

Customers therefore benefit from official Meta protections:

  • A genuine WhatsApp Business Account, with no risk of unilateral phone bans for using unofficial software.
  • Verified green-tick eligibility for qualifying businesses, subject to Meta's approval.
  • Native end-to-end transport security between sender, Meta and recipient.
  • Official template-approval flow and conversation-based pricing.

8. Compliance

  • Information Technology Act, 2000 - including the “reasonable security practices and procedures” required under Section 43A and the Sensitive Personal Data or Information Rules, 2011.
  • Digital Personal Data Protection Act, 2023 - see our DPDP Compliance Notice.
  • GDPR awareness - our hosting provider is GDPR compliant, our processing agreements include EU Standard Contractual Clauses where required, and we adopt GDPR-equivalent practices for security and breach handling.
  • Meta Platform Terms & WhatsApp Business Messaging Policy - GlobVoice operates as an authorised tech provider and complies with Meta's policies for the WhatsApp Business Cloud API.
  • PCI DSS scope reduction: we do not store cardholder data. All payments are tokenised through Razorpay, which is PCI DSS compliant.

9. Responsible disclosure

If you believe you have found a security vulnerability in GlobVoice, we want to hear from you. We pledge to investigate promptly, to keep you informed of progress, and not to pursue legal action against researchers who:

  • act in good faith and avoid privacy violations, destruction of data and interruption or degradation of the Service;
  • do not exploit a vulnerability beyond what is strictly necessary to demonstrate it;
  • give us reasonable time to remediate before public disclosure;
  • do not attempt social engineering, denial-of-service or physical attacks against our staff or infrastructure.

Please report vulnerabilities to security@globvoice.com. Include a clear technical description, steps to reproduce, the potential impact and any proof-of-concept material. We acknowledge reports within 3 business days. Critical-severity issues are typically remediated within 7 days.

Entity: WENSLink Private Limited
Brand: GlobVoice
CIN: U80900AS2019PTC019435
Founder: Ataur Rahman
Operations: L24 A South Ex, Delhi - 110049
Registered: Maa Commercial Complex, NH-15, Bechimari, Darrang, Assam, PIN - 784514
Jurisdiction: Mangaldoi District Court, Darrang District, Assam