Security
May 27, 2026
1. Our security posture
The security of our customers' data is a core responsibility at Oryn Labs LLC. We take a defense-in-depth approach: multiple layers of technical, organizational, and process controls to protect the Wazap platform.
2. Infrastructure and technical controls
- Encryption in transit: all communication uses TLS 1.2+ with automatically managed certificates.
- Encryption at rest: PostgreSQL database with disk encryption enabled at the cloud provider level.
- Authentication: passwords stored with bcrypt (cost factor ≥ 12). Session tokens generated with cryptographic entropy.
- Access control: RBAC (role-based access control) multi-tenant model — each company's data is isolated by tenant context.
- Protection against common attacks: IP-based rate limiting, CSRF protection, input sanitization via VineJS, HTTP security headers.
- Monitoring: access logs, anomaly detection, and real-time alerts for suspicious activity.
3. Meta (WhatsApp) integration
The platform consumes Meta's WhatsApp Cloud API. Access tokens are stored encrypted and never exposed on the frontend. Webhooks are verified via HMAC-SHA256 signature before processing.
4. Responsible disclosure
If you discover a security vulnerability in Wazap, we ask that you follow responsible disclosure practices:
- Do not exploit the vulnerability beyond what is necessary to demonstrate its existence.
- Do not access, modify, or delete other users' data.
- Do not perform denial-of-service attacks (DoS/DDoS).
- Report immediately by email before any public disclosure.
We respond to all reports within 48 hours and work to fix valid vulnerabilities as quickly as possible. Researchers acting in good faith will receive public credit (if desired).
5. Report a vulnerability
Send your report confidentially to:
[email protected]
Include a detailed description, steps to reproduce, estimated impact, and a proof of concept if possible.
6. General security contact
For security matters that are not vulnerabilities (e.g., compliance questions, unauthorized account access):
[email protected]