Data Security Policy
Data Security Policy
Last updated: 2026-07-11
This data security policy applies to the website, products and services offered under the brand WAAPI, operated by WAAPI (“we”, “us”, “our”). By accessing or using our services you agree to this data security policy. If you do not agree, please discontinue use of the services.
1. Our commitment
Protecting customer data is core to the platform. We apply industry-standard technical and organisational measures appropriate to the risk, consistent with the IT Act, 2000 (including the SPDI Rules), the DPDP Act, 2023, and — where applicable — GDPR Article 32.
2. Technical measures
- Encryption in transit (HTTPS/TLS) across all public endpoints.
- Encryption or hashing of sensitive values at rest (passwords are salted-hashed; API tokens and secrets are stored encrypted).
- Strict tenant isolation — every record is scoped to your account and enforced server-side on every request.
- Role-based access control (RBAC) for panel users and API keys with scoped permissions.
- Audit logging of administrative and security-relevant actions.
- Webhook signature verification and rate limiting on public endpoints.
3. Organisational measures
Access to production systems is restricted to authorised personnel on a need-to-know basis. Backups are taken regularly and tested. Vendors and processors are assessed and bound by data-protection terms.
4. Incident response
Suspected security incidents are triaged immediately. Where an incident materially affects your data we will notify you and, where legally required, the relevant authority (including CERT-In reporting obligations in India) without undue delay.
5. Your responsibilities
Use strong, unique passwords, enable available two-factor authentication, protect your API keys, and control your team members’ permissions. Report suspected compromise to us immediately.
Governing law & jurisdiction
This document is governed by the laws of India. For operators in India this includes the Information Technology Act, 2000, the Digital Personal Data Protection Act, 2023 (DPDP Act) and the Consumer Protection Act, 2019. Where we serve customers in other jurisdictions, we honour applicable local requirements including the EU/UK General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) to the extent they apply. Courts at our registered place of business have exclusive jurisdiction, subject to any non-waivable consumer rights in your country of residence.
Contact us
WAAPI is operated by WAAPI. For any questions about this document, contact us:
- Email: support@thewaapi.com