Trust center
Security & trust at InfiQ
Businesses route real revenue through this platform, so security is treated as part of the product — not a page. Here is exactly how InfiQ protects your data, controls access and stays inside Meta's official WhatsApp infrastructure.
Data protection
Encrypted in transit and at rest
Your messages and contact records are encrypted on the wire and on disk, and we keep only what running your messaging needs.
Encryption in transit
Every request to InfiQ travels over TLS 1.2 or higher. Messages, contact records and media are encrypted on the wire between your browser, our API and Meta's WhatsApp Cloud API.
Encryption at rest
Stored data — message content, contact lists, template history and media — is encrypted at rest with AES-256, so a copy of the disk is not a copy of your data.
Data minimisation
We collect and retain what running your messaging needs, and no more. Retention follows your plan and instructions rather than living indefinitely on employees' phones.
Access control
Least privilege, everywhere
Scoped keys, rotation, network restrictions and role-based access mean each person and integration can do exactly what it should — and nothing more.
Scoped API keys
Each key is limited to exactly the scopes an integration needs — read, send, admin — so a leaked key can never do more than its purpose.
Key rotation
Rotate keys without downtime. Issue a replacement, migrate traffic, then revoke the old key — no window where your integrations go dark.
IP allowlists
Restrict API access to known networks, so calls to your account are rejected at the edge unless they originate from an address you trust.
Role-based access
Team members get roles that fit their job. In the shared inbox, per-agent scopes mean each person sees only the conversations they need to.
2FA on the WhatsApp Business Account
Two-step verification on your WhatsApp Business Account adds a PIN barrier to number registration and account changes.
Least privilege by default
New keys and new members start narrow. Access is granted deliberately and logged, not handed out broadly and trimmed later.
Auditability
Logs you can prove weren't edited
Every administrative action, template change, data export and key event lands in an audit log — and each entry is hash-chained to the one before it. Tamper with a record and the chain breaks, so the history is tamper-evident, not merely tamper-discouraged.
When a customer complaint, a regulator's question or an internal review lands, you can answer “who did what, when” precisely — and export the evidence without engineering help. The same audit trail powers the developer platform's request logs.
- What is logged
- Sends, edits, exports, key issuance and rotation, member and role changes, and template submissions.
- How it is protected
- Each entry is hash-chained to its predecessor, so any alteration is detectable after the fact.
- Who can read it
- Admins with the audit scope, in the dashboard and via the API — and it is exportable for reviews.
Platform & Meta compliance
Official infrastructure, official rules
InfiQ runs on the official WhatsApp Business API as a Meta Business Partner, and Meta's platform policy is enforced inside the product.
Official WhatsApp Business API
InfiQ is a Meta Business Partner with direct access to the WhatsApp Cloud API — no unofficial gateways or grey-market tools between your messages and the network.
Meta platform policy adherence
Template review, commerce policy checks and opt-in management are built into the product, so staying inside WhatsApp's rules is the default path, not an afterthought.
Quality and account protection
Because you run on official infrastructure, there is no risk of a number ban for using unauthorised software — and clear guidance keeps quality ratings and messaging limits healthy.
Privacy & regulatory alignment
Aligned with DPDP and GDPR principles
Our practices are aligned with the principles of India's Digital Personal Data Protection (DPDP) Act and the GDPR: purpose limitation, data minimisation, deletion on request, and no resale of customer data. Your contact data is yours — you can export or delete it, and we never sell it.
This is alignment with well-established principles, not a claim of formal certification.
| Principle | How InfiQ applies it |
|---|---|
| Purpose limitation | Data is used to run your messaging, not repurposed or resold. |
| Data minimisation | We collect and retain what is needed, for as long as your plan defines. |
| Right to deletion | Export or delete your contact data on request. |
| Security of processing | Encryption in transit and at rest, scoped access and audit logs. |
| Consent & opt-out | Opt-in records and platform-level opt-out enforcement are built in. |
Responsible disclosure
Found something? Tell us first
We welcome good-faith security research. Report privately, give us time to fix, and we won't come after you.
Read the policy
Our security contact and policy are published at /.well-known/security.txt per RFC 9116, so researchers can find the right channel without guessing.
Report privately
Email support@infiq.in with steps to reproduce, affected endpoints and any proof of concept. Please give us reasonable time to investigate before public disclosure.
Act in good faith
Avoid privacy violations, data destruction and service disruption. Testing that respects those limits is welcome; we will not pursue good-faith research.
Report vulnerabilities to support@infiq.in or start from our published security.txt (RFC 9116).
Certifications & roadmap
What we claim, and what's ahead
We will only ever tell you about controls that genuinely exist. Today that means encryption in transit and at rest, scoped and rotatable API keys, IP allowlists, role-based access, tamper-evident hash-chained audit logs, and practices aligned with the DPDP Act and GDPR principles.
Formal certifications such as ISO 27001 and SOC 2 are being evaluated as the platform matures. We do not hold them today, and we will not imply otherwise. When any certification is achieved, it will be stated here plainly.
Honest by default. No badge on this page represents a certification InfiQ does not currently hold. Read more about how we operate on our about page.
FAQ
Security questions, answered
Where is InfiQ data stored?
InfiQ runs cloud-native infrastructure with data encrypted in transit (TLS 1.2+) and at rest (AES-256). Retention follows your plan and instructions, and your contact data is exportable and deletable on request. For specific data-residency requirements, contact us before onboarding at support@infiq.in.
Is InfiQ an official WhatsApp provider?
Yes. InfiQ is a Meta Business Partner with direct access to the official WhatsApp Business API (WhatsApp Cloud API). Your account runs on official infrastructure — there are no unofficial gateways and no risk of a ban for using unauthorised tools.
How do I report a security vulnerability?
Email support@infiq.in with steps to reproduce and affected endpoints, or start from our published /.well-known/security.txt. Please report privately and give us reasonable time to investigate before any public disclosure. We do not pursue good-faith researchers.
Does InfiQ hold ISO 27001 or SOC 2 certification?
Not today. We build to those principles — encryption, scoped access, tamper-evident audit logs and least privilege — and formal certifications such as ISO 27001 and SOC 2 are being evaluated as the platform matures. We will state clearly when any certification is achieved, and never claim one we do not hold.
Is InfiQ aligned with the DPDP Act and GDPR?
Our practices are aligned with the principles of India's DPDP Act and the GDPR: purpose limitation, data minimisation, deletion on request and no resale of customer data. See our compliance hub and privacy policy for detail. This is alignment with principles, not a claim of formal certification.
Security you can verify, not just trust.
Encryption, scoped access and tamper-evident audit logs ship with every InfiQ plan — start a 7-day free trial, no card required.
