Skip to content

Trust center

Security & trust at InfiQ

Businesses route real revenue through this platform, so security is treated as part of the product — not a page. Here is exactly how InfiQ protects your data, controls access and stays inside Meta's official WhatsApp infrastructure.

TLS 1.2+ / AES-256Tamper-evident audit logsOfficial WhatsApp Business API

Data protection

Encrypted in transit and at rest

Your messages and contact records are encrypted on the wire and on disk, and we keep only what running your messaging needs.

Encryption in transit

Every request to InfiQ travels over TLS 1.2 or higher. Messages, contact records and media are encrypted on the wire between your browser, our API and Meta's WhatsApp Cloud API.

Encryption at rest

Stored data — message content, contact lists, template history and media — is encrypted at rest with AES-256, so a copy of the disk is not a copy of your data.

Data minimisation

We collect and retain what running your messaging needs, and no more. Retention follows your plan and instructions rather than living indefinitely on employees' phones.

Access control

Least privilege, everywhere

Scoped keys, rotation, network restrictions and role-based access mean each person and integration can do exactly what it should — and nothing more.

Scoped API keys

Each key is limited to exactly the scopes an integration needs — read, send, admin — so a leaked key can never do more than its purpose.

Key rotation

Rotate keys without downtime. Issue a replacement, migrate traffic, then revoke the old key — no window where your integrations go dark.

IP allowlists

Restrict API access to known networks, so calls to your account are rejected at the edge unless they originate from an address you trust.

Role-based access

Team members get roles that fit their job. In the shared inbox, per-agent scopes mean each person sees only the conversations they need to.

2FA on the WhatsApp Business Account

Two-step verification on your WhatsApp Business Account adds a PIN barrier to number registration and account changes.

Least privilege by default

New keys and new members start narrow. Access is granted deliberately and logged, not handed out broadly and trimmed later.

Auditability

Logs you can prove weren't edited

Every administrative action, template change, data export and key event lands in an audit log — and each entry is hash-chained to the one before it. Tamper with a record and the chain breaks, so the history is tamper-evident, not merely tamper-discouraged.

When a customer complaint, a regulator's question or an internal review lands, you can answer “who did what, when” precisely — and export the evidence without engineering help. The same audit trail powers the developer platform's request logs.

What is logged
Sends, edits, exports, key issuance and rotation, member and role changes, and template submissions.
How it is protected
Each entry is hash-chained to its predecessor, so any alteration is detectable after the fact.
Who can read it
Admins with the audit scope, in the dashboard and via the API — and it is exportable for reviews.

Platform & Meta compliance

Official infrastructure, official rules

InfiQ runs on the official WhatsApp Business API as a Meta Business Partner, and Meta's platform policy is enforced inside the product.

Official WhatsApp Business API

InfiQ is a Meta Business Partner with direct access to the WhatsApp Cloud API — no unofficial gateways or grey-market tools between your messages and the network.

Meta platform policy adherence

Template review, commerce policy checks and opt-in management are built into the product, so staying inside WhatsApp's rules is the default path, not an afterthought.

Quality and account protection

Because you run on official infrastructure, there is no risk of a number ban for using unauthorised software — and clear guidance keeps quality ratings and messaging limits healthy.

Privacy & regulatory alignment

Aligned with DPDP and GDPR principles

Our practices are aligned with the principles of India's Digital Personal Data Protection (DPDP) Act and the GDPR: purpose limitation, data minimisation, deletion on request, and no resale of customer data. Your contact data is yours — you can export or delete it, and we never sell it.

This is alignment with well-established principles, not a claim of formal certification.

PrincipleHow InfiQ applies it
Purpose limitationData is used to run your messaging, not repurposed or resold.
Data minimisationWe collect and retain what is needed, for as long as your plan defines.
Right to deletionExport or delete your contact data on request.
Security of processingEncryption in transit and at rest, scoped access and audit logs.
Consent & opt-outOpt-in records and platform-level opt-out enforcement are built in.

Responsible disclosure

Found something? Tell us first

We welcome good-faith security research. Report privately, give us time to fix, and we won't come after you.

Read the policy

Our security contact and policy are published at /.well-known/security.txt per RFC 9116, so researchers can find the right channel without guessing.

Report privately

Email support@infiq.in with steps to reproduce, affected endpoints and any proof of concept. Please give us reasonable time to investigate before public disclosure.

Act in good faith

Avoid privacy violations, data destruction and service disruption. Testing that respects those limits is welcome; we will not pursue good-faith research.

Report vulnerabilities to support@infiq.in or start from our published security.txt (RFC 9116).

Certifications & roadmap

What we claim, and what's ahead

We will only ever tell you about controls that genuinely exist. Today that means encryption in transit and at rest, scoped and rotatable API keys, IP allowlists, role-based access, tamper-evident hash-chained audit logs, and practices aligned with the DPDP Act and GDPR principles.

Formal certifications such as ISO 27001 and SOC 2 are being evaluated as the platform matures. We do not hold them today, and we will not imply otherwise. When any certification is achieved, it will be stated here plainly.

Honest by default. No badge on this page represents a certification InfiQ does not currently hold. Read more about how we operate on our about page.

FAQ

Security questions, answered

Where is InfiQ data stored?

InfiQ runs cloud-native infrastructure with data encrypted in transit (TLS 1.2+) and at rest (AES-256). Retention follows your plan and instructions, and your contact data is exportable and deletable on request. For specific data-residency requirements, contact us before onboarding at support@infiq.in.

Is InfiQ an official WhatsApp provider?

Yes. InfiQ is a Meta Business Partner with direct access to the official WhatsApp Business API (WhatsApp Cloud API). Your account runs on official infrastructure — there are no unofficial gateways and no risk of a ban for using unauthorised tools.

How do I report a security vulnerability?

Email support@infiq.in with steps to reproduce and affected endpoints, or start from our published /.well-known/security.txt. Please report privately and give us reasonable time to investigate before any public disclosure. We do not pursue good-faith researchers.

Does InfiQ hold ISO 27001 or SOC 2 certification?

Not today. We build to those principles — encryption, scoped access, tamper-evident audit logs and least privilege — and formal certifications such as ISO 27001 and SOC 2 are being evaluated as the platform matures. We will state clearly when any certification is achieved, and never claim one we do not hold.

Is InfiQ aligned with the DPDP Act and GDPR?

Our practices are aligned with the principles of India's DPDP Act and the GDPR: purpose limitation, data minimisation, deletion on request and no resale of customer data. See our compliance hub and privacy policy for detail. This is alignment with principles, not a claim of formal certification.

Talk to InfiQ

See what WhatsApp can do for your business

Tell us your volume — we map templates, estimate cost, and get you a sandbox in about 2 hours.

Step 1 of 2
WhatsApp

Protected by invisible spam checks · replies within 1 working day

Meta Business Partner

Security you can verify, not just trust.

Encryption, scoped access and tamper-evident audit logs ship with every InfiQ plan — start a 7-day free trial, no card required.

7-day free trial Enterprise-grade reliability Live in 2 hours Built for Indian businesses