
WABA

This document explains the WhatsApp Business API architecture and security.

Architecture

Unlike typical REST APIs, the WhatsApp (WA) Business API requires the WhatsApp Business API Client to be installed and managed. As an official WhatsApp Business Solutions Provider, we (the Business Solutions Provider) will do this installation, hosting and maintenance for you.

When it is up and running, the WhatsApp Business API client can communicate with WA servers in an end-to-end-encrypted manner and you integrate with this system using our API endpoints.

The WhatsApp Business API Client consists of a set of Docker containers, as well as database and media volumes as shown in the following image.

WhatsApp Business Architecture

Components

A WhatsApp Business API Client consists of the following components shown in the preceding image.

WebApp node

  • Handles authentication and authorization of WhatsApp Business API users.
  • Accepts incoming REST API calls from your business systems and forwards them to the CoreApp node(s).

CoreApp node(s)

  • Receives REST API calls from the WebApp node, and sends the resulting messages to the WhatsApp server.
  • After receiving messages from the WhatsApp server, sends messages to your Webhook server that include the incoming payload from the WhatsApp servers.
  • Downloads and saves media to the media volume.

Database

Stores data for the WhatsApp Business API client, including messages, contacts, configurations etc.

Media volume

Stores uploaded media files used for outgoing media messages / media message templates, as well as the media files from incoming media messages.

WebHook server

  • Receives incoming HTTP messages from the CoreApp nodes.

How it works

Messages are encrypted on the WhatsApp app on a user’s smartphone and stay encrypted through the WhatsApp infrastructure / data centers until they reach our hosted Docker containers (described above). Decryption takes place only in these containers. The Docker containers are installed in a redundant and multi-connect environment.

In the outgoing direction, messages are passed to the WhatsApp Business container, where they are encrypted and dispatched into the WhatsApp infrastructure and finally pushed to the target device, where they are decrypted.

At any given time, you can only have one instance of the WhatsApp Business API Client running for a single phone number.

Security

When using the WhatsApp Business API, we will always have in effect and maintain administrative, physical and technical safeguards that: (a) meet or exceed industry standards, (b) are compliant with applicable Laws (including data security and privacy laws, rules and regulations), and (c) are designed to prevent any unauthorized access, use, processing, storage, destruction, loss, alteration or disclosure of User Data.

We make use of the following security features provided by WhatsApp.

Passwords and Authentication

All requests to the WhatsApp API must be authorized with an API-KEY. Please refer to the API documentation for more information about this topic.

SSL Configuration

Access to the WhatsApp Business API client requires HTTPS. The WhatsApp Business API Client generates a self-signed certificate by default when it is created. Webhooks also require HTTPS for callbacks.

Network Segregation

We host the Webapp and Coreapp nodes in separate, segregated networks, and expose them only to required services.
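As an added illustration of this segregation (not the provider's own deployment file), a Docker Compose layout in which only the WebApp node publishes a port, the CoreApp node sits on the internal network plus a separate egress network for its outbound connections to the WhatsApp servers and your webhook, and the database and media volume are reachable only on an internal network with no external route. Image names, tags and container mount paths are placeholders.

```yaml
# Added example, not the vendor's compose file. IMAGE/TAG and mount
# paths are placeholders; take the real ones from the WhatsApp Business
# API Client release you deploy.
services:
  webapp:
    image: PLACEHOLDER_REGISTRY/waba-webapp:PLACEHOLDER_TAG
    networks: [edge, internal]
    ports:
      - "443:443"             # the only published port: HTTPS REST API
    depends_on: [db, coreapp]

  coreapp:
    image: PLACEHOLDER_REGISTRY/waba-coreapp:PLACEHOLDER_TAG
    networks: [internal, egress]  # reached by webapp; may dial out
    volumes:
      - media:/PLACEHOLDER/media  # incoming and outgoing media files
    depends_on: [db]

  db:
    image: PLACEHOLDER_REGISTRY/waba-db:PLACEHOLDER_TAG
    networks: [internal]          # never on edge or egress
    volumes:
      - dbdata:/PLACEHOLDER/dbdata

networks:
  edge: {}                        # faces your business systems
  internal:
    internal: true                # no route to or from the outside
  egress: {}                      # outbound only: WhatsApp servers, webhook

volumes:
  media: {}
  dbdata: {}
```

Review the published ports and the `internal: true` flag whenever a node is added, since a service placed on `edge` by mistake becomes reachable from outside the deployment.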

Message Encryption

See our WhatsApp Encryption Overview technical whitepaper for more detail.

Data Processing

We act as a data processor on behalf of our Integration Partners, and the Integration Partner acts on behalf of the Businesses using the WhatsApp Business API. We will only process data to and from the WhatsApp Business Solution according to the instructions of Businesses as communicated through the WhatsApp API or by their Integration Partner. By using our services, both Parties commit to their compliance with all applicable privacy laws and regulations.

Integration Partners must sign a Data Processing Agreement which outlines the specifics prior to using our API.

GDPR

The General Data Protection Regulation (GDPR) creates consistent data protection rules across Europe. It applies to companies (regardless of where they are based) who process personal data about individuals in the EU.

Developer Documentation

WhatsApp Business Platform - Documentation - Meta For Developers

FAQ - Facebook for Developers

Security - Facebook for Developers

WhatsApp Security