This document overviews the WhatsApp Business API architecture and security features.
Unlike traditional REST APIs, the WhatsApp Business API requires installing and managing a WhatsApp Business API Client. As an official WhatsApp Business Solutions Provider, Verloop.io installs, hosts, and maintains the WhatsApp Business API Client on behalf of its clients.
The WhatsApp Business API Client communicates with WhatsApp servers in an end-to-end-encrypted manner, and Verloop.io’s API endpoints integrate with this system. The WhatsApp Business API Client comprises a set of Docker containers, a database, and media volumes, as depicted in the image below:
A WhatsApp Business API Client comprises the following factors:
WebApp node: handles the authentication and authorization of WhatsApp Business API users and accepts incoming REST API calls from clients’ business systems, forwarding them to the
CoreApp node(s): receive REST API calls from the WebApp node and send messages to the WhatsApp server. After receiving messages from the WhatsApp server, CoreApp node(s) send messages to the client’s webhook server, including the incoming payload from WhatsApp servers. They also download and save media to the media volume.
Database: stores data for the WhatsApp Business API client, including messages, contacts, configurations, and more.
Media volume: stores uploaded media files used for outgoing media messages/media message templates and media files from incoming media messages.
Webhook server: receives incoming HTTP messages from the CoreApp nodes
After a successful setup, clients receive an API key and can start integrating with the WhatsApp Business API through common REST APIs via HTTPS and receiving incoming messages using webhooks.
How It Works
Messages are encrypted between the WhatsApp app on a user’s smartphone through the WhatsApp infrastructure/data centres until they reach our hosted Docker containers (described above). Decryption takes place only within these containers. The Docker containers are installed in a redundant and multi-connect environment. After sending, the messages are processed to the WhatsApp Business container, where they are encrypted and dispatched into the WhatsApp infrastructure and finally pushed to the targeted device, where they are decrypted. Only one instance of the WhatsApp Business API Client can run for a single phone number at anytime.
When using the WhatsApp Business API, we maintain administrative, physical, and technical safeguards that meet or exceed industry standards, comply with applicable laws (including data security and privacy laws, rules, and regulations), and prevent any unauthorized access, use, processing, storage, destruction, loss, alteration, or disclosure of User Data. We use safety features provided by WhatsApp, such as passwords and authentication, SSL configuration, network segregation, message encryption, and more.
Verloop.io acts as a data processor on behalf of its Integration Partners and the Integration Partner on behalf of the businesses using the WhatsApp Business API. We process data to and from the WhatsApp Business Solution only according to the instructions of businesses communicated through WhatsApp API or by their Integration Partner.
By using Verloop.io’s services, both parties commit to their compliance with all applicable privacy laws and regulations. Integration Partners must sign a Data Processing Agreement that outlines the specifics before using the API.
The General Data Protection Regulation (GDPR) creates consistent data protection rules across Europe. It applies to companies (regardless of where they are based) that process personal data about individuals in the EU. we ensure compliance with GDPR regulations for businesses using the WhatsApp Business API.
We offer a secure and comprehensive WhatsApp Business API solution that includes installing, hosting, and maintaining the WhatsApp Business API Client. The API integrates seamlessly with businesses’ systems and ensures compliance with applicable privacy laws and regulations.
Please contact us at firstname.lastname@example.org for any specific inquiries regarding our Data Processing Policies or GDPR.