Data Security Policy

Data Security Policy

Last updated: 2026-07-11

This data security policy applies to the website, products and services offered under the brand WAAPI, operated by WAAPI (“we”, “us”, “our”). By accessing or using our services you agree to this data security policy. If you do not agree, please discontinue use of the services.

1. Our commitment

Protecting customer data is core to the platform. We apply industry-standard technical and organisational measures appropriate to the risk, consistent with the IT Act, 2000 (including the SPDI Rules), the DPDP Act, 2023, and — where applicable — GDPR Article 32.

2. Technical measures

  • Encryption in transit (HTTPS/TLS) across all public endpoints.
  • Encryption or hashing of sensitive values at rest (passwords are salted-hashed; API tokens and secrets are stored encrypted).
  • Strict tenant isolation — every record is scoped to your account and enforced server-side on every request.
  • Role-based access control (RBAC) for panel users and API keys with scoped permissions.
  • Audit logging of administrative and security-relevant actions.
  • Webhook signature verification and rate limiting on public endpoints.

3. Organisational measures

Access to production systems is restricted to authorised personnel on a need-to-know basis. Backups are taken regularly and tested. Vendors and processors are assessed and bound by data-protection terms.

4. Incident response

Suspected security incidents are triaged immediately. Where an incident materially affects your data we will notify you and, where legally required, the relevant authority (including CERT-In reporting obligations in India) without undue delay.

5. Your responsibilities

Use strong, unique passwords, enable available two-factor authentication, protect your API keys, and control your team members’ permissions. Report suspected compromise to us immediately.

Governing law & jurisdiction

This document is governed by the laws of India. For operators in India this includes the Information Technology Act, 2000, the Digital Personal Data Protection Act, 2023 (DPDP Act) and the Consumer Protection Act, 2019. Where we serve customers in other jurisdictions, we honour applicable local requirements including the EU/UK General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) to the extent they apply. Courts at our registered place of business have exclusive jurisdiction, subject to any non-waivable consumer rights in your country of residence.

Contact us

WAAPI is operated by WAAPI. For any questions about this document, contact us: