Legal & compliance
Security
Last updated: July 2026
How we protect your credentials and customer data.
Token encryption
Meta access tokens (user, Page and WhatsApp tokens) are encrypted at rest using AES-256-GCM with a server-side key (ENCRYPTION_KEY). Tokens are decrypted only in memory at the moment of an API call and are never logged or shown in the UI.
Webhook verification
Inbound webhooks are verified using the Meta app secret via the X-Hub-Signature-256 HMAC over the raw request body. Payloads that fail verification are not processed. The data-deletion callback verifies Meta's signed request the same way.
Access control
- Role-based access control (Owner, Admin, Agent, Viewer) scoped per business.
- All API routes verify business membership before returning data.
- Internal ids and token values are never exposed in the UI.
Auditing & rate limiting
- Audit logs record connect, disconnect, send and delete actions.
- Public webhook and authentication endpoints are rate limited.
- Webhook responses are fast; heavy processing runs in a background worker.
Data hosting
Frontend on Vercel; backend, worker, PostgreSQL and Redis on Railway. Secrets are stored as platform environment variables, never in source control.
Reporting a vulnerability
Please report security issues to support@msgmaven.com. We will acknowledge and investigate promptly.