WhatsApp Business Platform Security
Built for UAE and GCC
UAE data residency, AES-256 encryption, row-level security per tenant, JWT RS256 authentication, and Meta webhook verification. Enterprise-grade security from the first day of your trial.
Security Built Into Every Layer of the Platform.
UAE businesses handling customer data on WhatsApp are responsible for that data under UAE data protection law. A WhatsApp platform that stores your customer conversations, phone numbers, and lead information outside the UAE, without encryption, or without proper access controls is not just a technical risk; it is a legal one.
Zena is built security-first from the ground up. Every layer of the stack has explicit security controls: UAE data residency at the infrastructure level, AES-256 encryption at the data level, row-level security at the database level, JWT RS256 authentication at the API level, and HMAC-SHA256 webhook verification at the integration level. Security is not an add-on. It is the foundation.
Every Security Layer Explained
Eight security controls built into the Zena platform from the infrastructure to the application layer.
UAE Data Residency
All data processed and stored by Zena resides on UAE-region servers. Customer conversations, contact records, lead data, WhatsApp tokens, and API keys never leave the UAE. This satisfies UAE data protection requirements and TDRA regulations for businesses operating in the UAE and GCC.
AES-256-CBC Encryption at Rest
All sensitive data fields are encrypted using AES-256-CBC before being written to the database. This includes WhatsApp Business API tokens, API keys, and any contact PII fields. Encryption keys are stored in environment variables, never in the database, and rotated on any security event. Encrypted data is decrypted only at read time within the application layer.
PostgreSQL Row Level Security
Every database table containing tenant data has PostgreSQL Row Level Security enabled with a tenant isolation policy. Every query is scoped by tenant ID at the database row level. Even if an application-level bug allowed a query to reach the wrong tenant scope, the database layer would block the data access completely. No cross-tenant data leakage is possible at any query level.
JWT RS256 Authentication
All API authentication uses JWT tokens signed with RS256, an asymmetric RSA signature scheme. Access tokens expire after 15 minutes. Refresh tokens are stored in httpOnly cookies only and are never accessible from JavaScript. Tokens are blacklisted on logout via Redis. All sessions are invalidated on password change and on suspicious activity detection.
Redis Rate Limiting and Account Lockout
Every API endpoint is rate limited using Redis for distributed enforcement. Auth routes use strict limits: 5 login attempts per 15 minutes per IP, 3 registration attempts per hour. After 5 failed login attempts, the account is locked with an exponential cooldown timer. IP addresses that hit rate limits repeatedly are flagged and blocked automatically.
Meta Webhook Signature Verification
Every incoming webhook request from Meta is verified using X-Hub-Signature-256 with HMAC-SHA256. The raw request body is compared against the signature using a timing-safe comparison before any processing begins. Any request that fails verification is rejected with a 403 response and logged immediately. No unverified webhook data is ever processed.
CSRF Double-Submit Cookie Protection
All state-changing requests from the Zena dashboard use CSRF double-submit cookie protection. The server sets a CSRF token in a cookie on page load. The client sends the token in a custom header on every POST, PUT, and DELETE request. The server validates the header matches the cookie before processing. Requests without a valid CSRF token are rejected.
Audit Logs on Business Plans
Business plans include a complete, tamper-proof audit log of every action taken inside the platform: who sent which message, who updated which contact, who changed which setting, and when. Audit log entries cannot be edited or deleted. The log is available as a filtered view in the admin dashboard and as a CSV export for compliance reporting.
Built for UAE and GCC Regulatory Requirements
Security controls designed around the regulations UAE businesses operate under.
UAE Data Protection Law
All customer data is stored within the UAE. No data crosses international borders. The platform is designed to support UAE businesses in meeting their obligations under Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data.
Official Meta BSP
Fictoralabs is an official Meta Business Solution Partner. Zena is fully compliant with Meta WhatsApp Business API policies, terms of service, and messaging quality requirements. Your WhatsApp account is protected by Meta platform guarantees.
Operational Security
Parameterised queries prevent SQL injection at every database call. Input validation rejects unexpected fields on every API endpoint. Maximum request body sizes are enforced. Internal services are isolated from public network access via Docker internal networking.
Security Runs Across Every Feature.
Every feature in Zena inherits the security controls of the platform. There is no unsecured pathway to any data.
WhatsApp Team Inbox
Every message in the inbox is scoped to your tenant via RLS. Collision detection and agent assignment are enforced at the application and database level simultaneously.
Bilingual AI Chatbot
Your OpenAI and Gemini API keys are encrypted with AES-256 before storage and decrypted only at request time. They are never exposed in API responses or dashboard interfaces.
AI Lead Capture
All captured lead data is encrypted at rest and scoped to your tenant via RLS. No lead from your account is ever accessible from any other tenant account at any layer.
Chatflow Builder
Loop prevention stops runaway chatflows at 50 visits per node and 500 total steps. Per-node execution logs are stored securely and scoped to your tenant only.
Bulk Broadcasting
Broadcast audience data is encrypted at rest and scoped to your tenant. Campaign sends go through Meta official API only. No bulk message bypass of Meta policy is possible.
CRM and Contacts
All contact PII is encrypted at rest. CSV exports are access-controlled by role. Deleted contacts follow a soft-delete pattern with a 30-day retention before hard deletion.
Message Templates
Template submission to Meta goes via official API only. Template content is stored encrypted. Rejected templates and rejection reasons are logged and scoped to your tenant.
Team Management
Role-based access control is enforced at both the application and database layer. The RLS policy uses the tenant ID and user role from the authenticated session on every query.
Analytics
All analytics queries are scoped to your tenant via RLS. No analytics data from any other tenant is ever reachable from your dashboard at any query level.
Integrations and API
All API keys are encrypted with AES-256. Outbound webhooks are signed with HMAC-SHA256. Every API call is authenticated and tenant-scoped. Cross-tenant API access is impossible.
Number Management
WhatsApp API tokens for every connected number are encrypted with AES-256 before storage. Tokens are never exposed in the dashboard, in API responses, or in logs.
Owner AI Companions
Companion conversation history is stored in Redis with a 24-hour TTL and scoped to the owner's personal number only. No team member can access companion conversations.
Platform Security: Common Questions
Where is Zena data stored?
How is customer data encrypted?
Can one tenant ever access another tenant's data?
How are WhatsApp webhooks verified?
Full Security on Every Plan. Audit Logs from Business.
UAE data residency, AES-256 encryption, RLS, JWT RS256, and webhook verification are included on every Zena plan from Starter. Audit logs are available on Business plans only.