Is Go4whatsup SOC 2 certified?

SOC 2 Type II is in progress — controls implemented, observation window underway with Schellman, Type II report expected Q4 2026. The SOC 2 readiness memo and Type I report are available under NDA today.

Is Go4whatsup GDPR compliant?

Yes. We offer a GDPR-compliant DPA with Standard Contractual Clauses, EU data residency in Frankfurt, a registered DPO, and Article 28 processor terms signable by your legal counsel without negotiation.

Does Go4whatsup sign BAAs for HIPAA?

No. We do not sign Business Associate Agreements today. If you're a US healthcare covered entity with PHI in WhatsApp conversations, we are not the right BSP for you. We'd rather say so up front than sign a BAA we can't honour.

Where is my data stored?

You pick your region at onboarding: EU (Frankfurt), India (Mumbai), or UAE (Dubai). Message archives, customer records, and media files stay in your chosen region. No cross-region copies.

What is the uptime SLA?

99.9% monthly uptime measured at the API gateway. If we miss it, service credits apply automatically: 10% for <99.9%, 25% for <99.0%, 50% for <95.0%. No ticket required.

How fast is the breach notification?

24 hours from confirmed detection to your designated security contact, tighter than GDPR's 72-hour floor. Written notice includes scope, impact, root cause, and remediation steps.

Can I get the full penetration test report?

Yes, under NDA. Our most recent third-party CREST-certified penetration test was completed 2026-02. Email legal@go4whatsup.com to request the report and the SOC 2 readiness memo.

Trust Center — Security, Compliance, Uptime & Certifications

Q: How fast is the breach notification?

24 hours from confirmed detection to your designated security contact, tighter than GDPR's 72-hour floor. Written notice includes scope, impact, root cause, and remediation steps.

Q: Can I get the full penetration test report?

Yes, under NDA. Our most recent third-party CREST-certified penetration test was completed 2026-02. Email legal@go4whatsup.com to request the report and the SOC 2 readiness memo.

Security

AES-256 encryption at rest, TLS 1.3 in transit, SSO/SAML, audit logs, IP allow-listing, RBAC.

See controls →

Compliance

GDPR, AVG, DPDP, UAE PDPL aligned. SOC 2 Type II in progress. ISO 27001 controls implemented.

See certifications →

Reliability & uptime

99.9% SLA. Public status page with 90-day bar history. Dual-region message delivery.

See uptime →

Data residency

EU (Frankfurt), India (Mumbai), UAE (Dubai) regions. Pick where your data lives. No cross-region copies.

See regions →

Meta Business Partner

Direct Meta Cloud API access. No unofficial API. Green Tick submission support included.

See partnership →

Legal & insurance

Signable DPA, standard contractual clauses, sub-processor register, and $5M cyber insurance policy.

See legal docs →

01 — Security

Controls your InfoSec team can verify.

We ship the controls enterprise buyers test on every RFP. Full penetration test report and SOC 2 readiness memo available under NDA.

AES-256 encryption at rest live Customer data, message archives, media files. Keys rotated quarterly via AWS KMS.
TLS 1.3 in transit live All API, webhook, and dashboard traffic. Qualys SSL Labs A+ grade. HSTS preload.
SSO / SAML 2.0 live Okta, Azure AD, Google Workspace, OneLogin. SCIM user provisioning for enterprise plans.
Role-based access control (RBAC) live Granular permissions per inbox, broadcast, template, integration. Agent / Manager / Admin / Owner roles plus custom.
Audit logs (exportable) live Every action stamped with user, IP, timestamp, target. Exportable as CSV / JSON for your SIEM. 12-month retention.
IP allow-listing live Restrict dashboard and API access to specific CIDR ranges. Per-environment (prod / staging) rules.
Annual penetration testing live Third-party CREST-certified firm. Most recent report signed 2026-02. Remediation SLA: critical = 72 hrs.
Secure SDLC live Mandatory code review, SAST (Semgrep), dependency scanning (Dependabot), secrets scanning pre-commit.
24-hour breach notification SLA live Written notice to your designated security contact within 24 hours of confirmed detection. Tighter than GDPR's 72-hour floor.

02 — Compliance

Certifications & regulatory alignment.

We publish what we have and what's in flight. No “certified by interpretation” wording. If your jurisdiction needs something not on this list, ask sales — we'll say yes or no directly.

GDPR · EU Data Processing Addendum (DPA), SCCs, EU data residency option (Frankfurt), DPO on record. Compliant

AVG · Netherlands GDPR implementation aligned with Autoriteit Persoonsgegevens guidance. Dutch SMB-ready. Compliant

DPDP Act · India India Mumbai region, data fiduciary obligations met, consent records, India-based grievance officer. Compliant

UAE PDPL Dubai region, UAE entity, FTA-registered, aligned with Federal Decree Law 45/2021. Compliant

SOC 2 Type II Controls implemented. Observation window in progress with Schellman. Type II report expected Q4 2026. Type I readiness memo available under NDA today. In progress

ISO 27001:2022 Controls mapped and implemented. External audit booked Q3 2026. Statement of Applicability available under NDA. In progress

Meta Business Partner Official Meta-verified BSP. Direct Cloud API access. Listed on Meta's partner directory. Verified

HIPAA / BAA We do not sign BAAs today. If you're a US healthcare covered entity, we can't be the BSP for PHI-bearing conversations. We'll say so up front. Not available

FedRAMP Not pursued — US federal government isn't a target market. If you're a non-US government entity, we'll discuss case-by-case. Not pursued

03 — Reliability

99.9% uptime SLA with a public status page.

If we miss the SLA in any billing month, you get service credits automatically. No email-your-CSM-for-credit games.

99.97%90-day uptime
at API gatewayLive · updated hourly

<120msP95 API response
time (EU & India)Rolling 30-day

0Critical P0 incidents
past 90 daysPublic history

2xAvailability zones
per regionActive-active

View the live status page → · Subscribe to incident alerts →

04 — Data residency

Pick the region your data lives in.

Message archives, customer records, and media files stay in your chosen region. No cross-region copies. Backup replicas use the same region's availability zones.

EU · Frankfurt (AWS eu-central-1) Default for UK, Ireland, Netherlands, Germany, France, Spain, Italy, Belgium, Nordics customers. GDPR & AVG-aligned.
India · Mumbai (AWS ap-south-1) Default for India, Sri Lanka, Bangladesh, Nepal customers. DPDP Act-compliant. RBI-acceptable for regulated entities.
UAE · Dubai (AWS me-south-1) Default for UAE, Saudi Arabia, Qatar, Kuwait, Oman, Bahrain customers. PDPL-aligned. ADGM/DIFC-friendly.
Deletion policy End-user data deletion requests: within 30 days. Admin-initiated full-workspace deletion: primary + backups purged within 90 days. Signed certificate of deletion on request.

05 — Meta partnership

Meta Business Partner — direct Cloud API.

We're on Meta's verified partner directory. Your WhatsApp Business Account connects through official Cloud API — no grey-market on-premise hacks, no shared WABA shortcuts, no rate-limit games.

You own the WABA Your WhatsApp Business Account lives in your Meta Business Manager — not ours. If you ever leave, it stays with you. No vendor lock-in.
Meta-passthrough conversation pricing Meta's per-conversation fee goes to Meta at cost. We don't mark up Meta's pricing. You see the exact fee in your invoice.
Green Tick submission support included Hands-on help preparing your WhatsApp verified-business application. Approval is Meta's call, but we get you past the preventable rejections.
Template approval guidance We review every template before you submit, flag the common rejection patterns, and help you rewrite for Meta's policy team.

06 — Customer proof

1,500+ businesses. Real case studies. Real names.

Case studies are on the record with the customer's permission — not anonymised screenshots. You can email the customer's ops lead and ask if they're a real reference.

1,500+Businesses across 40+ countries

4.4/5G2 & Capterra · 120+ verified reviews

10Published case studies with named customers

95%Net revenue retention (last 4 quarters)

Featured case studies: Urban Thread Retail · Al Rawan Travel · MediLife Pharmacy · BrightEdu Schools · Nour Retail · Kitchenly · Saanvi Crafts · Rajasthan Weaves · SkillLab Academy · and more

07 — Legal & insurance

The paperwork your legal team needs.

All signable. All reviewable. No “talk to sales for a DPA” gating.

Data Processing Addendum (DPA) Signable by your legal counsel without negotiation for standard enterprise plans. Includes GDPR Article 28 processor terms, SCCs (EU 2021/914), UK IDTA, India DPDP addendum.
Sub-processor register Public list of every third-party that processes customer data (AWS, Meta, Stripe, Postmark, Intercom, Google, Cloudflare). Updated within 30 days of any change. 14-day objection period for enterprise plans. Download PDF →
Cyber & professional liability insurance $5M cyber / $2M professional liability / $1M commercial general. Certificate of insurance on request.
Master Services Agreement Two-page plain-language MSA for most customers. Fortune 2000-friendly long-form MSA available for enterprise plans — redline-friendly.
SLA with service credit schedule 99.9% monthly uptime. <99.9% = 10% credit. <99.0% = 25% credit. <95.0% = 50% credit. Applied automatically to your next invoice — no ticket required.

08 — From the founder

On trust.

“Every enterprise buyer has been burned by a vendor who over-promised on compliance. Our answer: we publish what we have, what's in progress, and what we don't support — on one page, named dates included. If we sign a DPA with your legal team today, the terms match what you read on this page. Not a renegotiation.”

Anuj Singh · Founder & CEO, Go4whatsup

09 — Downloads

Send these to your procurement and legal teams.

Most documents are on request (to protect customer-specific details in the security pack). We reply within one business day — usually same-day in India / UAE hours.

Privacy PolicyPublic · GDPR / DPDP / PDPL-aligned

Terms of ServicePublic · Plain-language MSA

Compliance & DPA pack (PDF)3 pages · DPA, SCCs, GDPR / DPDP / PDPL matrix

Security whitepaper (PDF)3 pages · Public overview · Full version under NDA

Sub-processor register (PDF)Public · 7 sub-processors, data categories, regions

Refund & SLA credit policyPublic · Automatic service credit schedule

SOC 2 readiness + pen-test reportUnder NDA · Request from [email protected]

Business continuity / DR planUnder NDA · RTO 4 hrs / RPO 15 min

Certificate of InsuranceOn request · $5M cyber / $2M E&O

Ready to start the security review?

Share this page with your procurement and InfoSec teams. Our enterprise team responds to RFP questionnaires within one business day — CAIQ, SIG Lite, VSA, and custom formats all accepted.

Book an enterprise demo Send an RFP