WhatsApp Business API
Security & Data Practices
An honest overview of how WhatsApp Business API security works, what data iwsapp.my retains, and what your responsibilities are as a sender — including platform dependencies and important disclaimers.
How WhatsApp API Protects Messages
Encryption is handled by Meta's WhatsApp infrastructure — not by iwsapp.my. Here's what that means in practice.
End-to-End Encryption
All WhatsApp messages are end-to-end encrypted using the Signal Protocol. Message content is encrypted between the sender and recipient — it cannot be read by Meta servers or by iwsapp.my in transit.
Meta Cloud Infrastructure
WhatsApp Business API runs on Meta's enterprise cloud infrastructure. Platform availability, uptime, and infrastructure security are managed by Meta — not by iwsapp.my. We pass messages through Meta's API.
Business Verification by Meta
All businesses using WABA must pass Meta's business verification process before sending. This confirms identity and legitimacy. Verification is controlled and decided by Meta.
Role-Based Access Control
The iwsapp.my platform supports role-based access. Account administrators control which team members can access sending, reports, and settings. Limit access to authorised staff only.
API IP Whitelisting
Where applicable, API access can be restricted to whitelisted IP addresses — reducing the risk of unauthorised API calls from outside your network. Ask our team to enable this for your account.
Spam Detection by Meta
Meta automatically detects and blocks suspicious sending patterns. Accounts with high opt-out or block rates are flagged and may be restricted. Sending to non-consenting contacts puts your account at risk.
What Data iwsapp.my Retains
We retain sending metadata — not message content — for operational and audit purposes. Here's exactly what we keep and for how long.
We retain message sending logs — including recipient number, timestamp, delivery status, and template name — for up to 2 years. This is used for delivery dispute resolution, account audits, and operational support.
Account registration details, credit top-up history, and transaction records are retained for 7 years as required under Malaysian accounting and tax regulations.
Mobile numbers and contact data you upload for sending are processed on your behalf. You are the data owner and are responsible for ensuring those contacts have consented to receive messages. We do not use your contact lists for any other purpose.
We maintain audit logs of account activity — login events, API calls, and sending activity — where applicable. These may be reviewed internally for compliance, security investigations, or at the request of relevant authorities where required by law.
Platform Access Security Features
Platform Dependencies & Limitations
Please read these carefully before relying on WhatsApp Business API for critical communications.
Messaging Delivery Disclaimer
WhatsApp message delivery is dependent on Meta's infrastructure, the recipient's network connectivity, device status, and whether the recipient is registered on WhatsApp. iwsapp.my cannot guarantee delivery of any message. We provide best-effort delivery and real-time delivery status reporting, but factors outside our control may affect delivery.
Meta / Upstream Platform Dependency
The WhatsApp Business API is a service provided and controlled by Meta Platforms, Inc. Meta may at any time change pricing, policies, template requirements, or platform availability. iwsapp.my is a downstream service provider — we are subject to Meta's platform rules and any changes Meta makes to the WhatsApp Business API. We will inform customers of significant changes as soon as reasonably possible.
Account Suspension Risk
Meta may restrict, suspend, or terminate a WhatsApp Business Account at their discretion if usage violates their policies — including sending to non-consenting contacts, high block rates, or prohibited content. iwsapp.my has no control over Meta's suspension decisions. Credits used before suspension are non-refundable.
Telco & Network Dependency
For recipients to receive WhatsApp messages, they must have an active internet connection via mobile data or Wi-Fi. WhatsApp is not a telco SMS service — it does not fall back to SMS if the recipient is offline. Network outages, international connectivity issues, or device problems on the recipient's end are outside iwsapp.my's control.
As a Sender, You Are Responsible For
iwsapp.my provides the platform and technical infrastructure. The following responsibilities rest with you as the account holder and message sender.
Obtaining proper consent from recipients before sending marketing messages.
Ensuring the contact data you upload was collected lawfully and with appropriate authorisation.
Clearly identifying your business in every message — no impersonation or misleading sender identity.
Providing recipients with a clear and easy way to opt out of further messages.
Honouring opt-out requests promptly and removing opted-out contacts from future sends.
Ensuring message content complies with Meta's WhatsApp Business Policy and applicable Malaysian law.
Keeping your API credentials secure and rotating them regularly.
Not using the platform to send spam, scam, phishing, or prohibited content.