Architecture and Security
This document explains the WhatsApp Business API Architecture and Security.
Encryption
All WhatsApp messages remain protected by Signal protocol encryption before leaving the device, so messages are securely delivered to the destination chosen by each business.
Cloud API uses industry-standard encryption for:
Data in transit (HTTPS + TLS)
Data at rest
It uses:
Graph API to send messages
Webhooks to receive events
WhatsApp cannot access message content exchanged between users and businesses.
See Encryption Overview Whitepaper for more details.
What Is Local Storage?
Local Storage allows Cloud API numbers to store message data at rest in a specific country or region. Ideal for:
Regulated industries (finance, government, healthcare)
Businesses with data residency requirements
What Data Is Localized?
Outgoing messages
Incoming messages
Message Types Covered
Text payloads
Media (audio, documents, images, video)
Template components (text/media)
Metadata
A limited set of metadata is stored to:
Associate encrypted payloads with the original message
Provide auditing Metadata is protected via tokenization and encryption.
Available regions
The following regions are currently supported by Cloud API Local Storage:
How to Activate Local Storage
Contact Support and request Local Storage for a specific WABA.
Provide the target storage region.
Confirm the change using the PIN sent to the WABA phone number.
Cloud API will store message content in the selected country instead of the US.
Message Flows
When a user sends a message to one of these businesses, the message travels end-to-end encrypted between the user and the Cloud API. As per the Signal protocol, the user and the Cloud API, on behalf of the business, negotiate encryption keys and establish a secure communication channel. WhatsApp cannot access any message content exchanged between users and businesses.
Once a message is received by the Cloud API, it gets decrypted and forwarded to the Business. Messages are only temporarily stored by the Cloud API as required to provide the base API functionality.
Messages from a business to a user flow on the reverse path. Businesses send messages to Cloud API. The Cloud API service stores the messages temporarily and takes on the task to send the message to the WhatsApp platform. Messages are stored for any necessary retransmissions.
All messages are encrypted by the Cloud API before being sent to WhatsApp using the Signal protocol with keys negotiated with the user (recipient).
WhatsApp acts as the transport service. It provides the message forwarding software; both client and server. It has no visibility into the messages being sent. It protects the users by detecting unusual messaging patterns (like a business trying to message all users) or collecting spam reports from users.
Cloud API, operated by Meta, acts as the intermediary between WhatsApp and the Cloud API businesses. In other words, those businesses have given Cloud API the power to operate on their behalf. Because of this, WhatsApp forwards all message traffic destined for those businesses to Cloud API. WhatsApp also expects to receive from Cloud API all message traffic from those businesses.
WhatsApp gives Cloud API metering and billing information for the Cloud API businesses. It does not share any other messaging information.
Meta, in providing the WhatsApp Cloud API service, acts as a Data Processor on behalf of the business. In other words, the businesses have requested Meta to provide programmatic access to the WhatsApp platform.
Cloud API receives from WhatsApp the messages destined for the businesses that use Cloud API. Cloud API also sends to WhatsApp the messages sent by those businesses. Other parts of Meta (other than Cloud API) do not have access to the Cloud API business communications, including message content and metadata. Meta does not use any Cloud API data for advertising.
Stored and Collected Data
All data collected, stored and accessed by Cloud API is controlled and monitored to ensure proper usage and maintain the high level of privacy expected from a WhatsApp client.
Information about the businesses, including their phone numbers, business address, contacts, type, etc. is maintained by Meta and the Business Manager product and is subject to the terms of service set by Meta. Cloud API relies on Business Manager and other Meta systems to identify any access to Cloud API on behalf of the business.
Messages sent or received via Cloud API are only accessed by Cloud API, no other part of Meta can use this information. Messages have a maximum retention period of 30 days in order to provide the base features and functionality of the Cloud API service; for example, retransmissions. After 30 days, these features and functionality are no longer available.
Cloud API does not rely on any information about the user (customer/consumer) the business is communicating with other than the phone number used to identify the account. This information is used to deliver the messages via the WhatsApp client code. User phone numbers are used as sources or destinations of individual messages; as such they are deleted when messages are deleted. No other part of Meta has access to this information.
No message content is shared or sent to WhatsApp at any time and no WhatsApp employee has access to any message content.
Message content
Cloud API
No
No
Consumer phone number
Cloud API
No
Yes
Non-identifiable statistics
Cloud API
Yes
Yes
Integrity signals - per business
WhatsApp Client
No
Yes
Business information
Business Manager
Yes
Yes
Billing - per business
Yes
Yes
GDPR
Meta enables businesses to fulfill their obligations under the General Data Protection Regulation (GDPR). However, it's important to note that each business bears the responsibility of ensuring its own compliance with the GDPR, similar to other applicable laws.
To understand compliance with GDPR, please see:
Useful links
Last updated
Was this helpful?