WABA explained
This document explains the WhatsApp Business API Architecture and Security.

Architecture

Unlike typical REST APIs, the WhatsApp (WA) Business API requires the WhatsApp Business API Client to be installed and managed. As an official WhatsApp Business Solutions Provider - we (the Business Solutions Provider) will do this installation, hosting and maintenance for you. When it is up and running, the WhatsApp Business API client can communicate with WA servers in an end-to-end-encrypted manner and you integrate with this system using our API endpoints.
The WhatsApp Business API Client consists of a set of Docker containers, as well as database and media volumes as shown in the following image.

Components

A WhatsApp Business API Client consists of the following components shown in the preceding image.
  • WebApp node Handles authentication and authorization of WhatsApp Business API users Accepts incoming Rest API calls from your business systems and forwards them to the CoreApp node(s)
  • CoreApp node(s) - Receives Rest API calls from the WebApp node, and sends resulting messages to the WhatsApp server. - After receiving messages from the WhatsApp server, sends messages to your Webhook server that include the incoming payload from the WhatsApp servers. - Downloads and saves media to the media volume
  • Database Stores data for the WhatsApp Business API client, including messages, contacts, configurations etc.
  • Media volume Stores uploaded media files used for outgoing media messages / media message templates, as well as the media files from incoming media messages
  • WebHook server - Receives incoming HTTP messages from the CoreApp nodes
After the successful setup of the WhatsApp Business API Client you will get an API-KEY. Then your business can start integrating with the WhatsApp Business API like common REST APIs via HTTPS, and receiving incoming messages using Webhooks.

How it works

Messages are encrypted between the WhatsApp app on a user’s smartphone through the WhatsApp infrastructure / data centers until it reaches our hosted Docker containers (described above). Only in these containers the decryption takes place. The Docker containers are installed in a redundant and multi-connect environment.
After sending, the messages are processed to the WhatsApp Business container where they are encrypted and dispatched into the WhatsApp infrastructure and finally pushed to the targeted device, where it is decrypted.
At any given time, you can only have one instance of the WhatsApp Business API Client running for a single phone number.

Security

When using the WhatsApp Business API, we will always have in effect and maintain administrative, physical and technical safeguards that: (a) meet or exceed industry standards, (b) are compliant with applicable Laws (including data security and privacy laws, rules and regulations), and (c) are designed to prevent any unauthorized access, use, processing, storage, destruction, loss, alteration or disclosure of User Data.
We make use of the below Safety features as provided by WhatsApp.
Passwords and Authentication All requests to the WhatsApp API must be authorized with an API-KEY. Please refer to the API documentation for more information about this topic.
SSL Configuration
Access to the WhatsApp Business API client requires HTTPS. The WhatsApp Business API Client generates a self-signed certificate by default when it is created. As Webhooks also requires HTTPS for callbacks.
Network Segregation
We host the Webapp and Coreapp nodes in separate, segregated networks, and expose them only to required services.
Message Encryption

Data Processing

We act as a data processor on behalf of our Integration Partners, and the Integration Partner on behalf of the Businesses' using the WhatsApp Business API. We will only process data to and from the WhatsApp Business Solution according to the instructions of Businesses as communicated through WhatsApp API or by their Integration Partner. By using our services, both Parties commit to their compliance with all applicable privacy laws and regulations.
Integration Partners must sign a Data Processing Agreement which outlines the specifics prior to using our API.

GDPR

The General Data Protection Regulation (GDPR) creates consistent data protection rules across Europe. It applies to companies (regardless of where they are based) who process personal data about individuals in the EU.

Contact

If you have specific questions about our Data Processing Policies or GDPR, please reach out to: [email protected]

Developer Documentation

FAQs - WhatsApp Business Platform - Documentation - Facebook for Developers
Facebook for Developers
Security - WhatsApp Business Platform - Documentation - Facebook for Developers
Facebook for Developers
WhatsApp Security
WhatsApp.com