Security

How we protect your data and infrastructure.

1. Infrastructure Security

  • Encryption in Transit: All API traffic is encrypted using TLS 1.2+ (HTTPS). Unencrypted HTTP connections are rejected.
  • Encryption at Rest: WhatsApp Business Account access tokens and sensitive credentials are encrypted at rest in our database.
  • Isolated Environments: Production, staging, and development environments are fully isolated with separate databases, credentials, and network rules.
  • Container Security: Our services run in isolated Docker containers with minimal base images and no root-level access.

2. Authentication and Access Control

  • JWT Authentication: Dashboard sessions use short-lived JWT access tokens (60-minute expiry) with refresh token rotation (7-day expiry).
  • httpOnly Cookies: Tokens are stored in httpOnly, Secure, SameSite cookies — inaccessible to client-side JavaScript, preventing XSS-based token theft.
  • API Key Authentication: Server-to-server calls use API keys with the wsa_ prefix. Keys are hashed with SHA-256 before storage — we never store raw keys.
  • Password Hashing: User passwords are hashed using Django's PBKDF2 algorithm with SHA-256 and a unique salt per account.
  • Email Verification: All new accounts require email verification via a 6-digit code before access is granted.
  • Per-Tenant Isolation: Every API request is scoped to the authenticated tenant. Cross-tenant data access is not possible.

3. API Security

  • Rate Limiting: Per-tenant rate limiting using sliding window algorithms. Limits scale by plan (10-1,000 requests/minute).
  • OTP Rate Limiting: Maximum 5 OTP requests per phone number per hour to prevent abuse.
  • Input Validation: All API inputs are validated and sanitized through Django REST Framework serializers before processing.
  • CORS Policy: Cross-origin requests are restricted to explicitly allowed domains in production.
  • CSRF Protection: Enabled for all state-changing operations on the dashboard.

4. Webhook Security

  • HMAC Signatures: All outbound webhook payloads are signed using HMAC SHA-256 with a per-tenant secret. Verify signatures on your end to ensure payload integrity.
  • Meta Webhook Verification: Inbound webhooks from Meta are verified using the X-Hub-Signature-256 header and your app secret.
  • Retry with Backoff: Failed webhook deliveries are retried up to 5 times with exponential backoff (30s to 480s).
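The receiver-side check recommended under HMAC Signatures, as an added example (not Hawk Send's own code). It assumes the signature arrives as a hex HMAC SHA-256 digest of the raw request body, optionally prefixed with "sha256=" as in Meta's X-Hub-Signature-256 header; the secret, event names and function names are constructed for illustration.

```python
import hashlib
import hmac
import json
from typing import Optional


def sign(secret: bytes, raw_body: bytes) -> str:
    """Hex HMAC SHA-256 over the exact bytes of the request body."""
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, raw_body: bytes,
                   header_value: Optional[str]) -> bool:
    """Return True only if header_value is a valid signature for raw_body.

    Assumption: the header holds a hex digest, optionally prefixed
    with "sha256=" (the X-Hub-Signature-256 format).
    """
    if not header_value:
        return False  # a missing signature is a failure, never a pass
    candidate = header_value.strip()
    if candidate.startswith("sha256="):
        candidate = candidate[len("sha256="):]
    expected = sign(secret, raw_body)
    # compare_digest runs in constant time, so response timing does not
    # reveal how many leading characters of a guessed signature matched.
    return hmac.compare_digest(expected.encode(), candidate.lower().encode())


if __name__ == "__main__":
    # Constructed sample values, not real Hawk Send data.
    secret = b"constructed-per-tenant-secret"
    body = b'{"event":"message.delivered","id":"evt_1"}'
    header = "sha256=" + sign(secret, body)

    print("valid payload:      ", verify_webhook(secret, body, header))
    print("tampered payload:   ",
          verify_webhook(secret, body.replace(b"evt_1", b"evt_2"), header))
    print("missing header:     ", verify_webhook(secret, body, None))
    # Parsing and re-serializing changes whitespace, so the bytes differ
    # and the check fails: verify the raw body before any JSON parsing.
    reserialized = json.dumps(json.loads(body)).encode()
    print("re-serialized JSON: ", verify_webhook(secret, reserialized, header))
```

Run the check on the raw body bytes as received, before any framework parses or normalizes the JSON, and reject the request when the check returns False.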

5. OTP Security

  • Hashed Storage: OTP codes are stored as SHA-256 hashes. Raw codes exist only in memory during generation and delivery.
  • Auto-Expiry: OTPs expire after a configurable period (60-600 seconds, default 300s). Expired OTPs are automatically cleaned up.
  • Attempt Limiting: Maximum 3 verification attempts per OTP. Once that limit is exceeded, the OTP is invalidated.
  • Single Use: Pending OTPs for the same phone number are automatically expired when a new one is generated.

6. Data Protection

  • Minimal Data Retention: Message logs are retained for 90 days, OTP records for 30 days, webhook logs for 30 days. Data is purged automatically after retention periods.
  • No Plaintext Secrets: API keys, passwords, OTP codes, and access tokens are never stored in plaintext.
  • Secure Key Display: Full API keys are shown only once at creation time. They cannot be retrieved afterward.
  • Data Deletion: Users can request full account and data deletion per our Data Deletion Policy.

7. Third-Party Security

  • Meta WhatsApp Cloud API: Messages are transmitted to Meta over encrypted channels. Meta is responsible for end-to-end encryption of WhatsApp messages to recipients.
  • Stripe: Payment processing is handled entirely by Stripe, a PCI DSS Level 1 certified provider. We never store credit card numbers.
  • Meta Embedded Signup: WABA onboarding uses Meta's official OAuth flow. Tokens are issued by Meta and stored encrypted on our end.

8. Incident Response

  • We monitor our infrastructure for anomalies and unauthorized access attempts.
  • In the event of a security incident affecting your data, we will notify affected customers within 72 hours via email.
  • Post-incident, we conduct a root cause analysis and implement preventive measures.

9. Responsible Disclosure

If you discover a security vulnerability in Hawk Send, we encourage responsible disclosure. Please report it to security@hawksend.com.

  • Do not publicly disclose the vulnerability before we have had a chance to address it.
  • Provide sufficient detail for us to reproduce and fix the issue.
  • We will acknowledge receipt within 48 hours and aim to resolve critical issues within 7 days.

10. Contact

For security-related inquiries: