Security & Compliance

How Safravo protects your data, secures API access, and maintains compliance.

Infrastructure security

  • Encryption in transit — all traffic is encrypted via TLS 1.3. Plain HTTP requests are rejected.
  • Encryption at rest — all data is encrypted at rest using AES-256.
  • Cloud infrastructure — Safravo runs on AWS. Enterprise customers can request custom data residency options.
  • Automated backups — daily backups with a 30-day retention period.

API key security

API keys grant programmatic access to your workspace. Treat them like passwords.

  • Never expose keys in client-side code — do not embed keys in browser JavaScript, mobile apps, or public repositories.
  • Use environment variables — store keys in environment variables or a secrets manager (AWS Secrets Manager, Doppler, Vercel env vars, GitHub Actions secrets).
  • Rotate regularly — issue a new key, switch the integration over to it, then revoke the old one. Do this at least every 90 days, and immediately if you suspect a compromise. Keys are managed under Settings → Developers in the dashboard.
  • Scope minimally — create separate keys per integration and grant only the scopes each integration needs. See Authentication → Scopes.
  • Monitor usage — check the Last Used timestamp on each key in the dashboard. A key that is used when it should be idle, or one belonging to an integration you have retired, is a sign of unexpected activity and should be revoked.

Webhook signature verification

Every webhook delivery from Safravo includes an X-Safravo-Signature header. Always verify this signature before processing any event. Anyone who can reach your endpoint can POST a well-formed event, so an unverified endpoint accepts forged events; a valid signature confirms the sender holds your Webhook Secret and that the payload has not been altered in transit.

The signature is an HMAC-SHA256 of the raw request body, prefixed with sha256=, computed using your Webhook Secret (format: whsec_<64 hex chars>).

const crypto = require("crypto")

// rawBody: the request body exactly as received (Buffer or string), before JSON parsing.
// signatureHeader: the value of the X-Safravo-Signature header.
// secret: your Webhook Secret (whsec_<64 hex chars>).
function verifyWebhook(rawBody, signatureHeader, secret) {
  const expected = `sha256=${crypto
    .createHmac("sha256", secret)
    .update(rawBody)
    .digest("hex")}`

  // timingSafeEqual throws when the buffers differ in length, so reject a
  // missing or malformed header up front instead of crashing the handler.
  if (typeof signatureHeader !== "string") return false
  const a = Buffer.from(expected)
  const b = Buffer.from(signatureHeader)
  if (a.length !== b.length) return false

  return crypto.timingSafeEqual(a, b)
}

Always compute the HMAC over the raw request body, before any JSON parsing. Re-serialising a parsed object changes whitespace (and can change number formatting) and will break signature validation. In Express, for example, read the body with express.raw() or capture the original bytes in the verify callback of express.json() rather than hashing JSON.stringify(req.body).

See Webhooks → Verifying Signatures for full examples in Node.js, Python, PHP, Go, and Ruby.

Compliance

GDPR

Safravo acts as a Data Processor for the messages you send and the contacts you store. You remain the Data Controller.

  • You can request deletion of any contact's data via the API (DELETE) or from the contact's profile in the dashboard.
  • A Data Processing Agreement (DPA) is available upon request — contact [email protected].

Meta Business Policies

When using WhatsApp, Instagram, or Messenger, you must also comply with Meta's Business Policies.

  • WhatsApp opt-in — you must obtain explicit opt-in from users before sending proactive (business-initiated) messages.
  • Human escalation — automated bots must provide a clear path for users to reach a human agent.
  • Template compliance — WhatsApp message templates must comply with Meta's content policies. See WhatsApp Templates.

Reporting security vulnerabilities

If you discover a potential security vulnerability in Safravo, please contact [email protected]. We follow responsible disclosure practices and will respond promptly.