Trust

Security

Last updated: 23 June 2026

Klaros handles your customer conversations and your contact book, so security is built into the architecture — not bolted on. This page summarizes the safeguards in place.

Credentials encrypted at rest

Your WhatsApp access token and other sensitive credentials are encrypted with AES-GCM before they are stored. Plaintext tokens are never written to the database, and encryption keys are held as platform secrets, separate from the data they protect.

Signature-verified webhooks

Every inbound webhook from Meta is verified against an HMAC-SHA256 signature keyed by your app secret. Unsigned or forged requests are rejected, so only genuine WhatsApp events reach your inbox.
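A check of this kind, as an added example (not Klaros's own code): Meta sends the signature in the `X-Hub-Signature-256` header as `sha256=<hex>`, computed over the raw request body with the app secret as the HMAC key. The function names, the lowercase header map, and the sample secret and body are assumptions constructed for the example.

```javascript
// Added example, not Klaros's code. Loads Node's crypto under CommonJS or ES modules.
const nodeCrypto = typeof require === "function"
  ? require("node:crypto")
  : process.getBuiltinModule("node:crypto");

// Returns true only if the header carries a valid HMAC-SHA256 of rawBody.
function verifyMetaSignature(rawBody, signatureHeader, appSecret) {
  if (typeof signatureHeader !== "string") return false; // unsigned request
  const match = /^sha256=([0-9a-f]{64})$/i.exec(signatureHeader.trim());
  if (!match) return false; // malformed or truncated signature
  const received = Buffer.from(match[1], "hex");
  // The HMAC must cover the exact bytes received, before any JSON parsing
  // or re-serialization, otherwise genuine requests fail to verify.
  const expected = nodeCrypto.createHmac("sha256", appSecret).update(rawBody).digest();
  // Constant-time comparison; both buffers are 32 bytes at this point.
  return nodeCrypto.timingSafeEqual(received, expected);
}

// Hypothetical handler: reject before the payload is parsed or routed.
// Assumes header names have already been lowercased.
function handleWebhook(rawBody, headers, appSecret) {
  if (!verifyMetaSignature(rawBody, headers["x-hub-signature-256"], appSecret)) {
    return { status: 401, event: null };
  }
  return { status: 200, event: JSON.parse(rawBody.toString("utf8")) };
}

// Constructed sample values (not real credentials or real traffic).
const APP_SECRET = "constructed-app-secret";
const BODY = Buffer.from('{"object":"whatsapp_business_account","entry":[]}');
const GOOD_SIG = "sha256=" +
  nodeCrypto.createHmac("sha256", APP_SECRET).update(BODY).digest("hex");

function demo() {
  // Same signature, modified body: must fail verification.
  const tampered = Buffer.from(BODY.toString().replace("[]", '[{"id":"x"}]'));
  const signed = { "x-hub-signature-256": GOOD_SIG };
  return {
    genuine: handleWebhook(BODY, signed, APP_SECRET).status,
    unsigned: handleWebhook(BODY, {}, APP_SECRET).status,
    tampered: handleWebhook(tampered, signed, APP_SECRET).status,
    wrongKey: handleWebhook(BODY, signed, "some-other-secret").status,
  };
}

console.log(demo());
```

On Cloudflare Workers the same check can be written with the Web Crypto API (`crypto.subtle.importKey` and `crypto.subtle.verify`), which also compares in constant time.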

Per-tenant isolation

Each account's data is scoped to that account. Inbound messages are routed to the owning tenant by the business number they were sent to, so one customer's data is never resolved into another's.

Private, signed media

Images and documents you send are served from private storage behind short-lived, signed URLs. Meta fetches the file once and the link expires — there are no public media buckets exposing your content.

Consent enforced before send

An opt-in / opt-out ledger records consent events with their evidence, and suppression is enforced before any message is sent. The WhatsApp 24-hour service window and approved-template requirements are respected automatically.

Official platform only

All messaging runs on Meta's official WhatsApp Business Platform. We use no grey-area automation or unofficial clients, which keeps your number off ban-risk paths.

Auditability and data control

Sends, consent events, and charges are logged for audit. You can export your full contact book at any time and request data erasure — your data is never held hostage.

Encryption in transit

All traffic between your browser, the Klaros deployment, and Meta's API travels over TLS 1.2+. Cloudflare Workers enforce HTTPS by default — plaintext HTTP is never accepted.

Data residency

Because Klaros is self-hosted on your Cloudflare account, your data lives where you configure it. D1 databases run in the region you select; R2 storage is globally distributed with a primary region you control. No data transits through Klaros-owned infrastructure.

Incident response

If we become aware of a security issue affecting the Klaros software, we will:

Because each deployment is isolated, an incident in one customer's environment cannot propagate to another.

Third-party dependencies

Klaros has minimal server-side dependencies. The deployment runs on Cloudflare's edge runtime (Workers, D1, R2, Queues) — there is no Node.js process, no Docker container, and no OS to patch. Cloudflare manages infrastructure-level security, patching, and DDoS protection.

Your part in security

Reporting a vulnerability

If you believe you've found a security issue, please email security@tryklaros.com with details and steps to reproduce. We appreciate responsible disclosure and will respond as quickly as we can. Please do not publicly disclose an issue before we've had a chance to address it.