Security
Learn about Wexio's security architecture, encryption, authentication, data protection, and compliance features that keep your data safe.
Wexio implements a comprehensive, multi-layered security architecture to protect your data and ensure compliance with global data protection regulations. This page provides an overview of the security measures in place across the platform.
Encryption
Multi-Layered Encryption
All sensitive data in Wexio is encrypted using AES-256-GCM, the industry-standard authenticated encryption algorithm. The platform uses a per-organisation, per-context key derivation system, so no key is ever shared across organisations or across different types of sensitive data.
Key derivation follows RFC 5869 (HKDF) with SHA-512, meaning each organisation gets unique encryption keys derived from a master secret. This ensures that even if one key were compromised, other organisations and contexts remain protected.
Encryption Contexts
Different types of sensitive data are encrypted with separate, context-specific keys. See Integrations for connecting channels and AI Settings for AI provider configuration.
| Context | What's Encrypted |
|---|---|
| AI Integrations | OpenAI, Anthropic API keys |
| Telegram | Bot tokens |
| Viber | Bot tokens |
| Webhooks | Webhook secrets and signatures |
| System AI | System-level AI configuration |
| Authentication | Authentication tokens |
Each encryption operation includes Additional Authenticated Data (AAD) binding the ciphertext to its organisation and context, preventing context confusion attacks where encrypted data could be moved between organisations.
Data in Transit
All data transmitted between your browser and Wexio servers is protected by:
- TLS 1.2 / TLS 1.3 encryption on all connections
- Modern cipher suites only (ECDHE-based)
- Automatic HTTP → HTTPS redirect
- HSTS (HTTP Strict Transport Security) with a 1-year max-age
WebSocket connections (used for real-time chat updates) are also encrypted via WSS (WebSocket Secure).
Infrastructure Security
Wexio's infrastructure is hosted on enterprise-grade cloud platforms with robust physical and network security controls. All infrastructure components are deployed in compliance with SOC 2 Type II and ISO 27001 certified environments.
| Provider | Role | Region | Certifications |
|---|---|---|---|
| AWS | Primary cloud infrastructure | EU (Ireland, eu-west-1) | SOC 1/2/3, ISO 27001, ISO 27017, ISO 27018, PCI DSS Level 1 |
| Vercel | Edge hosting and serverless compute | EU (Ireland, dub1) | Global CDN with DDoS protection and WAF |
| MongoDB Atlas | Managed database | EU (Ireland) | SOC 2 Type II, ISO 27001 |
| Upstash Redis | Rate limiting, caching, sessions | EU (Ireland) | Encrypted at rest and in transit |
- Network segmentation — Production, staging, and development environments are strictly isolated using Virtual Private Clouds (VPCs) with granular security group rules. No direct internet access to backend services.
- DDoS protection — Multi-layer DDoS mitigation through AWS Shield and Vercel's edge network with automatic traffic scrubbing and rate limiting at the edge.
- Continuous monitoring — Real-time infrastructure monitoring with automated alerting for anomalous activity, resource utilisation, and security events.
Network Security
CORS Policy
Wexio enforces a strict Cross-Origin Resource Sharing (CORS) policy. Only requests from trusted *.wexio.io origins and authorised local development servers are accepted — all other origins are rejected.
Security Headers
The platform sets robust security headers on all responses:
| Header | Purpose |
|---|---|
| Strict-Transport-Security | Forces HTTPS for all future requests |
| X-Frame-Options: DENY | Prevents clickjacking attacks |
| X-Content-Type-Options: nosniff | Prevents MIME-type confusion attacks |
| Cross-Origin-Resource-Policy | Controls cross-origin resource sharing |
WebSocket connections use WSS (encrypted WebSocket) with the same JWT authentication as HTTP requests, preventing unauthenticated real-time connections.
Data Isolation & Multi-Tenancy
All organisations share a common platform by default, with strict logical isolation at the database level. For customers with advanced compliance requirements, Pro and Enterprise plans offer the option to provision a completely dedicated MongoDB database and Redis instance for full physical data separation.
- Tenant-scoped queries — A middleware layer automatically injects the authenticated organisation ID into every database operation, preventing cross-tenant data leakage even in the event of application-level bugs.
- Dedicated database option — Organisations on Pro and Enterprise plans can migrate to a physically isolated MongoDB instance and/or Redis, with full data migration or fresh-start modes.
- Environment separation — Production, staging, and development environments are completely isolated. Testing never uses production data.
- Organisation deletion cascade — When an organisation is removed, all associated data (messages, media, integrations, flows, contacts) is permanently deleted across all storage layers.
Authentication & Authorization
Authentication Methods
Wexio supports multiple authentication methods to suit your security requirements. No passwords are stored on the platform — all authentication is handled through secure OAuth 2.0 providers, passkeys, or enterprise SSO. See Account Security for setup instructions.
| Method | Description |
|---|---|
| OAuth 2.0 | Sign in with Google, Microsoft, or GitHub — no password-based authentication exists, eliminating an entire class of credential attacks |
| Two-Factor Authentication (2FA) | TOTP-based 30-second codes with 10 one-time recovery codes. Failed login attempts trigger account lockout to prevent brute-force attacks |
| Passkeys / WebAuthn | Hardware security key and biometric authentication via the WebAuthn standard, providing phishing-resistant credentials |
| Enterprise SSO (SAML 2.0) | Centralised access management through your own identity provider |
Sessions
API access uses short-lived JWT access tokens with refresh token rotation. Sessions are database-backed with a 30-day expiry and device fingerprinting, so each login is tracked and can be individually revoked. Google reCAPTCHA is applied on all public-facing forms for bot detection and abuse prevention.
Role-Based Access Control (RBAC)
Every user in an organisation is assigned a role that determines their permissions. See Team Settings for role management.
| Role | Capabilities |
|---|---|
| Owner | Full access including billing, org deletion, and team management |
| Admin | Manage settings, integrations, and team members |
| Editor | Manage flows, templates, and content; limited settings access |
| Agent | Chat with contacts, view people, limited settings access |
Organisation Isolation
Every database query is automatically scoped to your organisation — users can never access data from other organisations, ensuring complete data isolation. Every GraphQL resolver is protected by layered guards: JWT authentication, organisation access, chat-level access, role verification, and plan usage limits.
Enterprise SSO (SAML 2.0)
Enterprise organisations can authenticate users through their own Identity Provider using SAML 2.0. See Account Security for SSO setup.
| Feature | Description |
|---|---|
| Supported IdPs | Okta, Azure AD (Entra ID), OneLogin, Google Workspace, Auth0, PingFederate |
| Domain mapping | Automatic IdP detection based on the user's email domain |
| SSO enforcement | Require all org members to authenticate through the configured IdP, disabling direct OAuth login |
| Auto-provisioning | New users automatically created on first SSO login with a configurable default role |
| Account linking | Existing Wexio accounts (via Google, GitHub, or Microsoft OAuth) can be linked to the organisation's SSO provider |
Input Validation & Injection Prevention
GraphQL Security
All API inputs are validated through multiple layers:
- Schema-level validation — Type checking enforced by the GraphQL schema
- DTO validation — All input fields validated with strict rules (length limits, format checks, type constraints)
- Query depth limiting — Maximum 12 levels of nesting to prevent recursive query abuse
- Introspection disabled in production — API schema not exposed to potential attackers
Injection Prevention
- NoSQL injection — All user-provided search patterns are escaped before use; no dangerous operators are exposed
- XSS protection — HTML content is filtered through strict allowlists, permitting only safe formatting tags
- Input length limits — All text inputs have maximum length constraints
Webhook Verification
All incoming webhooks from third-party providers are cryptographically verified. See Integrations for channel setup.
| Provider | Verification Method |
|---|---|
| Stripe | Signature verification with webhook secret |
| WhatsApp / Meta | HMAC-SHA256 signature verification |
| Viber | Token-based verification |
| Telegram | Bot token verification |
Rate Limiting & Spam Protection
Wexio implements a comprehensive, multi-layered rate limiting and spam protection system to protect both the platform and your end users from abuse. See Spam Protection Settings for configuration.
Rate Limiting Layers
| Layer | Scope | Limit | Purpose |
|---|---|---|---|
| Network | Per IP | 10 req/s, burst 20 | Prevents network-level DDoS |
| Request body | Per request | 10 MB JSON | Prevents oversized payloads |
| File upload | Per request | 10 MB/file, 10 files | Prevents upload abuse |
| API | Per organisation | Tiered limits | Prevents API abuse |
Inbound Spam Protection
When end users send excessive messages to your bots, Wexio automatically:
- Throttles — Silently skips processing for rapid-fire messages while still saving them to chat history
- Warns — Sends a system message asking the user to slow down
- Blocks — Temporarily or permanently blocks the user based on your organisation's settings
Messages from blocked users are still saved to the database for audit purposes — only automated processing (flows, AI) is skipped. Operators can always view the messages.
Message Deduplication
Wexio uses a unique "latest wins" deduplication system. When a user rapidly sends multiple identical messages (e.g., spamming /start), only the last message is processed — preventing duplicate flow executions and bot responses.
Outbound Spam Protection
The platform protects your end users from accidental message flooding caused by misconfigured flows or infinite loops:
Per-Chat Protection
- Loop detection — If a flow card is visited 5+ times in one execution, the flow is automatically cancelled
- Message flood cap — If a single flow execution sends 50+ messages, it's cancelled
- Rate limiting — If 30+ messages are sent to one chat within 40 seconds, outbound is paused for that chat
Organisation-Level Escalation
If 3 or more chats trigger outbound violations within 5 minutes, Wexio temporarily blocks all outbound messaging for the entire organisation for 5 minutes:
- All active flows are cancelled
- Inbound messages continue to arrive normally (no data loss)
- Operators can still view chats and read messages
- All online org members receive a real-time WebSocket notification
- Outbound automatically resumes after 5 minutes
Organisation-level blocks are designed as a safety net. They automatically expire after 5 minutes, and all block events are persisted for audit purposes.
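The per-chat limits and organisation-level escalation described above, modelled as an added in-memory guard (not Wexio's code): the threshold values are the ones stated on this page, while the class, method names and the action labels it returns are assumptions, and the clock is passed in so the behaviour is deterministic.

```javascript
// Added example: the outbound protection thresholds from this page as a small
// in-memory guard. Not Wexio's code; method and action names are assumptions.
const LIMITS = {
  loopVisits: 5,        // card visited 5+ times in one execution -> cancel flow
  floodMessages: 50,    // 50+ messages from one execution -> cancel flow
  chatMessages: 30,     // 30+ messages to one chat ...
  chatWindowMs: 40_000, // ... within 40 seconds -> pause outbound for that chat
  orgViolations: 3,     // 3+ chats violating ...
  orgWindowMs: 300_000, // ... within 5 minutes -> block the whole organisation
  orgBlockMs: 300_000,  // org-wide block expires after 5 minutes
};

class OutboundGuard {
  constructor() {
    this.cardVisits = new Map(); // executionId -> Map(cardId -> visit count)
    this.sentByExec = new Map(); // executionId -> messages sent
    this.sentByChat = new Map(); // chatId -> send timestamps (ms)
    this.violations = [];        // { chatId, at } for per-chat violations
    this.orgBlockedUntil = 0;
  }

  // Loop detection: call each time a flow execution enters a card.
  visitCard(executionId, cardId) {
    const cards = this.cardVisits.get(executionId) || new Map();
    const n = (cards.get(cardId) || 0) + 1;
    cards.set(cardId, n);
    this.cardVisits.set(executionId, cards);
    return n >= LIMITS.loopVisits ? 'cancel-loop' : 'ok';
  }

  // Flood cap, per-chat rate limit and org escalation: call before each send.
  send(executionId, chatId, now) {
    if (now < this.orgBlockedUntil) return 'org-blocked';
    const n = (this.sentByExec.get(executionId) || 0) + 1;
    this.sentByExec.set(executionId, n);
    if (n >= LIMITS.floodMessages) return 'cancel-flood';
    const recent = (this.sentByChat.get(chatId) || []).filter(t => now - t < LIMITS.chatWindowMs);
    recent.push(now);
    this.sentByChat.set(chatId, recent);
    if (recent.length < LIMITS.chatMessages) return 'ok';
    // Per-chat violation; escalate when 3+ distinct chats violate within the window.
    this.violations = this.violations.filter(v => now - v.at < LIMITS.orgWindowMs);
    this.violations.push({ chatId, at: now });
    if (new Set(this.violations.map(v => v.chatId)).size >= LIMITS.orgViolations) {
      this.orgBlockedUntil = now + LIMITS.orgBlockMs; // active flows would be cancelled here
      return 'org-blocked';
    }
    return 'pause-chat';
  }
}
```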
Spam Protection Settings
Each organisation can configure their inbound spam protection behaviour:
| Setting | Options | Default |
|---|---|---|
| Spam protection | Enabled / Disabled | Enabled |
| Block mode | Throttle only / Temporary block / Permanent block | Temporary block |
| Block duration | 1–60 minutes | 5 minutes |
Rate limit thresholds and outbound protection limits are hardcoded with smart defaults and are not configurable — this ensures consistent protection across all organisations.
API Rate Limits
Public API endpoints include rate limiting with standard response headers:
```http
X-RateLimit-Limit: 200          # Max requests in current window
X-RateLimit-Remaining: 142      # Requests left in current window
X-RateLimit-Reset: 1710453795   # Unix timestamp when window resets
```
When rate limited, the API returns 429 Too Many Requests with a Retry-After header.
File Upload Security
All file uploads go through multiple security checks:
| Protection | Description |
|---|---|
| Size limits | 10 MB per file, 10 files per request |
| Filename sanitization | Filenames are sanitized with UUID prefixes and special character replacement |
| Type validation | File types are validated against an allowlist |
| Magic bytes validation | Actual file content is verified to match the claimed MIME type — prevents disguised executables |
| Malware scanning | Files are scanned in real time by AWS GuardDuty. Infected files are automatically quarantined and deleted |
| Storage isolation | Files are stored in organisation-scoped folders |
| Signed URLs | Downloads use presigned URLs with automatic expiry |
Data Retention & GDPR Compliance
Automatic Data Retention
Wexio implements configurable data retention policies that automatically clean up old messages based on your plan and settings. A daily cleanup job runs at 3:00 AM to delete messages older than the configured period. See Database Settings for retention configuration.
Retention Limits by Plan
Retention limits depend on your plan tier:
| Plan | Default Retention | Maximum Retention | Configurable |
|---|---|---|---|
| Free | 7 days | 7 days | No |
| Standard | 30 days | 30 days | Yes |
| Pro | 90 days | 90 days | Yes |
| Enterprise | 180 days | Unlimited | Yes |
Retention Settings
Organisations on eligible plans can configure:
- Message retention period — How long messages are kept before automatic deletion
- Media retention — Whether to follow message retention or set a separate period
- Delete media with messages — Automatically remove associated media files when messages are deleted
- Preserve starred chats — Keep messages in starred chats regardless of retention policy
GDPR Compliance
Wexio is designed with privacy by design and implements key GDPR requirements:
| GDPR Article | Requirement | Implementation |
|---|---|---|
| Art. 5(1)(e) | Storage limitation | Automatic retention cleanup |
| Art. 17 | Right to erasure | Organisation deletion with full data cascade |
| Art. 25 | Privacy by design | Per-organisation encryption keys with context separation |
| Art. 32 | Security of processing | AES-256-GCM encryption for all sensitive data |
Compliance & Certifications
Wexio is committed to maintaining compliance with applicable data protection regulations and industry standards.
- GDPR — Wexio processes personal data in accordance with Regulation (EU) 2016/679. We act as a Data Processor and maintain Data Processing Agreements (DPAs) with all customers covering Article 28 requirements.
- Infrastructure certifications — All services hosted in EU (Ireland). AWS maintains SOC 1/2/3, ISO 27001, ISO 27017, ISO 27018, and PCI DSS Level 1 certifications. MongoDB Atlas is SOC 2 Type II and ISO 27001 certified.
- PCI DSS — Payment processing is fully delegated to Stripe, a PCI DSS Level 1 certified provider. Wexio does not store, process, or transmit cardholder data.
- Vulnerability management — Continuous scanning with Dependabot and Snyk, critical patches within 24 hours, annual third-party penetration tests, and an active Bug Bounty programme.
Incident Response
Wexio maintains a formal Incident Response Plan following NIST SP 800-61 guidelines, with clear procedures for detecting, containing, investigating, and recovering from security incidents.
- Documented response plan covering identification, containment, eradication, recovery, and post-incident review phases with defined severity levels and escalation paths.
- Breach notification within 72 hours to affected customers and relevant supervisory authorities as required by GDPR Article 33, including the nature of the breach, affected data, and remediation steps.
- Cross-functional incident response team with defined roles, on-call rotations, and regular tabletop exercises.
- Blameless post-mortem analysis for every security incident — root causes identified, corrective actions tracked to completion, and lessons learned incorporated into security practices.
Security Layers Overview
Wexio's security is built in five layers, each providing defence in depth:
| Layer | Components |
|---|---|
| 1. Network | TLS 1.3, CORS policy, rate limiting, security headers, DDoS protection |
| 2. Authentication | JWT tokens, refresh token rotation, OAuth2, 2FA, passkeys, SSO/SAML, session management |
| 3. Authorization | Role-based access (RBAC), organisation isolation, plan-based feature gating, resource-level permissions |
| 4. Data Encryption | Per-org HKDF-derived keys, AES-256-GCM for sensitive fields, context separation, TLS in transit |
| 5. Data Lifecycle | Automatic retention cleanup, organisation deletion cascade, audit logging, backup encryption |
Compliance Status
| Category | Feature | Status |
|---|---|---|
| Encryption | Per-org key derivation (HKDF) | ✅ |
| Encryption | AES-256-GCM with AAD binding | ✅ |
| Encryption | Context separation | ✅ |
| Infrastructure | EU-hosted (AWS, Vercel, MongoDB Atlas, Upstash) | ✅ |
| Infrastructure | Network segmentation + DDoS protection | ✅ |
| Data Isolation | Tenant-scoped queries | ✅ |
| Data Isolation | Dedicated database option (Pro/Enterprise) | ✅ |
| Retention | Configurable per org with plan-based limits | ✅ |
| Retention | Automatic cleanup scheduler | ✅ |
| Auth | OAuth2 + 2FA + Passkeys + SSO/SAML | ✅ |
| Auth | Role-based access (RBAC) | ✅ |
| Auth | Organisation isolation | ✅ |
| Network | TLS 1.2/1.3 + HSTS | ✅ |
| Network | CORS policy + security headers | ✅ |
| Validation | Input validation + injection prevention | ✅ |
| Validation | GraphQL depth limiting + introspection disabled | ✅ |
| Rate Limiting | Multi-layer rate limiting | ✅ |
| Rate Limiting | Inbound + outbound spam protection | ✅ |
| File Upload | Validation + malware scanning (AWS GuardDuty) | ✅ |
| Compliance | GDPR (DPA, storage limitation, right to erasure) | ✅ |
| Compliance | PCI DSS (via Stripe) | ✅ |
| Incident Response | NIST SP 800-61 + 72-hour breach notification | ✅ |
Security Contact
If you have security concerns, wish to report a vulnerability, or need to request security documentation (including DPA or penetration test summaries), please contact our security team at security@wexio.io.