Security

Built to keep your business safe

Security is a core design principle at OtomoAI — from the messaging APIs we chose, to how we store your data, to how we handle webhooks. This page explains our current security posture.

Last updated: June 2026

Built on official APIs, not workarounds

The single biggest risk for businesses using WhatsApp automation is getting their number permanently banned. It happens when tools use unofficial methods — browser automation, reverse-engineered clients, or unapproved third-party libraries.

OtomoAI uses the official WhatsApp Cloud API, operated through Meta's Business Solution Provider programme. This is the same API Meta built for enterprise businesses. We also use the official Telegram Bot API for Telegram channels. We do not use unofficial automation, web-scraping, or unapproved tools.

  • Meta-approved WhatsApp Cloud API — your number is registered correctly with Meta, not running through a workaround.
  • Telegram Bot API — official Telegram infrastructure, fully supported and stable.
  • No browser automation or WhatsApp Web scraping — the most common cause of permanent number bans.
  • Your WhatsApp Business Account remains under your control at all times.

Messaging compliance

Compliance protects your customers and keeps your account in good standing with Meta and Telegram. We build these rules into every chatbot we deploy.

  • Opt-in conversations only — we never initiate contact with people who have not messaged your business first.
  • WhatsApp 24-hour window — proactive messages outside the customer-service window use only Meta-approved message templates, as required by WhatsApp policy.
  • No cold-blasting or spam — mass unsolicited outreach is not a feature we offer or support.
  • Rate limiting — message sending is throttled to stay within Meta and Telegram platform rate limits.
  • Full adherence to Meta's Business Messaging Policy and Telegram's Bot API Terms of Service.

Infrastructure and network security

  • HTTPS everywhere: all traffic is encrypted in transit using TLS 1.3. HTTP requests redirect to HTTPS automatically.
  • Cloudflare edge: the platform runs behind Cloudflare, providing DDoS mitigation, WAF protection, and rate limiting at the network edge.
  • Serverless API: backend logic runs as isolated Cloudflare Pages Functions — no persistent server process reduces the attack surface.

Authentication and access control

  • JWT authentication: all API requests are authenticated with short-lived JSON Web Tokens issued by Supabase Auth.
  • Multi-factor authentication (MFA): TOTP authenticator app MFA is available and strongly recommended for all accounts.
  • OAuth 2.0: Google sign-in uses the standard authorisation code flow — we never receive or store your Google password.
  • Row-Level Security (RLS): Supabase RLS policies enforce data isolation at the database layer.
  • Service role isolation: the Supabase service role key is used exclusively server-side and is never exposed to the browser.

Data encryption

  • In transit: all data between your browser, our API, and third-party services is encrypted with TLS 1.3.
  • At rest: data stored in Supabase (PostgreSQL) is encrypted at rest using AES-256 managed by the cloud provider.
  • Secrets management: API keys, webhook secrets, and credentials are stored as encrypted environment variables in Cloudflare — never hardcoded in source.

Webhook and API security

  • HMAC signature verification: all inbound webhooks (payment callbacks, etc.) are verified with HMAC-SHA256 signatures before processing.
  • Outbound webhook signing: outbound requests to internal systems are signed with HMAC-SHA256 to prevent tampering.
  • Rate limiting and pagination bounds: API endpoints enforce rate limits and capped pagination to prevent abuse.
  • Idempotency keys: payment and booking operations use idempotency controls to prevent duplicate processing.

Monitoring and incident response

  • Error tracking: Sentry monitors application errors and performance anomalies in real time.
  • Audit logging: security-relevant events (logins, permission changes, payment actions) are written to immutable audit logs.
  • Incident response: we maintain an internal incident response process. Critical security issues are prioritised for same-day remediation.

Compliance

  • PDPA Malaysia: we process personal data in accordance with Malaysia's Personal Data Protection Act 2010. See our Privacy Policy for full details.
  • OWASP Top 10: our development and security review processes follow OWASP Top 10 guidelines.
  • Dependency management: third-party dependencies are regularly reviewed and updated to address known vulnerabilities.

Read the Privacy Policy

Responsible disclosure

We welcome responsible disclosure of security vulnerabilities. If you discover a potential security issue, please report it privately before making it public so we have time to investigate and remediate.

Report a vulnerability

Email: enquiry@otomoai.com.my

Subject: [Security Report] Brief description

We commit to acknowledging your report within 72 hours and providing a resolution timeline. We will not take legal action against researchers who act in good faith.