GDPR, Security and Privacy for WhatsApp Business

tyntec's API for WhatsApp Business solution is GDPR compliant and secure with WhatsApp's renowned end-to-end encryption, tyntec's Germany-based datacenters, and enterprise-grade security.

Show Documentation

Stay Compliant with GDPR

With 15+ years of experience in enterprise messaging, tyntec has maintained strict adherence to enterprise-grade governance and security requirements. Also, tyntec's datacenters are based in Germany and fully comply with GDPR.

End-to-End Encryption

Messages between your servers and tyntec’s servers are end-to-end encrypted via HTTPs. This means, even WhatsApp cannot read or decrypt any conversations between you and your users.

Hosted in Europe

We host our data centers and network infrastructure in-house in Germany, allowing us to monitor and control our own network without relying on a third party provider. 

Secure Data Processing

The phone numbers provided by your business are translated to a routing ID within tyntec’s data centers before being transmitted to WhatsApp's network for message delivery.

Strict Data Protection

No messages or media assets are archived on tyntec's side, and the WhatsApp Business API doesn't access the users phones or their address books. This ensures compliance with strict data protection standards.

Secure Transmission

tyntec offers multiple secure transmission options, such as VPN tunnels or TLS. These safeguards protect messages throughout their transmission journey without the risk of exposure.

Penetration Testing

tyntec’s systems are regularly tested with routine penetration tests and automated vulnerability scans, performed by certified penetration testers. 

End-to-End Encryption

Messages on the WhatsApp Business solution are encrypted from tyntec to the device, and secured over HTTPS from your application to tyntec. WhatsApp cannot read or decrypt any shared content.


GDPR & Security Guide

In the WhatsApp Business API Security Guide, you’ll learn:

  • WhatsApp Business Solution's Compliance with GDPR
  • Data Protection and Storage
  • Data Processing
  • End User Opt-in and Opt-out
  • tyntec’s Security

Your Questions Answered

  • Is personal data being stored on European servers?

    Facebook operates a global infrastructure and processes data in both EU and US-based servers. WhatsApp stores data in the United States and stores encrypted media worldwide to increase efficiency.


    This processing is supported by strict legal compliance for safeguarding any transfers of personal data outside of the EU. WhatsApp has certified for cases in which it acts as a data Processor under Privacy Shield, as explained further in its Privacy Shield Addendum and certification.

  • Where is a client's customer data being stored?

    Clients are responsible for storing their own customer contacts and messages. WhatsApp does not store this data for any longer than necessary to route and deliver messages. If a message cannot be delivered immediately, we may keep it on our servers for up to 30 days as we try to deliver it.


    If a message is still undelivered after 30 days, we delete it. To improve performance and deliver media messages more efficiently, we may retain them on our servers for a longer period of time.

  • What is tyntec’s role in data privacy, security, and GDPR compliance?

    Security is a priority for both WhatsApp and tyntec. Data privacy, data storage, and secure transmission are meant to identify security flaws and adhere to GDPR and other regulations.


    WhatsApp has provided full encryption to personal communications — and will also extend this feature to businesses. In addition, media and messages are only stored for delivery and deleted after 7/30 days respectively. 

  • How should I implement opt-in for WhatsApp?

    WhatsApp expects businesses to be upfront and transparent with their customers about how the platform will be used to deliver notifications and messages to them—and exactly what these messages will contain. Opt-in, therefore, plays a crucial role in setting up your service.


    First, the customer can only give their consent via a 'third party channel', an opt-in form on one of the business's existing communications channels, such as email, website, SMS, app, dedicated landing page, etc. Opt-ins should be active, meaning that the customer must actively show their consent by entering/editing a phone number or by checking a box.

    Secondly, businesses must be clear on what customers are signing up to—and what type of information they will receive once they have consented.


    Find more information about how to implement opt-in here.

  • Does WhatsApp see itself as a Data Controller, Data Processor or both?

    Both - depending on the circumstances. Below, we've outlined details about WhatsApp's role in each of these designations.


    • Data controller: With respect to consumer end users of WA Messenger, WhatsApp acts as a data controller, as set forth in the privacy policy applicable to WA Messenger consumer end users.
    • Data processor: Each Client is a data Controller of its customer contacts. When the Client provides its customer contacts to WhatsApp via the WhatsApp Business Solution, WhatsApp is a data Processor of those customer contacts, and processes those customer contacts for the purpose of delivering the client's WhatsApp messages to those customers.


    Our Data Processing Terms align with GDPR requirements governing contracts between data controllers and data processors.

Customer References October 2019