Security at Wexio
Enterprise-grade security measures to protect your data, communications, and customer relationships.
Last updated: March 31, 2026
Your Data, Protected
At Wexio, security is not an afterthought - it is a foundational principle embedded into every layer of our architecture, operations, and culture. We understand that you entrust us with sensitive business communications and customer data, and we take that responsibility seriously.
This page describes the technical, organisational, and procedural safeguards we employ to protect the confidentiality, integrity, and availability of your data. Our security practices are designed to meet or exceed the requirements of the General Data Protection Regulation (GDPR), the ePrivacy Directive, and other applicable data protection frameworks.
We continuously evaluate and improve our security posture through regular audits, penetration testing, vulnerability scanning, and incident response exercises. If you have security concerns or wish to report a vulnerability, please contact us at security@wexio.io or visit our Bug Bounty programme.
1. Encryption & Key Management
Wexio employs a multi-layered encryption system with per-organisation, per-context key derivation using HKDF (RFC 5869) with SHA-512. Each encryption context (integrations, AI, authentication, webhooks) uses a separate base key, and each organisation receives its own derived key - ensuring complete cryptographic isolation between tenants.
- AES-256-GCM encryption for all sensitive data at rest with 96-bit IVs and 128-bit authentication tags (NIST-recommended parameters).
- Additional Authenticated Data (AAD) binds each ciphertext to its organisation and context, preventing context confusion attacks where encrypted data could be moved between organisations.
- TLS 1.3 enforced on all connections with HSTS headers and modern cipher suites. Certificate pinning on critical API communications.
- Encryption keys managed through AWS KMS with automatic rotation. Access restricted to authorised personnel with multi-factor authentication.
- Separate encryption contexts for AI integrations, Telegram tokens, webhook secrets, authentication tokens and system-level settings - a compromise in one context does not affect others.
2. Infrastructure Security
Our infrastructure is hosted on enterprise-grade cloud platforms with robust physical and network security controls. All infrastructure components are deployed in compliance with SOC 2 Type II and ISO 27001 certified environments.
- Amazon Web Services (AWS) - Primary cloud infrastructure provider, operating in the EU (Ireland, eu-west-1) region. AWS maintains SOC 1/2/3, ISO 27001, ISO 27017, ISO 27018, and PCI DSS Level 1 certifications.
- Vercel - Edge hosting and serverless compute for the web application, with the default region set to EU (Ireland, dub1). Global CDN distribution with automatic DDoS protection and Web Application Firewall (WAF).
- MongoDB Atlas - Managed database cluster hosted in EU (Ireland) with SOC 2 Type II and ISO 27001 certifications. Automated backups, encryption at rest, and network-level access controls.
- Upstash Redis - Serverless Redis hosted in EU (Ireland) for rate limiting, caching, and session management. Data encrypted at rest and in transit.
- Network Segmentation - Production, staging, and development environments are strictly isolated using Virtual Private Clouds (VPCs) with granular security group rules. No direct internet access to backend services.
- DDoS Protection - Multi-layer DDoS mitigation through AWS Shield and Vercel's edge network, with automatic traffic scrubbing and rate limiting at the edge.
- Continuous Monitoring - Real-time infrastructure monitoring with automated alerting for anomalous activity, resource utilisation, and security events using CloudWatch and custom dashboards.
3. Network Security
Wexio enforces strict network security controls at every layer - from edge CDN through application servers to backend services. All traffic is encrypted, origin-restricted, and rate-limited before reaching application logic.
- CORS policy enforcement - only requests from trusted *.wexio.io origins (regex-matched at any subdomain depth and port) and localhost development ports are accepted. All other origins are rejected in production and staging.
- TLS 1.2/1.3 on all connections with HSTS (max-age=31536000; includeSubDomains). HTTP requests are automatically redirected to HTTPS at the Nginx reverse proxy level.
- Security headers via Helmet and Nginx - Strict-Transport-Security, X-Frame-Options: DENY, X-Content-Type-Options: nosniff, and Cross-Origin-Resource-Policy: cross-origin applied to all responses.
- WebSocket security - GraphQL subscriptions use WSS (encrypted WebSocket) with the same JWT authentication as HTTP requests, preventing unauthenticated real-time connections.
- Content Security Policy (CSP) on the public website restricts script sources, image origins, and connection targets to known Wexio domains.
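An Origin allowlist in the spirit of the CORS rule above, as an added example written for this page rather than Wexio's own middleware. It shows the anchoring that matters: a regex that accepts any subdomain depth and port of wexio.io must still reject look-alike hosts such as a wexio.io label buried inside another domain. The https-only requirement and the localhost port list are assumptions made for the demo.

```javascript
// Added example, not Wexio's own code: an Origin allowlist for *.wexio.io at
// any subdomain depth and port, plus localhost ports in development only.
// The https-only rule and the DEV_ORIGINS list are assumptions for this demo.
const TRUSTED_ORIGIN = /^https:\/\/([a-z0-9-]+\.)*wexio\.io(:\d{1,5})?$/i;
const DEV_ORIGINS = new Set(['http://localhost:3000', 'http://localhost:4000']);

// Browsers send Origin as scheme://host[:port] with no path, so an anchored
// regex rejects "wexio.io.attacker.example", "notwexio.io" and path tricks.
// Each repeated group must end in a dot, so the pattern cannot backtrack badly.
function isAllowedOrigin(origin, env) {
  if (typeof origin !== 'string') return false;
  if (TRUSTED_ORIGIN.test(origin)) return true;
  return env === 'development' && DEV_ORIGINS.has(origin);
}

// Headers to attach to a response, or null to send none (the browser then
// blocks the cross-origin read). Echoing the validated origin together with
// Vary: Origin is the usual shape for an allowlist, as opposed to "*", which
// cannot be combined with credentials.
function corsHeadersFor(origin, env) {
  if (!isAllowedOrigin(origin, env)) return null;
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',
  };
}
```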
4. Data Isolation & Multi-Tenancy
All organisations share a common platform by default, with strict logical isolation at the database level. For customers with advanced compliance requirements, Pro and Enterprise plans offer the option to provision a completely dedicated MongoDB database and Redis instance for full physical data separation.
- Tenant-scoped queries - a middleware layer automatically injects the authenticated organisation ID into every database operation, preventing cross-tenant data leakage even in the event of application-level bugs.
- Dedicated database option (Pro & Enterprise) - organisations can migrate to a physically isolated MongoDB instance and/or Redis, with full data migration or fresh-start modes and the ability to migrate back to shared infrastructure.
- Environment separation - production, staging and development environments are completely isolated. Testing never uses production data. Automated tests validate isolation boundaries.
- Organisation deletion cascade - when an organisation is removed, all associated data (messages, media, integrations, flows, contacts) is permanently deleted across all storage layers.
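The tenant-scoped query layer described above, as an added example written for this page and not Wexio's own middleware. Every read or delete goes through a function that ANDs the authenticated organisation id into the caller's filter, and a caller filter that names a different organisation, or tries to widen the result set through $or, cannot escape that clause. The in-memory store and the small filter matcher stand in for MongoDB; the document shapes and organisation ids are constructed.

```javascript
// Added example, not Wexio's own code: a tenant-scoping layer that injects the
// authenticated organisation id into every query. The in-memory store and the
// tiny matcher stand in for MongoDB; documents and org ids are constructed.

// Wrap the caller's filter so the tenant clause is ANDed with it. A filter
// naming a different organizationId is rejected outright; one that tries to
// smuggle another tenant in through $or is still confined by the outer $and.
function scopeFilter(filter, orgId) {
  if (typeof orgId !== 'string' || orgId === '') throw new Error('missing organisation context');
  if (filter && typeof filter === 'object' && 'organizationId' in filter
      && filter.organizationId !== orgId) {
    throw new Error('cross-tenant filter rejected');
  }
  return { $and: [{ organizationId: orgId }, filter || {}] };
}

// Minimal matcher supporting equality, $in, $and and $or (demo only).
function matches(doc, filter) {
  return Object.entries(filter).every(([key, value]) => {
    if (key === '$and') return value.every((f) => matches(doc, f));
    if (key === '$or') return value.some((f) => matches(doc, f));
    if (value !== null && typeof value === 'object' && '$in' in value) {
      return value.$in.includes(doc[key]);
    }
    return doc[key] === value;
  });
}

// Every operation goes through scopeFilter; there is no unscoped entry point,
// so a resolver that forgets to filter by organisation still cannot leak.
class TenantScopedCollection {
  constructor(store, orgId) {
    this.store = store;
    this.orgId = orgId;
  }

  find(filter = {}) {
    const scoped = scopeFilter(filter, this.orgId);
    return this.store.filter((doc) => matches(doc, scoped));
  }

  deleteMany(filter = {}) {
    const scoped = scopeFilter(filter, this.orgId);
    const kept = this.store.filter((doc) => !matches(doc, scoped));
    const removed = this.store.length - kept.length;
    this.store.splice(0, this.store.length, ...kept); // mutate in place
    return removed;
  }
}

// Constructed sample data spanning two tenants.
function sampleMessages() {
  return [
    { _id: 1, organizationId: 'org_A', text: 'hello from A' },
    { _id: 2, organizationId: 'org_B', text: 'hello from B' },
    { _id: 3, organizationId: 'org_A', text: 'second A message' },
  ];
}
```

The automated isolation tests mentioned above are essentially the assertions a reviewer would write against this wrapper: an empty filter, a filter by another tenant's document id, and an $or that names the other tenant must all return nothing, and a bulk delete must only ever remove the caller's own documents.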
5. Authentication & Authorization
Wexio supports multiple authentication methods including OAuth 2.0, two-factor authentication, passkeys, and enterprise SSO. No passwords are stored on our systems. User sessions are managed with cryptographically signed, time-limited tokens with automatic refresh rotation.
- OAuth 2.0 providers - Google, Apple, Microsoft and GitHub. No password-based authentication exists, eliminating an entire class of credential attacks.
- Two-factor authentication (2FA) - TOTP-based 30-second codes with 10 one-time recovery codes. Failed login attempts trigger account lockout to prevent brute-force attacks.
- Passkeys / WebAuthn - hardware security key and biometric authentication support via the WebAuthn standard, providing phishing-resistant credentials.
- JWT access tokens (short-lived) with refresh token rotation. Database-backed sessions with 30-day expiry and device fingerprinting.
- Role-based access control (RBAC) - Owner, Admin and Agent roles with granular permissions. Every GraphQL resolver is protected by layered guards: JWT authentication, organisation access, chat-level access, role verification and plan usage limits.
- Google reCAPTCHA on all public-facing forms for bot detection and abuse prevention.
6. Enterprise SSO (SAML 2.0)
Enterprise organisations can authenticate users through their own Identity Provider using SAML 2.0, providing centralised access management, automatic provisioning and de-provisioning, and the ability to enforce SSO for all organisation members.
- SAML 2.0 support with leading identity providers - Okta, Azure AD (Entra ID), OneLogin, Google Workspace, Auth0 and PingFederate.
- Per-organisation SSO configuration with email domain mapping for automatic IdP detection based on the user's email address.
- SSO enforcement mode - require all organisation members to authenticate through the configured IdP, disabling direct OAuth login.
- Auto-provisioning - new users are automatically created on first SSO login with a configurable default role. Existing accounts can be linked to SSO.
- Account linking - users with existing Wexio accounts (via Google, GitHub or Microsoft OAuth) can link their account to the organisation's SSO provider.
7. Input Validation & Injection Prevention
Wexio applies defence-in-depth input validation from the GraphQL schema layer through application-level validators to database query sanitization, preventing injection attacks and data corruption at every entry point.
- Global ValidationPipe with class-validator decorators on all DTOs - @IsString(), @MaxLength(), @IsEmail(), @Matches(), @ValidateNested() and more. Invalid input is rejected before reaching business logic.
- GraphQL query depth limiting (max 12 levels) via graphql-depth-limit prevents recursive query abuse and denial-of-service through deeply nested queries.
- GraphQL introspection disabled in production - the schema is not exposed to attackers. Debug mode disabled in production to prevent error detail leakage.
- NoSQL injection prevention - all user-provided regex patterns are escaped via escapeRegex() before use in MongoDB $regex operators. No $where or $function operators are exposed to users.
- XSS sanitization - HTML allowlists for Telegram messages and AI copilot streaming output. Only safe tags (b, strong, i, em, a, code, pre) pass through; all others are stripped.
- Webhook signature verification - Stripe (constructEvent), WhatsApp/Meta (HMAC-SHA256), Viber (token verification) and Telegram (bot token) webhooks are cryptographically verified before processing.
- Environment variable validation at startup using Joi schema - application fails fast if any required configuration is missing or invalid.
8. File Upload & Malware Protection
Every file uploaded to Wexio passes through multiple validation layers before storage and is scanned for malware using AWS GuardDuty before becoming accessible. Files are stored in organisation-scoped S3 folders with signed URL access.
- File size and count limits - 10 MB per file, maximum 10 files per request. Nginx enforces a 20 MB total body size limit at the reverse proxy level.
- Magic bytes validation - the file-type library verifies that actual file content matches the claimed MIME type, preventing disguised executables from being uploaded as images or documents.
- Filename sanitization - uploaded filenames are prefixed with UUIDs and special characters are replaced with underscores, preventing path traversal and injection attacks.
- Malware scanning - all files are scanned in real time by AWS GuardDuty using anti-malware signatures and heuristic analysis. Infected files are automatically quarantined and deleted.
- Organisation-scoped storage - files are stored in isolated S3 folders per organisation. Downloads are served via presigned S3 URLs with configurable expiry.
9. Spam & Abuse Protection
Wexio implements a multi-layer spam protection system that guards against both inbound abuse (users flooding bots) and outbound abuse (misconfigured flows sending excessive messages). The system uses Redis-based rate limiting with intelligent escalation.
- Inbound rate limiting - sliding window counters per chat (20 messages per 5 seconds, 60 per minute) with automatic escalation from throttling to temporary or permanent blocking based on violation frequency.
- Message deduplication - a "latest wins" mechanism ensures that rapid-fire duplicate messages (e.g. spamming /start) only trigger one flow execution, reducing wasted compute and preventing duplicate bot responses.
- Outbound flow protection - loop detection halts flows that visit the same card 5+ times; message flood detection cancels flows exceeding 50 messages per execution; per-chat outbound rate limits pause delivery at 30 messages per 40 seconds.
- Org-level escalation - when 3+ different chats trigger outbound violations within 5 minutes, all outbound for the organisation is paused for 5 minutes while inbound messages continue to arrive without data loss.
- API rate limiting - per-organisation limits (10/second burst, 200/minute sustained) with standard rate-limit headers and 429 responses. Per-channel broadcast limits respect platform API constraints (Telegram 30/sec, WhatsApp 80/sec, Viber 500/sec).
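A sliding-window inbound limiter with escalation, as an added example written for this page and not Wexio's own implementation. The 20-per-5-seconds and 60-per-minute limits come from the list above; the escalation thresholds (throttle on the first breaches, a one-minute block from the third, permanent block from the tenth), and the in-memory timestamp store standing in for Redis, are assumptions made for the demo. The clock is injectable so the behaviour can be checked deterministically.

```javascript
// Added example, not Wexio's own code: per-chat sliding-window limits with
// escalation from throttling to temporary and then permanent blocking.
// The window sizes follow the page; ESCALATION values and the in-memory
// store (a stand-in for Redis sorted sets) are assumptions for this demo.
const WINDOWS = [
  { ms: 5000, max: 20 },
  { ms: 60000, max: 60 },
];
const ESCALATION = { tempBlockAfter: 3, tempBlockMs: 60000, permBlockAfter: 10 };

class ChatRateLimiter {
  constructor(now = () => Date.now()) {
    this.now = now;
    this.hits = new Map();         // chatId -> message timestamps (ms)
    this.violations = new Map();   // chatId -> count of limit breaches
    this.blockedUntil = new Map(); // chatId -> timestamp, or Infinity
  }

  // Returns { action: 'allow' | 'throttle' | 'block' | 'permanent', ... }.
  // 'throttle' means this message is dropped but the chat is not yet blocked.
  check(chatId) {
    const t = this.now();
    const until = this.blockedUntil.get(chatId);
    if (until === Infinity) return { action: 'permanent' };
    if (until !== undefined && t < until) return { action: 'block', retryAfterMs: until - t };

    // Drop timestamps outside the longest window, then test each window.
    const longest = Math.max(...WINDOWS.map((w) => w.ms));
    const stamps = (this.hits.get(chatId) || []).filter((s) => t - s < longest);
    const breached = WINDOWS.find((w) => stamps.filter((s) => t - s < w.ms).length >= w.max);
    stamps.push(t); // over-limit attempts still count, so persistence escalates
    this.hits.set(chatId, stamps);
    if (!breached) return { action: 'allow' };

    const v = (this.violations.get(chatId) || 0) + 1;
    this.violations.set(chatId, v);
    if (v >= ESCALATION.permBlockAfter) {
      this.blockedUntil.set(chatId, Infinity);
      return { action: 'permanent', violations: v };
    }
    if (v >= ESCALATION.tempBlockAfter) {
      this.blockedUntil.set(chatId, t + ESCALATION.tempBlockMs);
      return { action: 'block', retryAfterMs: ESCALATION.tempBlockMs, violations: v };
    }
    return { action: 'throttle', window: `${breached.max}/${breached.ms / 1000}s`, violations: v };
  }
}
```

With Redis the timestamp list becomes a sorted set keyed by chat id (ZADD on arrival, ZREMRANGEBYSCORE to trim, ZCARD to count) and the violation counter and block expiry become keys with TTLs; the decision logic stays the same.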
10. Data Retention & GDPR
Wexio implements configurable data retention policies that automatically delete messages and associated media after a defined period. Retention limits are enforced by plan tier, with a daily automated cleanup process.
- Plan-based retention limits - Free: 7 days, Basic: 30 days, Standard: 30 days (configurable), Pro: 90 days (configurable), Enterprise: unlimited (configurable).
- Automatic daily cleanup at 03:00 UTC - expired messages, associated media and reactions are permanently deleted. Organisations can optionally preserve starred chats.
- Manual cleanup trigger available to organisation owners for immediate GDPR compliance needs (right to erasure, Art. 17).
- GDPR Article 5(1)(e) storage limitation, Article 17 right to erasure, Article 25 privacy by design (per-org encryption keys), and Article 32 security of processing (AES-256-GCM) - all implemented.
11. Compliance & Certifications
Wexio is committed to maintaining compliance with applicable data protection regulations and industry standards. We regularly review our practices against evolving regulatory requirements.
- GDPR - Wexio processes personal data in accordance with (EU) 2016/679. We act as a Data Processor and maintain Data Processing Agreements (DPAs) with all customers covering Article 28 requirements.
- Infrastructure - All services hosted in EU (Ireland). AWS maintains SOC 1/2/3, ISO 27001, ISO 27017, ISO 27018 and PCI DSS Level 1 certifications. MongoDB Atlas is SOC 2 Type II and ISO 27001 certified.
- PCI DSS - Payment processing is fully delegated to Stripe, a PCI DSS Level 1 certified provider. Wexio does not store, process or transmit cardholder data.
- Vulnerability Management - Continuous scanning with Dependabot and Snyk, critical patches within 24 hours, annual third-party penetration tests, and an active Bug Bounty programme.
12. Incident Response
Wexio maintains a formal Incident Response Plan following NIST SP 800-61 guidelines, with clear procedures for detecting, containing, investigating and recovering from security incidents.
- Documented response plan covering identification, containment, eradication, recovery and post-incident review phases with defined severity levels and escalation paths.
- Breach notification within 72 hours to affected customers and relevant supervisory authorities as required by GDPR Article 33, including the nature of the breach, affected data and remediation steps.
- Cross-functional incident response team with defined roles, on-call rotations and regular tabletop exercises.
- Blameless post-mortem analysis for every security incident. Root causes identified, corrective actions tracked to completion and lessons learned incorporated into security practices.
Security Contact
If you have security concerns, wish to report a vulnerability, or need to request our security documentation (including DPA or penetration test summaries), please contact our security team:
Wexio LLC
Email: security@wexio.io
For vulnerability reports, please visit our Bug Bounty page.