Cloud API Architecture
Since October 2025, WhatsApp Business Platform runs on Cloud API. At a high level:
- Businesses send messages through Meta Graph API
- Businesses receive events through webhooks
- Meta Cloud API acts as the managed messaging intermediary between business systems and WhatsApp transport
Encryption Model
WhatsApp messaging uses the Signal protocol for encryption. Cloud API also applies standard platform security controls:
- Data in transit —
HTTPS+TLS - Data at rest — encrypted storage on Meta infrastructure
Security boundary:
- WhatsApp transport does not expose message content to WhatsApp operators.
- Cloud API processes message content to provide platform functionality on behalf of the business.
Message Flow
User to Business
- User sends a message.
- Message is encrypted in transit to Cloud API.
- Cloud API processes and decrypts for delivery to the business webhook.
- Data is temporarily retained for core platform functionality (e.g. retries and retransmissions).
Business to User
- Business sends message request to Cloud API.
- Cloud API temporarily stores and processes for delivery and reliability.
- Cloud API encrypts for destination delivery.
- WhatsApp transport delivers to the user client.
In Dualhook setups, inbound messages arrive at your endpoint via Webhook Override. Outbound messages are sent directly from your backend to Meta Graph API.
Local Storage (Data Residency)
Cloud API supports local storage for message data at rest in selected regions. This is useful for businesses with regulatory or residency requirements.
Data localized by Local Storage can include:
- Incoming and outgoing messages
- Text, media, and template payloads
- Limited metadata needed for linkage and auditing
Supported Regions (as of February 2026)
| Region | Countries |
|---|---|
| APAC | India, Singapore, Indonesia, South Korea, Japan, Australia |
| LATAM | Brazil |
| MEA | South Africa, Bahrain |
| Europe | EU (Germany), UK, Switzerland |
| North America | Canada |
Region availability can change. Always validate against current Meta documentation before rollout.
Enabling Local Storage
- Request Local Storage for a specific WABA through support.
- Specify target storage region.
- Confirm change with the PIN sent to the WABA phone number.
- Verify data location after activation.
Rollback to default region typically requires a support request as well.
Stored and Collected Data
Cloud API stores and processes operational data needed for platform behavior. Published guidance describes temporary message retention up to 30 days for core functionality (such as retries and retransmissions).
Business identity and config data is managed in Meta business systems. Consumer identifiers used for delivery are processed for message routing.
GDPR and Shared Responsibility
Meta provides platform controls and documentation to support compliance. Each business remains responsible for its own legal compliance obligations (GDPR and other applicable laws).
Platform security controls do not replace your internal privacy, access-control, and retention policies.
Dualhook Security Model
Dualhook follows a stricter privacy boundary than what Cloud API requires:
- Message content is routed directly from Meta to your webhook endpoint via Webhook Override.
- Dualhook does not proxy or store message bodies or media.
- Dualhook stores only operational metadata needed for setup, monitoring, and compliance features.
See Compliance & Data Retention for retention windows and export options.
Operational Security Checklist
- Protect access tokens and rotate them on schedule.
- Validate webhook signatures (
X-Hub-Signature-256) and enforce HTTPS. - Use least-privilege roles for Meta portfolio and system users.
- Enable and manage two-step verification on business numbers.
- Monitor quality, account alerts, and security-related webhook events.
- Keep clear audit trails for template changes, number ownership, and webhook endpoint changes.