Compliance & Data Retention

Privacy boundary, configurable retention, CSV export, and organization isolation.

Looking for the high-level overview first? Start with WhatsApp API Privacy and then return here for the implementation details.

Privacy Boundary

Dualhook enforces a strict metadata-only boundary for operations:

  • No message body storage — message content routes directly from Meta to your endpoint via Webhook Override.
  • No WhatsApp media binary storage — Dualhook does not proxy or retain WhatsApp media files in the standard Webhook Override flow.
  • No conversation archive — Dualhook does not maintain a record of message threads.

Only operational metadata needed for setup, monitoring, and compliance features is stored. This includes webhook delivery logs, health check snapshots, template management records, and connection configuration.

Configurable Retention

Organization admins can set retention windows for webhook logs and health checks:

WindowUse case
7 daysMinimal retention for lean operations
30 daysStandard operational window
90 daysExtended retention for audit and compliance

Records older than the configured retention policy are purged automatically. Retention settings apply per organization and can be adjusted at any time from the Dualhook dashboard.

CSV Export

Dualhook supports CSV export of webhook logs for audits and incident analysis.

Current CSV columns:

ColumnDescription
idInternal log record ID
event_typeWebhook event type
delivery_statusDelivery outcome (delivered, failed, pending)
waba_idWhatsApp Business Account ID
phone_number_idPhone number ID
trace_idDualhook trace identifier
received_atTimestamp when event was received
delivered_atTimestamp when event was forwarded
error_messageError details (if applicable)

Organization Isolation

All compliance settings and exported data are organization-scoped. One organization cannot access another organization's logs, settings, or connection data.

This isolation extends to all Dualhook features: webhook logs, health checks, template management, and connection configuration are fully partitioned by organization.

The same organization boundary also applies to in-app support conversations. Support tickets are attached to the workspace that created them, which helps keep operational context and access controls aligned.

For architecture and security details, see Architecture & Security. For formal legal terms, see the Privacy Policy, DPA, Subprocessors, and Security / TOMs. For account health management, see Maintain Account Health. For the support workflow itself, see Support, Contact, and Bug Reports.

Related

Browse more docsStart Free Trial