Security / TOMs
Effective date: June 30, 2026
1. Security Program
Dualhook applies practical security controls appropriate for a small self-serve SaaS. Measures are reviewed as the service evolves and may be updated if the overall level of protection is not materially reduced.
Dualhook does not currently publish independent security attestations, a formal uptime SLA, or a commitment that all processing stays in one country or region.
2. Access Control
- Authentication is handled through Clerk.
- Dashboard access is scoped to the user's authenticated organization.
- Organization-scoped records are queried and updated with organization identifiers.
- Platform API keys are generated once, displayed once, and stored as SHA-256 hashes with a limited display prefix.
- Secret reveal events are logged for sensitive connection secrets.
3. Encryption and Secrets
- Production traffic is served over HTTPS/TLS through the hosting platform.
- Connection secrets such as Meta access tokens and webhook verify tokens are encrypted at the application layer using AES-256-GCM with a master key from environment configuration.
- Partner API keys are stored as hashes, not as plaintext.
- Support attachments are stored as private Vercel Blob objects and are served through authenticated access checks.
4. Data Minimization
Dualhook is designed around direct webhook routing. In the standard Webhook Override flow, message-path traffic is routed from Meta to the customer endpoint configured in Dualhook. Dualhook stores operational metadata needed for setup, monitoring, support, billing, security, and auditability.
Webhook logs and health checks can be retained for 7, 30, or 90 days according to the organization's Compliance settings. Support attachment blobs are deleted 7 days after ticket closure.
5. Application Controls
- Webhook endpoint validation rejects unsafe local, private, loopback, link-local, metadata, documentation, and otherwise non-public targets where the validation path applies.
- Platform API endpoints use scoped rate limits.
- Customer webhook delivery includes trace IDs and delivery status metadata for troubleshooting.
- The Platform API supports signed event webhooks for partner lifecycle events.
- Operational email delivery uses idempotency keys for duplicate-prone lifecycle and alert sends.
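One way to implement the webhook endpoint check from the first item in this list, as an added example and not Dualhook's own code. The function names, the https-only rule, and the sample hosts and addresses used to exercise it are assumptions.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

def ip_rejection_reason(addr):
    """Return why addr is not a public target, or None if it is public."""
    ip = ipaddress.ip_address(addr)
    # Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) so the IPv4 rules apply.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:  # includes the 169.254.169.254 metadata address
        return "link-local"
    if ip.is_multicast:
        return "multicast"
    if ip.is_private:  # RFC 1918, documentation ranges, reserved blocks
        return "private or documentation"
    if not ip.is_global:  # e.g. 100.64.0.0/10 shared address space
        return "non-public"
    return None

def system_resolver(host):
    """Resolve host to every address a delivery could connect to."""
    infos = socket.getaddrinfo(host, 443, type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})

def validate_webhook_url(url, resolver=system_resolver):
    """Return (ok, reason); every resolved address must be public."""
    parts = urlsplit(url)
    if parts.scheme != "https":  # assumption: only https targets accepted
        return False, "scheme must be https"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        ipaddress.ip_address(host)
        addrs = [host]  # IP literal, no DNS lookup needed
    except ValueError:
        try:
            addrs = resolver(host)
        except OSError:
            addrs = []
    if not addrs:
        return False, "host does not resolve"
    for addr in addrs:
        reason = ip_rejection_reason(addr)
        if reason:
            return False, f"{addr} is {reason}"
    return True, "ok"
```

A check made only when the URL is saved does not cover DNS answers that change later, so delivery code should connect to an address that passed the same check.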
6. Logging and Monitoring
- Webhook delivery metadata, health-check snapshots, connection alerts, email delivery logs, secret reveal events, and support tickets are logged for operational purposes.
- Admin and support workflows use organization and ticket scoping.
- Errors and abuse signals are recorded for troubleshooting, fraud prevention, and service protection.
- Logs are intended for operational metadata and should not be used by customers as a message-content storage system.
7. Subprocessors
Dualhook uses subprocessors for authentication, hosting, database, email, analytics, storage, and billing as listed on the Subprocessors page. Subprocessor terms and provider controls supplement Dualhook's own measures.
8. Incident Handling
If Dualhook becomes aware of a personal data breach affecting customer personal data processed under the DPA, Dualhook will notify affected customers without undue delay and provide information reasonably available at the time.
Suspected security issues can be reported to contact@dualhook.com.
9. Customer Responsibilities
- Use strong authentication practices for your users and remove access that is no longer needed.
- Protect webhook endpoints, verify tokens, API keys, Meta credentials, and downstream systems.
- Configure retention, exports, and downstream tooling to match your own legal and security obligations.
- Review Meta / WhatsApp policy requirements, end-user notices, opt-ins, and lawful basis for your messaging use cases.