Meta-Approved Instagram Integration
Waveloop is a Meta Tech Provider. Every Instagram action your account performs through Waveloop goes through Meta's official Graph API, with the scopes you explicitly authorize via the standard Meta OAuth 2.0 login flow. We never ask for, store, or transmit your Instagram password.
- No browser automation or unofficial Instagram clients
- No scraping or reverse-engineering of Instagram interfaces
- Respect for Meta's rate limits (e.g., 200 DMs/hour, 24-hour messaging window)
- You can revoke Waveloop's access at any time from your Instagram settings
Encryption
- In transit: TLS 1.2+ for all traffic between browsers, our application, and third-party services
- At rest: industry-standard encryption (AES-256) for databases, backups, and object storage
- Secrets: API keys and credentials are stored in an encrypted secrets manager, never in source code
- Passwords: hashed with bcrypt using a high number of salt rounds (the bcrypt cost factor); we never store plaintext passwords
Infrastructure
- Hosted on enterprise-grade cloud infrastructure with regional redundancy
- Network segmentation, firewalls, and managed intrusion detection
- High-availability database with automated, encrypted backups
- Continuous logging and monitoring for security and availability events
- Standard patch management for OS, application, and dependency vulnerabilities
Access Control
- Least-privilege access — only a small set of engineers can access production data, and only when required for support or operations
- Multi-factor authentication required for all administrative access
- Single sign-on, audit logging, and periodic access reviews
- Production access is time-bound and revoked when an engineer's role changes
Application Security
- Secure software development lifecycle with peer code review on every change
- Automated dependency vulnerability scanning
- Protections against common web vulnerabilities (CSRF, XSS, injection)
- Periodic security reviews, including third-party penetration testing as we scale
Incident Response
We maintain a documented incident response procedure that covers detection, triage, containment, eradication, recovery, and post-incident review. In the event of a personal data breach, customers will be notified without undue delay and in any event within 72 hours of confirmation, in accordance with our Data Processing Agreement.
Backups & Disaster Recovery
- Automated, encrypted database backups taken regularly and tested for restorability
- Geographic redundancy for critical data
- Defined Recovery Time Objective (RTO) and Recovery Point Objective (RPO) targets reviewed periodically
Vendor & Sub-processor Security
We rely on a small set of carefully selected sub-processors (cloud hosting, payments, email, analytics). Each is bound by data-protection obligations equivalent to those in our DPA. The current list and notification process are in the DPA.
Privacy & Compliance
- GDPR-aware practices for users in the EEA, UK, and Switzerland
- CCPA/CPRA rights for California residents
- Alignment with India's Digital Personal Data Protection Act, 2023
- Standard Contractual Clauses for international data transfers where applicable
- No sale of personal data; no training of AI models on customer DM content
Responsible Disclosure
If you believe you've discovered a security vulnerability in Waveloop, please report it privately to [email protected]. We'll acknowledge receipt within two business days, work with you on a fix, and credit researchers who report in good faith and follow standard responsible-disclosure practice. Please do not test on accounts you don't own and do not access, modify, or delete data belonging to other users.
Contact
General questions: [email protected]
Security reports: [email protected]
Security is an ongoing program. We continue to invest in formal certifications (e.g., SOC 2, ISO 27001) as we scale.