Whatagraph Security Policy

This security policy is applicable from May 24th, 2024.

Security and Trust

Keeping your data safe and secure is paramount. We adopt industry-standard, design-led approaches to security at all levels: the way we design our software, its deployment, maintenance, and monitoring, our platform architecture, and our operational standards. At all times you retain control over the data Whatagraph has access to and the transactions that occur, and you can request deletion of all personal data at any time. With this goal in mind, our systems have been developed from scratch, adhering to the highest standards of security and data protection best practices.

In pursuit of our commitment to security, we have built our systems from the ground up, adhering to the best practices in security and data protection:

  1. Access to information resources is granted according to an individual’s role and the data classification. Each employee uses a unique password with a minimum of 8-10 symbols to log into their account, which is secured with 2-step verification. To ensure the highest level of data protection, passwords must be changed to a new one every 6 months. 
  2. We encrypt data using AES-256 encryption. 
  3. We obtain your data through third-party data integrations and create backup copies. These copies are retained for a specified period or until they are no longer relevant, after which they are deleted.


Whatagraph’s three basic pillars of information security are confidentiality, integrity, and availability:

Confidentiality: Confidentiality is a property ensuring that information managed by information technology and systems is accessible only to authorized individuals. Access is granted following proper identification and only at permitted times and through approved methods. This principle protects sensitive information from unauthorized disclosure.

Integrity: Integrity refers to the assurance that information managed by information systems and technology remains valid, accurate, and complete. It ensures that the content, as provided by the stakeholders, remains unaltered and free from unauthorized manipulation. Only authorized individuals have the privilege to modify the information, safeguarding its authenticity and trustworthiness.

Availability: Availability ensures that information and systems are accessible and usable on demand by authorized and verified users. This principle guarantees that information technology and systems provide continuous access to information, even in the face of anticipated disruptions, ensuring the information's persistence and the system's reliability.

Contact security@whatagraph.com if you have any questions or feedback.

User processed data

Whatagraph is committed to the security of the data you process with us. To that end, we have created our systems from the ground up based on security and data protection best practices.

We may store integration data on our servers to improve the deliverability of data with the service.

We keep your user access tokens to enable data retrieval upon your request or according to your schedules. Additionally, we may hold onto information like custom field metadata or account names and details when such data is necessary for the operation of the data source integration.

Please see our Terms and Conditions and Privacy Policy for more details.


Whatagraph requires users to give access to read the data from data sources, e.g. Facebook Ads and Google Ads APIs. Where possible, we will make use of OAuth access tokens. By this mechanism, the user grants access to the data through the data source service and we receive a token by which we access and retrieve the data. Every user can request to revoke the tokens and remove usage data by contacting customer support by email at customersupport@whatagraph.com.

Whatagraph only ever requires the minimum amount of permission to read the data. We will only ever access your data on your instructions. Where a data source gives us more than read-only access due to the nature of the data source, Whatagraph will never make use of those permissions.

Website, account management, and purchases

All interactions with our services, including access to our web portal, account management system, and any transactions, are securely encrypted by default using standard cryptographic protocols (TLS 1.2 or higher). If there's an attempt to connect via an unencrypted channel (HTTP), it is automatically redirected to a secure, encrypted channel (HTTPS).

All payment instrument processing is safely outsourced to Braintree, which is certified as a PCI Level 1 Service Provider. We do not collect any payment information and are therefore not subject to PCI obligations.

We monitor and protect our network against unauthorized access using:

  • A virtual private cloud (VPC), a bastion host or VPN with network access control lists (ACLs), and no public IP addresses.
  • A firewall that monitors and controls incoming and outgoing network traffic.
  • An intrusion detection and prevention (IDS/IPS) solution that monitors and blocks potentially malicious packets.
  • A Web Application Firewall (WAF) to protect our applications, increase visibility, and secure code.
  • IP address filtering.

We also use Distributed Denial of Service (DDoS) mitigation services powered by an industry-leading solution.

Cloud Infrastructure

All of our services run in the cloud. We do not host or run our own routers, load balancers, DNS servers, or physical servers. Whatagraph uses leading cloud providers to process your data. Google Cloud Platform and Amazon Web Services are our providers of choice, and both organizations have excellent compliance and regulatory audits including SOC 1/2-3, PCI-DSS, and ISO 27001.

Documents on Google Cloud Platform and Amazon Web Services certifications can be obtained directly from Google and Amazon respectively.

GDPR compliance and data sovereignty

Whatagraph is compliant with the General Data Protection Regulation (GDPR). Your data is processed in the European Union. Any transfer to a third country is guaranteed under GDPR rules.

Company policies

Whatagraph requires that all employees comply with security policies designed to keep any and all user information safe and address multiple security compliance standards, rules, and regulations. We ensure that all employees are trained on our security policies immediately, and at least annually after that.

Incident Response Plan

Whatagraph has adopted a comparative incident management procedure. It includes steps of incident detection, response, recovery, and post-incident analysis to mitigate and prevent security breaches. 

For more information about our security policies please contact security@whatagraph.com.
