Reliable by design.
Secure by nature.
Your trust is our most valuable asset. Hooki is built on a modern architecture that protects your data and your clients' data at every stage.
Advanced Encryption
Encrypted disk on servers (at-rest encryption). AES-256 — banking standard — for WhatsApp credentials. No sensitive data is stored in plaintext.
EU Infrastructure
All servers are in certified European Union datacenters. Full GDPR compliance. Public DPA available to sign.
Per-Client Isolation
Each client operates in a completely separate logical environment. Isolation is enforced by the database engine itself: structurally impossible to read another client's data.
We don't collect what we don't need.
Precise technical choices, not just written policies.
No pre-connection history
Hooki never syncs messages that existed before the number was connected. Only messages that transit after activation are processed — everything else stays on the client's phone.
Automatic deletion from Hooki's servers
Messages are automatically deleted from Hooki's servers after 90 days. The client's WhatsApp remains untouched — we only delete our copy.
Contacts: temporary memory only
The contact list of a connected number is never permanently stored. Only contacts who actually exchanged messages enter the database.
The system that never forgets. Zero data loss.
Persistent Message Queue
Webhook server offline? Messages enter a persistent queue and are automatically retried for 35 minutes with progressive wait times. No message is ever lost.
Webhook Integrity with HMAC
Every payload to your systems is digitally signed. Verify the authenticity of every request with your secret key — no replay attacks possible.
No Burst, Ever
Even with multiple systems sending simultaneously on the same number, limits are never exceeded. Automatic protection against WhatsApp blocks on high-volume integrations.
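// Signature header sent with each webhook delivery
const sig = req.headers['x-hooki-signature'];
// Process the payload only when the signature verifies against your secret
if (verifyHmac(payload, secret, sig)) {
  processMessage(payload);
}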
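One way the `verifyHmac` call in the snippet above could be implemented on the receiving side, as an added example that is not Hooki's own code. It assumes HMAC-SHA256 over the raw request body with a hex-encoded signature in `x-hooki-signature`; the page does not state the algorithm or encoding, and `handleWebhook` and the sample values are hypothetical.

```javascript
const crypto = require('node:crypto');

// Assumptions (not stated on the page): HMAC-SHA256, hex-encoded signature,
// computed over the exact raw request body bytes.
function verifyHmac(rawBody, secret, sigHeader) {
  // Reject missing, array-valued or malformed headers before any comparison.
  if (typeof sigHeader !== 'string' || !/^[0-9a-f]{64}$/i.test(sigHeader)) {
    return false;
  }
  const expected = crypto.createHmac('sha256', secret).update(rawBody).digest();
  const received = Buffer.from(sigHeader, 'hex');
  // timingSafeEqual throws on unequal lengths; the regex guarantees 32 bytes.
  return crypto.timingSafeEqual(expected, received);
}

// Hypothetical handler: verify first, parse JSON only after the check passes.
function handleWebhook(headers, rawBody, secret, processMessage) {
  if (!verifyHmac(rawBody, secret, headers['x-hooki-signature'])) {
    return { status: 401 };
  }
  let payload;
  try {
    payload = JSON.parse(rawBody.toString('utf8'));
  } catch {
    return { status: 400 };
  }
  processMessage(payload);
  return { status: 200 };
}

// Constructed sample data, not real Hooki traffic.
const SAMPLE_SECRET = 'constructed-test-secret';
const SAMPLE_BODY = Buffer.from('{"event":"message","text":"hello"}');
const SAMPLE_SIG = crypto.createHmac('sha256', SAMPLE_SECRET)
  .update(SAMPLE_BODY).digest('hex');

function demo() {
  const seen = [];
  const record = (p) => seen.push(p);
  const altered = Buffer.from('{"event":"message","text":"hellO"}');
  const ok = handleWebhook({ 'x-hooki-signature': SAMPLE_SIG }, SAMPLE_BODY, SAMPLE_SECRET, record);
  const tampered = handleWebhook({ 'x-hooki-signature': SAMPLE_SIG }, altered, SAMPLE_SECRET, record);
  const missing = handleWebhook({}, SAMPLE_BODY, SAMPLE_SECRET, record);
  return { ok: ok.status, tampered: tampered.status, missing: missing.status, processed: seen.length };
}

console.log(demo());
```

Verify against the bytes exactly as received: re-serializing parsed JSON can change whitespace or key order and make a valid signature fail.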
"Security built into every data packet."
2FA
Two-factor authentication for every account.
Every user type — admin, agency, end client — can enable two-factor authentication. Keys are encrypted on servers. A traceable log records every access.
- Compatible with Google Authenticator, Authy, 1Password and other standard apps
- Keys encrypted with AES-256 (banking standard)
- Audit log of every authentication event
- Recovery codes for emergency access
GDPR Compliance.
We operate in full compliance with GDPR. We never sell data to third parties, we collect only the minimum necessary. Public DPA available to sign, transparent subprocessors list.