Compliance & Data Retention

Privacy-First Architecture

Dualhook's core design principle is that message content is never proxied or stored. All message webhooks are routed directly from Meta to your server via Webhook Override. Dualhook stores only operational metadata: webhook delivery status, template information, health check results, and connection configuration.

Configurable Data Retention

Organization administrators can configure data retention periods for webhook logs and health checks. The available retention windows are 7 days, 30 days, or 90 days. When the retention period expires, records are automatically purged. This allows your organization to balance operational visibility with data minimization requirements.

CSV Export

Webhook delivery logs can be exported as CSV files for audit trails and incident review. Exports include event type, timestamp, delivery status, and associated identifiers. These exports support compliance workflows that require documented evidence of webhook processing.

Organization-Scoped Access Controls

All data in Dualhook is scoped to the organization level. Members of one organization cannot access connections, logs, or settings belonging to another. Role-based access within each organization ensures that only authorized team members can modify connection settings or compliance configuration.

What Dualhook Stores

• Connection configuration (WABA ID, phone number ID, webhook URL)
• Access tokens (for Meta API calls on your behalf)
• Webhook event metadata (event type, delivery status, timestamps)
• Template metadata (name, status, category, components)
• Health check snapshots (quality rating, can-send status)

Message content, conversation data, and end-user personal information are never stored by Dualhook.