Security is built into how My PA works, not added as an afterthought. Here's a plain-language summary of how we protect your shop's data and your customers' information.
Encryption in transit and at rest
All data moving between your phone, our servers, and the messaging platforms is protected by TLS encryption — the same standard used by banks. Data stored on our servers — including messages, customer records, order history and uploaded documents — is encrypted at rest. Even if storage were ever accessed without authorisation, the data cannot be read.
Official messaging APIs only
My PA connects to WhatsApp through the official WhatsApp Business API and to Instagram and Messenger through the Meta Business API. We do not use unofficial methods or third-party channels. Your numbers and pages remain in your name, under official approval.
Secure cloud hosting
My PA is hosted on Amazon Web Services (AWS) and Google Cloud Platform (GCP) — two of the world's most trusted cloud providers with ISO 27001 certification and robust physical and network security. Your data is backed up regularly so it cannot be permanently lost due to hardware or software failure.
Tight access controls
- Only the authorised users on your account can access your business data from within the app.
- My PA staff access to production data is strictly limited — it is granted only when needed to resolve a support issue, is time-limited, and is fully logged.
- Sensitive actions (password changes, account deletion) require re-authentication.
- API keys and secrets are stored as environment variables, never hard-coded in source code.
Payment security via Paystack
Subscription payments and wallet transactions are processed by Paystack, a licensed Nigerian payment service provider regulated by the Central Bank of Nigeria. My PA never stores your card numbers or full bank credentials. Wallet payouts use Paystack's secure Transfer API over HTTPS with webhook signature verification (HMAC-SHA512).
Webhook and API authentication
All inbound webhooks (from WhatsApp, Meta and Paystack) are verified using cryptographic signature checks before any data is processed. Requests without a valid signature are rejected immediately.
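As an added illustration of the verification described in the payment and webhook sections above (example code, not My PA's own implementation): the raw request body is HMAC'd with the provider secret, compared in constant time with the signature header, and only then parsed. The Paystack scheme (HMAC-SHA512, header `x-paystack-signature`) follows Paystack's published webhook documentation; the Meta case (HMAC-SHA256, header `X-Hub-Signature-256`, value prefixed `sha256=`) goes beyond what this page states, and the secret and payload are constructed placeholders.

```python
import hashlib
import hmac
import json
from typing import Optional


def compute_signature(secret: str, raw_body: bytes, digest: str) -> str:
    """Hex HMAC over the *raw* request bytes, never over re-serialised JSON."""
    return hmac.new(secret.encode("utf-8"), raw_body, digest).hexdigest()


def verify_webhook(secret: str, raw_body: bytes, header_value: Optional[str],
                   digest: str = "sha512", prefix: str = "") -> bool:
    """True only if header_value is the expected HMAC of raw_body.

    Paystack: digest="sha512", header x-paystack-signature, no prefix.
    Meta:     digest="sha256", header X-Hub-Signature-256, prefix "sha256=".
    """
    if not header_value or not header_value.startswith(prefix):
        return False
    provided = header_value[len(prefix):]
    expected = compute_signature(secret, raw_body, digest)
    # Constant-time comparison so a forger learns nothing from timing
    # about how many leading characters of the guess were right.
    return hmac.compare_digest(expected, provided)


def handle_paystack_webhook(secret: str, raw_body: bytes, headers: dict) -> dict:
    """Reject before parsing: an unverified body is never JSON-decoded."""
    # Header names are assumed lower-cased here, as most frameworks normalise them.
    signature = headers.get("x-paystack-signature")
    if not verify_webhook(secret, raw_body, signature, digest="sha512"):
        return {"status": 401, "event": None}
    event = json.loads(raw_body)
    return {"status": 200, "event": event.get("event")}


# Constructed sample: placeholder secret and a minimal Paystack-style payload.
SECRET = "sk_test_PLACEHOLDER"
BODY = b'{"event":"transfer.success","data":{"amount":500000,"reference":"ref_demo_1"}}'

if __name__ == "__main__":
    good = compute_signature(SECRET, BODY, "sha512")
    print(handle_paystack_webhook(SECRET, BODY, {"x-paystack-signature": good}))
    tampered = BODY.replace(b"500000", b"900000")
    print(handle_paystack_webhook(SECRET, tampered, {"x-paystack-signature": good}))
```

The tampered-body case shows why the body must be treated as opaque bytes: changing a single digit of the amount invalidates the signature even though the JSON is still well-formed.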
Monitoring and incident response
Our infrastructure is monitored continuously for unusual activity, errors and availability issues. In the unlikely event of a security incident that could affect your data, we will:
- Contain and investigate the issue as quickly as possible.
- Notify affected account holders within 72 hours of becoming aware of a breach.
- Explain clearly what happened, what data was involved, and what steps we have taken.
Your responsibility
Our security measures work best when you take a few simple steps on your side:
- Use a strong, unique password for your My PA account and enable your phone's screen lock.
- Never share your login details, verification codes or account PIN with anyone — including people claiming to be My PA support.
- Keep your WhatsApp Business number linked to a SIM you control and monitor.
- Report anything suspicious — unusual messages, unexpected logins or unfamiliar transactions — to support@mypa.ng immediately.
Responsible disclosure
Found a security vulnerability? Please report it privately to support@mypa.ng with the subject "Security Disclosure". We take every report seriously, investigate promptly, and will keep you informed of progress. We ask that you do not publicly disclose a vulnerability before we have had a reasonable opportunity to address it.
Questions?
Want more detail for your own compliance or due-diligence records? Email support@mypa.ng and we'll be glad to help.