Our Security Posture
GoUltra is built on enterprise-grade infrastructure with security-by-design principles. We process the personal data and conversations of clinics, law firms, and service businesses, and we treat that responsibility seriously. This page summarizes the technical and organizational measures we have in place.
Infrastructure
- Edge compute: our application runs on Cloudflare Workers, distributed across 300+ data centers globally, with automatic failover and DDoS protection.
- Database: data is stored in Cloudflare D1 (SQLite-based, edge-replicated) with point-in-time recovery and automatic backup.
- WhatsApp messaging: GoUltra is built on Meta's official WhatsApp Cloud API.
- Payment processing: card details are handled by Stripe; GoUltra does not store full card numbers or CVV codes.
Encryption
- In transit: all communication uses TLS 1.2 or higher. HTTP Strict Transport Security (HSTS) is enforced. Internal service-to-service communication is also encrypted.
- At rest: our database storage is encrypted at the underlying disk level by our infrastructure provider.
- WhatsApp messages: messages between WhatsApp users and Meta's Cloud API infrastructure are protected by WhatsApp's own encryption; Meta delivers them to GoUltra over TLS, after which the access controls and retention rules described on this page apply.
- Secrets management: API keys, webhook signing secrets, and OAuth tokens are stored in encrypted environment variables and rotated regularly.
Access Control
- Account roles: GoUltra currently supports Admin and Agent roles. Agents have conversation-only access, while administrative tools remain with the owner or admin.
- Multi-factor authentication (MFA): available for all administrator accounts; required for our internal staff.
- Operation logs: sensitive operations (user creation, permission changes, data exports, billing changes) are logged with actor, timestamp, and source IP.
- Internal access: GoUltra staff access to customer data is restricted to the minimum necessary, requires explicit business justification, and is logged.
Application Security
- Input validation and output encoding against injection attacks (SQL injection, XSS), plus separate CSRF protection on state-changing requests.
- Rate limiting on authentication endpoints and API surfaces.
- Webhook signature verification for incoming messages from Meta.
- Content Security Policy (CSP) headers and other security HTTP headers on all responses.
- Regular dependency updates and vulnerability scanning.
Data Retention
Personal data is retained only for as long as necessary to provide the service or as required by law. Specific retention periods:
- Active account data: for the duration of your subscription.
- Conversation history: per your configuration (default 12 months, customizable).
- Billing records: 7 years (US tax law requirement).
- Operation logs: 12 months.
- Deleted account data: 30-day grace period (recoverable on request), then permanent deletion.
Subprocessors
Current list of subprocessors that may process customer personal data:
- Meta Platforms, Inc. (USA / global) - WhatsApp Cloud API messaging.
- Cloudflare, Inc. (USA / global) - compute, storage, CDN, DNS.
- Stripe, Inc. (USA) - payment processing.
- Google LLC (USA) - Google Calendar API integration (optional).
- OpenAI, LLC or equivalent AI provider (USA) - AI agent inference (optional).
Changes to this list are announced at least 30 days in advance via in-app notification and email to account administrators.
Incident Response
We maintain a documented incident response plan covering detection, containment, eradication, recovery, and notification. In the event of a security incident affecting your data:
- We will notify you without undue delay, and in any case within 72 hours of awareness.
- Notification will include: nature of the incident, categories and approximate number of records affected, likely consequences, and remediation steps taken or proposed.
- We will support you in any onward notification you must make to data subjects or regulators.
Reporting Vulnerabilities
We welcome reports from security researchers. If you believe you have found a vulnerability in GoUltra, please email security@goultra.ai with details. We commit to acknowledging receipt within 48 hours and providing a status update within 7 days.
Compliance Resources
GoUltra publishes the following resources to help customers understand how the platform handles data and how to use it within their own legal obligations:
- Privacy Policy — how GoUltra handles user data.
- GDPR Resource — information for customers operating in or processing data of EU/UK residents.
- Data Processing Addendum — for customers who require a written DPA.
- Data Deletion — how to request deletion of your data.
- Anti-Spam Policy and Opt-In Policy — required behavior when sending WhatsApp messages.
Customers remain responsible for their own legal compliance under the laws that apply to their business. Specific certification or compliance claims are added to this page only after they have been verified.
Contact
Security questions: security@goultra.ai. Compliance and DPA: dpo@goultra.ai. General support: support@goultra.ai.
Last updated: April 26, 2026.