Compliance Center

Ahmad AI — Enterprise Security & Platform Compliance

Last Updated: March 1, 2026

Ahmad AI is committed to maintaining the highest standards of platform compliance, data security, and regulatory adherence. This page provides a comprehensive overview of our compliance framework across all integrated platforms and security practices.

Meta Platform Compliance

Ahmad AI is a registered Meta Technology Provider that integrates with Meta's Graph API and Facebook Login. We adhere to all Meta Platform Terms and Developer Policies.

Facebook Login (OAuth 2.0)

  • Secure OAuth 2.0 authentication flow
  • Granular permission requests (only what is needed)
  • Tokens encrypted with AES-256-GCM at rest
  • Server-side only token handling

Data Access Controls

  • Access limited to authorized business assets only
  • No access to personal profiles or friends data
  • Immediate token revocation on disconnect
  • Regular permission audits and reviews

Platform Terms Adherence

  • Compliant with Meta Platform Terms of Service
  • Compliant with Meta Developer Policies
  • Data deletion callback endpoint implemented
  • Annual app review and verification

User Content Controls

  • No automated posting without user opt-in
  • Content review workflows available
  • Users control all publishing permissions
  • Audit trail for all published content

Marketing API Compliance

Ahmad AI uses the Meta Marketing API to provide campaign management capabilities. Our usage strictly adheres to Marketing API terms and advertising policies.

Data Usage Restrictions

  • Campaign data used solely for authorized management
  • No resale or redistribution of Marketing API data
  • Audience data never shared with unauthorized parties
  • No data aggregation across multiple advertisers

Advertising Standards

  • Compliant with Meta Advertising Standards
  • AI-generated ad content reviewed for policy compliance
  • Transparent reporting on campaign performance
  • Rate-limiting and API usage monitoring

WhatsApp Business API Compliance

Our WhatsApp integration operates through the official WhatsApp Cloud API provided by Meta Platforms, Inc. We comply with all WhatsApp Business and Commerce policies.

Messaging Compliance

  • Opt-in required for all marketing messages
  • Clear opt-out mechanism (STOP/UNSUBSCRIBE)
  • 24-hour messaging window compliance
  • Template messages pre-approved by Meta

Data Handling

  • End-to-end encryption honored
  • Message data processed only for service delivery
  • User phone numbers protected and never shared
  • Conversation data retention policies enforced

Security Architecture Overview

Ahmad AI employs a multi-layered security architecture designed to protect user data, platform credentials, and business assets at every level.

Encryption at Rest

  • AES-256-GCM for all sensitive data
  • Encrypted OAuth token storage
  • Database-level encryption
  • Encrypted backups

Encryption in Transit

  • TLS 1.3 for all connections
  • HTTPS enforced across all endpoints
  • Certificate pinning for critical APIs
  • HSTS headers enabled

Access Controls

  • Server-side only token access
  • Role-based access control (RBAC)
  • Principle of least privilege
  • Multi-factor authentication

Infrastructure Security

  • Cloud-hosted on enterprise-grade infrastructure
  • Regular security patches and updates
  • DDoS protection and rate limiting
  • Web Application Firewall (WAF)
  • Automated vulnerability scanning
  • Secure CI/CD pipeline

Incident Response Process

Ahmad AI maintains a structured incident response plan to address security events and data breaches promptly and transparently.

Step 1: Detection & Identification (0 – 1 hour)

  • Automated monitoring and alerting systems
  • Real-time log analysis and anomaly detection
  • Incident classification and severity assessment

Step 2: Containment & Mitigation (1 – 4 hours)

  • Immediate isolation of affected systems
  • Revocation of compromised credentials and tokens
  • Temporary service restrictions if necessary

Step 3: Notification (within 72 hours)

  • Affected users notified via email and dashboard
  • Regulatory bodies notified as required by law
  • Meta/WhatsApp notified per platform requirements

Step 4: Recovery & Post-Mortem (1 – 7 days)

  • Full system restoration and verification
  • Root cause analysis and documentation
  • Implementation of preventive measures
  • Incident report published to affected parties

Data Protection Practices

Our data protection practices are designed to comply with applicable data protection regulations, including Malaysia's Personal Data Protection Act (PDPA) and GDPR principles.

Data Minimization

  • Collect only data necessary for service delivery
  • Regular audits to identify unnecessary data
  • Automatic purging of expired session data

User Rights

  • Right to access personal data
  • Right to correction and rectification
  • Right to deletion (in-app, callback, or email)
  • Right to data portability

Data Retention

  • Tokens deleted on platform disconnect
  • Business data removed on account deletion
  • Audit logs retained up to 24 months
  • Automated data lifecycle management

Third-Party Data Handling

  • No sale or resale of user data
  • Sub-processors vetted and under DPA
  • Strict confidentiality agreements
  • Regular vendor security assessments

Questions About Compliance?

If you have questions about our compliance practices or need to report a security concern, please contact us:

General Support

support@ahmad-ai.com

Privacy & Data Requests

privacy@ahmad-ai.com

Security Reports

security@ahmad-ai.com