Security & Compliance
Security isn't a feature we add—it's foundational to everything we build. Here's how we protect your data.
Security Principles
End-to-End Encryption
All data is encrypted in transit (TLS 1.3) and at rest (AES-256). For messaging, we use the Signal Protocol—the same encryption trusted by journalists and activists worldwide.
Zero-Knowledge Architecture
We can't read your data even if we wanted to. Encryption keys are derived from your credentials and never leave your device. We only store encrypted blobs.
Hardware Security
Support for FIDO2/WebAuthn hardware keys. Sensitive cryptographic operations use secure enclaves where available. API keys are hashed, never stored in plaintext.
Infrastructure Security
Hosted on SOC 2 compliant infrastructure. Network isolation, DDoS protection, and continuous monitoring. Regular penetration testing by third parties.
Encryption Specifications
| Layer | Algorithm | Key Size |
|---|---|---|
| Transport Layer | TLS 1.3 | 256-bit |
| Data at Rest | AES-256-GCM | 256-bit |
| Message Encryption (Chai.im) | Signal Protocol (X3DH + Double Ratchet) | Curve25519 |
| Key Derivation | HKDF-SHA256 | 256-bit |
| Password Hashing | Argon2id | Memory: 64MB, Iterations: 3 |
| Digital Signatures | Ed25519 | 256-bit |
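The key-derivation layer from the table above, shown as an added example that is not Chai.im's own code: an RFC 5869 HKDF-SHA256 implementation, checked against the RFC's published test vector, that expands one credential-derived root key into independent 256-bit keys per purpose so that the root key itself never has to leave the client. The root key is assumed to be the output of the Argon2id step listed in the table (supplied here as a constructed value, since the standard library has no Argon2), and the salt label, purpose names and account id are assumptions.

```python
import hashlib
import hmac

HASH_LEN = hashlib.sha256().digest_size  # 32 bytes for SHA-256


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 extract: PRK = HMAC-SHA256(salt, IKM); empty salt -> zeros."""
    return hmac.new(salt or bytes(HASH_LEN), ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 expand: T(i) = HMAC-SHA256(PRK, T(i-1) || info || i)."""
    if length > 255 * HASH_LEN:
        raise ValueError("HKDF-SHA256 output is limited to 255 * 32 bytes")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_purpose_keys(root_key: bytes, account_id: str) -> dict[str, bytes]:
    """Turn one credential-derived root key into distinct 256-bit subkeys.

    root_key stands in for the Argon2id password-hash output (constructed in
    the test). The salt label and purpose strings are hypothetical; the point
    is that each purpose gets its own 'info', so one subkey reveals nothing
    about the others and the root key stays on the device.
    """
    prk = hkdf_extract(b"example-app-root-kdf-v1", root_key)  # hypothetical label
    purposes = ("data-at-rest/aes-256-gcm", "signing/ed25519", "messaging/identity")
    return {p: hkdf_expand(prk, f"{p}|{account_id}".encode(), 32) for p in purposes}


def rfc5869_self_test() -> bool:
    """Check the implementation against RFC 5869 test case 1 (SHA-256)."""
    prk = hkdf_extract(bytes.fromhex("000102030405060708090a0b0c"), b"\x0b" * 22)
    okm = hkdf_expand(prk, bytes.fromhex("f0f1f2f3f4f5f6f7f8f9"), 42)
    return (
        prk.hex() == "077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5"
        and okm.hex() == "3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf"
        "34007208d5b887185865"
    )
```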
Compliance
HIPAA Compliance
Chai.im is designed for HIPAA compliance. We offer Business Associate Agreements (BAA) for healthcare organizations, encrypted audit logging, and configurable retention policies.
- End-to-end encryption for PHI
- Access controls and audit logging
- BAA available for enterprise customers
- Configurable data retention
GDPR Compliance
We respect data subject rights and provide tools for data portability and deletion.
- Data minimization by design
- Right to access and export data
- Right to deletion
- EU data residency options
SOC 2 Type II
We're currently undergoing SOC 2 Type II certification. Expected completion: Q2 2026.
- Security controls in place
- Audit in progress
Security Practices
Development
- Code review required for all changes
- Automated security scanning (SAST/DAST)
- Dependency vulnerability monitoring
- Signed commits and verified builds
Operations
- 24/7 infrastructure monitoring
- Automated incident response
- Regular backup testing
- Disaster recovery procedures
Testing
- Annual third-party penetration testing
- Continuous vulnerability scanning
- Bug bounty program (coming soon)
- Red team exercises
Access Control
- Principle of least privilege
- Multi-factor authentication required
- Regular access reviews
- Just-in-time access for production
Vulnerability Disclosure
Report a Vulnerability
We take security seriously and appreciate responsible disclosure. If you discover a security vulnerability, please report it to us.
What to include:
- Description of the vulnerability
- Steps to reproduce
- Affected product(s) and version(s)
- Potential impact
- Any proof-of-concept code
Questions About Security?
Our security team is happy to answer questions and provide additional documentation for enterprise customers.