Security
How Docuity Chat protects messages.
Plain language about how we protect messages, including the limits. We would rather under-claim than over-promise.
Last updated: 17 July 2026
Two ways to encrypt a workspace
Encryption is chosen per workspace when you create it. There are two modes, and the difference is who can read your messages.
Server-encrypted (the default)
- Message bodies and files are encrypted at rest with AES-256-GCM under rotatable keys the server holds.
- Because the server holds the key, it can power full-text search and recover a workspace.
- Honest limit: the server can decrypt these messages, so this is not end-to-end encryption, and we do not describe it as such.
End-to-end encrypted (per workspace)
- The workspace key is generated in your browser at creation and is never sent to the server.
- It reaches teammates only through the invite link, in the fragment after the
#that browsers do not transmit. The server stores ciphertext plus a short fingerprint to confirm the key, never the key itself. - No server-side search: search runs in your browser over the messages it has decrypted.
- The invite link carries the key, so treat the full link like a password.
- If every member loses the key, the history is unrecoverable. There is no server copy.
Transport and sessions
- All traffic is served over TLS with HSTS; plain HTTP is not offered.
- Every state-changing request is checked against this app's exact origin (CSRF protection), and the app is not embeddable.
- Sign-in happens only in Docuity ID. Apps never see your password. Sessions are Ed25519-signed with a server-side revocation check, so log-out-everywhere is immediate.
Audit trails
- Membership and admin changes are written to an append-only, hash-chained audit log whose database permissions do not allow updates or deletes.
- Honest limit: hash-chaining makes tampering detectable by verification, not impossible. We say “externally verifiable”, never “tamper-proof”.
Attachments and retention
- Attachments are encrypted with the same key as the workspace, whether server-held or end-to-end.
- Retention is set per workspace, 365 days by default, and admins can change it. A nightly job purges expired messages.
Self-hosting
Docuity Chat ships as a container image and runs against one PostgreSQL and one Redis instance. If you self-host, all of the above applies to your deployment and no data flows to us.
What we do NOT claim
- Docuity Chat is a staff coordination tool, not a medical record.
- No certifications: Docuity is not “HIPAA certified” (no such certification exists), and we hold no SOC 2 or ISO 27001 attestation today.
- We do not currently sign Business Associate Agreements (BAAs).
- No end-to-end encryption claims for server-encrypted workspaces.
Honest by default
Choose the encryption your team needs.
Server-encrypted for search and recovery, or end-to-end when the server should not be able to read a word. You decide, per workspace.