Security

How Docuity Chat protects messages.

Plain language about how we protect messages, including the limits. We would rather under-claim than over-promise.

Last updated: 17 July 2026

Two ways to encrypt a workspace

Encryption is chosen per workspace when you create it. There are two modes, and the difference is who can read your messages.

Server-encrypted (the default)

  • Message bodies and files are encrypted at rest with AES-256-GCM under rotatable keys the server holds.
  • Because the server holds the key, it can power full-text search and recover a workspace.
  • Honest limit: the server can decrypt these messages, so this is not end-to-end encryption, and we do not describe it as such.

End-to-end encrypted (per workspace)

  • The workspace key is generated in your browser at creation and is never sent to the server.
  • It reaches teammates only through the invite link, in the fragment after the # that browsers do not transmit. The server stores ciphertext plus a short fingerprint to confirm the key, never the key itself.
  • No server-side search: search runs in your browser over the messages it has decrypted.
  • The invite link carries the key, so treat the full link like a password.
  • If every member loses the key, the history is unrecoverable. There is no server copy.

Transport and sessions

  • All traffic is served over TLS with HSTS; plain HTTP is not offered.
  • Every state-changing request is checked against this app's exact origin (CSRF protection), and the app is not embeddable.
  • Sign-in happens only in Docuity ID. Apps never see your password. Sessions are Ed25519-signed with a server-side revocation check, so log-out-everywhere is immediate.

Audit trails

  • Membership and admin changes are written to an append-only, hash-chained audit log whose database permissions do not allow updates or deletes.
  • Honest limit: hash-chaining makes tampering detectable by verification, not impossible. We say “externally verifiable”, never “tamper-proof”.

Attachments and retention

  • Attachments are encrypted with the same key as the workspace, whether server-held or end-to-end.
  • Retention is set per workspace, 365 days by default, and admins can change it. A nightly job purges expired messages.

Self-hosting

Docuity Chat ships as a container image and runs against one PostgreSQL and one Redis instance. If you self-host, all of the above applies to your deployment and no data flows to us.

What we do NOT claim

  • Docuity Chat is a staff coordination tool, not a medical record.
  • No certifications: Docuity is not “HIPAA certified” (no such certification exists), and we hold no SOC 2 or ISO 27001 attestation today.
  • We do not currently sign Business Associate Agreements (BAAs).
  • No end-to-end encryption claims for server-encrypted workspaces.

Honest by default

Choose the encryption your team needs.

Server-encrypted for search and recovery, or end-to-end when the server should not be able to read a word. You decide, per workspace.