Security Guide
Security overview
TheChatApp uses encrypted connections, authenticated identity, encrypted workspace storage, protected local secrets, file validation, audit logs, and deployment isolation across self-hosted and cloud-hosted environments.
Security model
Security is built around defense in depth: encrypted connections, authenticated users and devices, encrypted stored content, restricted key material, validated file handling, and audit records for administrative actions.
The main layers are application controls, transport encryption, storage protection, identity, and deployment operations. Each layer reduces a different class of risk, and each depends on administrators keeping backups, administrator accounts, and user devices protected.
Security controls
| Purpose | Protection |
|---|---|
| Transport encryption | Realtime traffic is encrypted after a signed session handshake. |
| Server identity | Clients remember the server identity and warn if it unexpectedly changes. |
| Stored data | Workspace data and file metadata are encrypted before they are written to storage. |
| Key protection | Cloud-hosted deployments use managed key services so key material is not stored on application disk. |
| Audit logs | Security and administrative actions are recorded in protected audit logs. |
Operational controls
- Progressive login lockout for brute-force resistance.
- Secure handling of identity-provider tokens and workspace sessions.
- File validation and access checks on upload/download paths.
- Encrypted data export and wipe paths gated by administrative authentication.
Deployment boundaries
Self-hosted administrators control the server machine, network access, backups, and administrator accounts. Cloud-hosted deployments add TheChatApp-managed hosting, TLS, key protection, and infrastructure backups.