Security Guide
Transport encryption
Native realtime app traffic uses authenticated session encryption, while file transfer, meetings, identity, and account pages use HTTPS.
Realtime sessions
Desktop and mobile clients create an encrypted realtime session before any message, presence, call, or screen-sharing traffic is exchanged. These session keys protect live traffic and are separate from the keys used for stored workspace data.
Session keys are traffic keys, not permanent workspace storage keys. They can be rotated during a session and cleared from memory after replacement.
Replay protection
Realtime traffic includes freshness and replay protection so old packets cannot simply be resent and accepted as new activity. Media streams tolerate normal network reordering without accepting stale packets.
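One common way to get both properties described above is a sliding-window anti-replay filter of the kind used by IPsec ESP and SRTP. The sketch below is an added example, not this product's code; the per-packet sequence numbers, the 64-packet window, and the names ReplayWindow and classify are assumptions made for illustration.

```python
# Added illustration: sliding-window anti-replay filter. Sequence numbers,
# the 64-packet window, and all names here are assumptions, not details
# taken from this guide.

WINDOW = 64  # assumed window size, in packets


class ReplayWindow:
    def __init__(self, size=WINDOW):
        self.size = size
        self.highest = -1   # highest sequence number accepted so far
        self.bitmap = 0     # bit i set => (highest - i) already accepted

    def accept(self, seq):
        """Return True if seq is fresh. Call only after the packet's
        authentication tag has verified, so a forged sequence number
        cannot move the window."""
        if seq > self.highest:
            shift = seq - self.highest
            # Slide the window forward and mark the new highest as seen.
            mask = (1 << self.size) - 1
            self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:
            return False            # older than the window: stale packet
        if self.bitmap & (1 << offset):
            return False            # already seen: replay
        self.bitmap |= 1 << offset  # late but fresh: reordered packet
        return True


def classify(seqs, size=WINDOW):
    """Run a list of sequence numbers through one window, in arrival order."""
    window = ReplayWindow(size)
    return [(seq, window.accept(seq)) for seq in seqs]


if __name__ == "__main__":
    # Constructed arrival order: reordering (3 after 4, 99 after 100),
    # replays (second 4, second 100), and a stale packet (30).
    for seq, ok in classify([1, 2, 4, 3, 4, 100, 99, 30, 100]):
        print(seq, "accept" if ok else "drop")
```

A larger window tolerates more reordering at the cost of remembering more recent packets; anything older than the window is dropped even if it was never seen.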
Server identity
Server identity is trust-on-first-use. Clients store the server fingerprint and detect later changes that could indicate a replaced server identity or man-in-the-middle attempt.
HTTPS paths
File transfer, history sync, browser meetings, identity-provider provisioning, diagnostics, and account pages are served over HTTPS in production. Stored file bodies and message fields still use the separate at-rest protections described in Encryption and key protection.