Backup and key protection

Server-side workspace encryption keys are protected with KMS-backed wrapping. Key material is not stored on the application disk in plaintext; decrypted keys are kept in memory only while the service needs them.

Administrators should protect the KMS configuration, server machine, administrator accounts, and backup recovery material. A restore requires both the encrypted data and the key access or recovery material needed for that deployment.

Backups are encrypted before they are stored. In cloud-hosted deployments, TheChatApp manages infrastructure backups. In self-hosted deployments, administrators should keep backup files, KMS access, and recovery passwords protected and test restore procedures before relying on them.

Backups are designed to protect against lost or damaged servers, accidental deletion, and copied backup archives.

• The encrypted backup archive.
• The KMS access, backup password, or recovery material required for the deployment.
• Access to the same cloud-hosted account or managed restore process for cloud-hosted deployments.
• A restored server or workspace should be verified before users resume normal work.