Security at VaultChat

VaultChat implements the Signal Protocol, the same end-to-end encryption standard trusted by Signal and WhatsApp.

• X3DH (Extended Triple Diffie-Hellman): Establishes a shared secret between two parties on first contact, even when one party is offline.
• Double Ratchet Algorithm: Generates a new encryption key for every single message, providing forward secrecy and post-compromise security.
• AES-256-GCM: Authenticated symmetric encryption for message payloads.
• Curve25519: Elliptic-curve key agreement for fast, modern key exchange.

VaultChat is built so we cannot read your messages — even if compelled to. Encryption and decryption happen entirely on your device, and your private keys never leave it.

• Private keys are generated and stored on your device only.
• Messages are encrypted before they ever touch our servers.
• We see ciphertext — never plaintext, never your keys.
• Backups are encrypted with your personal PIN before upload.

We use a small, audited set of providers — each scoped to the minimum role needed to deliver the service.

• Supabase: Secure, managed backend for account metadata and encrypted message routing. Protected by row-level security policies and isolated per user.
• Twilio: Encrypted signaling for SMS verification and secure download links. Twilio never has access to your message content or keys.
• Apple & Google Push Services: Used solely to wake your device. Notification payloads never include message content.

We collect the minimum data needed to operate — and we keep it for the shortest time possible.

• Message content: Stored only on your device. Deleted from our relay servers the moment it is delivered.
• Undelivered messages: Held encrypted on relay servers for up to 30 days, then permanently purged.
• Server logs: Retained for 30 days for security and abuse prevention, then deleted.
• Account metadata: Retained only while your account is active. Deleting your account purges all associated data within 30 days.
• Phone number: Stored hashed where possible; used only for verification and account recovery.

VaultChat undergoes independent security review and adheres to SOC 2 Type II controls. Found a vulnerability? Email security@vaultchat.co. Responsible disclosures are acknowledged within 48 hours.