Determine if GDPR requires encryption of messages at rest and in transit #11

@Rubinskiy

Description

Implement encryption in transit (TLS) and at rest for our chat messages and user metadata.

Update:

GDPR does not explicitly require encryption at rest or in transit, but encryption is one of the primary ways to demonstrate compliance. Article 32 calls for "appropriate technical and organisational measures". Those measures should ensure:

  1. Confidentiality
  2. Integrity
  3. Availability
  4. Resilience of processing systems

Encryption in transit (TLS) is required in practice: without it, it would be hard to argue that we used "appropriate" measures.

Encryption at rest is not explicitly required, but it is often required in practice depending on the risk. There are a few types of encryption at rest:

  1. Disk/infra encryption - encrypted volumes or databases
  2. Application-level encryption - messages encrypted before being stored in the DB (adds some latency)
  3. End-to-end (E2E) encryption - maximum privacy, not required by GDPR, but makes features harder to build
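As an added example (not code from this issue or the project), here is what option 2 looks like in Go with AES-256-GCM: each message body is sealed with a fresh per-message nonce before it reaches the database, while the conversation and sender ids stay in the clear (still queryable) but are bound into the ciphertext as associated data, so a stored row cannot be re-attributed or altered without decryption failing. The `StoredMessage` type, its field names and the demo key are assumptions; a real service would load the key from a KMS or secret store.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)

// StoredMessage is the DB row: metadata kept in the clear (still queryable), body sealed as nonce||ct||tag.
type StoredMessage struct {
	ConversationID, SenderID string
	Ciphertext               []byte
}
// NewMessageAEAD builds the AES-GCM cipher; a 32-byte key (loaded from a KMS or secret store) gives AES-256.
func NewMessageAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}
// aad binds the ciphertext to its metadata, so a row moved to another conversation or sender fails to open.
func aad(m StoredMessage) []byte { return []byte(m.ConversationID + "\x00" + m.SenderID) }
// EncryptMessage seals one chat message before it is written to the database.
func EncryptMessage(gcm cipher.AEAD, conversationID, senderID, body string) (StoredMessage, error) {
	m := StoredMessage{ConversationID: conversationID, SenderID: senderID}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per message, never reused under one key
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return StoredMessage{}, err
	}
	m.Ciphertext = gcm.Seal(nonce, nonce, []byte(body), aad(m)) // nonce is prepended to the output
	return m, nil
}
// DecryptMessage opens a stored row; any change to body or metadata makes the GCM tag check fail.
func DecryptMessage(gcm cipher.AEAD, m StoredMessage) (string, error) {
	if len(m.Ciphertext) < gcm.NonceSize() {
		return "", fmt.Errorf("ciphertext too short")
	}
	nonce, ct := m.Ciphertext[:gcm.NonceSize()], m.Ciphertext[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, aad(m)) // err: corrupted, tampered, wrong key or wrong metadata
	return string(pt), err                       // pt is nil on error, so the string is empty
}
func main() {
	key := []byte("demo-only-key-32-bytes-long-ABCD") // 32 bytes; a real service loads it from its KMS
	gcm, _ := NewMessageAEAD(key)
	row, _ := EncryptMessage(gcm, "conv-42", "user-7", "hello from the chat service")
	fmt.Println(DecryptMessage(gcm, row))
}
```

The latency cost mentioned above is the per-message Seal/Open plus a key fetch; the metadata in the clear is still personal data under GDPR, so the disk/infra layer is usually kept as well.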

Labels: feature (New feature or request), research (Preliminary research and testing)