Plexichat is built for teams that need ownership of data, infrastructure, and access policies. This page shows how a self-hosted stack changes control boundaries compared to vendor-hosted SaaS.
| Capability | Plexichat | Rocket.Chat | Mattermost |
|---|---|---|---|
| Encryption Root | ✓ Hardware (TPM 2.0) | ✗ Software-Only | ✗ Software-Only |
| Data Custody | ✓ True Ownership | Limited (Cloud Focus) | Complex (Enterprise) |
| Architecture | ✓ Fully Decoupled | Monolithic Core | Service-Heavy |
| Real-time Stack | ✓ FastAPI / SFU | Meteor / Legacy JS | Go / Manual Sync |
| Bootstrap | ✓ Production-ready defaults | Setup Wizard Req. | DB Migrations First |
Rocket.Chat and Mattermost use software-managed keys stored on the filesystem or in database variables. If the server is compromised, those keys are vulnerable.
Plexichat changes the model: Master keys are derived from physical hardware (TPM 2.0). Even with root access to the OS, the encryption root cannot be exported, ensuring your organization's data remains unreadable if the server environment is breached.
Plexichat is engineered as three distinct, independently deployable layers: a high-performance FastAPI REST engine, a real-time WebSocket Gateway, and a stateless client.
This architecture allows security teams to place fine-grained firewall rules between components and scale the real-time gateway independently of the API logic. Production-ready defaults mean only security tokens and database credentials need configuration.
Plexichat adds production-grade capabilities that organizations need: server-side client cache management (so a hard delete is final even on a device that previously pulled the key), federated instance-to-instance messaging through PlexiJoin, SSO / SAML, and audit-log export.
These capabilities are licence-gated on a per-feature basis. The free tier remains fully functional, falling back to the v2 envelope path, returning a no-op for federation endpoints, and keeping the audit log in-database with admin-UI access only. Commercial deployments unlock the full feature matrix.
For federation, SSO, audit export, or server-side client cache management, contact [email protected].