Self-hosted vs SaaS
Capability Plexichat Rocket.Chat Mattermost
Encryption Root Hardware (TPM 2.0) Software-Only Software-Only
Data Custody True Ownership Limited (Cloud Focus) Complex (Enterprise)
Architecture Fully Decoupled Monolithic Core Service-Heavy
Real-time Stack FastAPI / SFU Meteor / Legacy JS Go / Manual Sync
Bootstrap Production-ready defaults Setup Wizard Req. DB Migrations First
Hardware-Rooted Trust

Beyond Software Encryption

Rocket.Chat and Mattermost use software-managed keys stored on the filesystem or in database variables. If the server is compromised, those keys are vulnerable.

Plexichat changes the model: Master keys are derived from physical hardware (TPM 2.0). Even with root access to the OS, the encryption root cannot be exported, ensuring your organization's data remains unreadable if the server environment is breached.

Modern, Decoupled Architecture

Plexichat is engineered as three distinct, independently deployable layers: a high-performance FastAPI REST engine, a real-time WebSocket Gateway, and a stateless client.

This architecture allows security teams to place fine-grained firewall rules between components and scale the real-time gateway independently of the API logic. Production-ready defaults mean only security tokens and database credentials need configuration.

Commercial Federation & Identity

Plexichat adds production-grade capabilities that organizations need: server-side client cache management (so a hard delete is final even on a device that previously pulled the key), federated instance-to-instance messaging through PlexiJoin, SSO / SAML, and audit-log export.

These capabilities are licence-gated on a per-feature basis. The free tier remains fully functional, falling back to the v2 envelope path, returning a no-op for federation endpoints, and keeping the audit log in-database with admin-UI access only. Commercial deployments unlock the full feature matrix.

For federation, SSO, audit export, or server-side client cache management, contact [email protected].