Plexichat is built for on-prem and private-cloud deployments where key custody, data retention, and network boundaries are controlled by your organization.
Encryption at rest is rooted in your infrastructure. Use TPM 2.0 hardware when available, or configure PLEXICHAT_SYSTEM_KEY for containerized deployments that require software-backed keys.
Every configured key encryption key is validated before the server accepts traffic. Insecure keys are rejected with a clear, actionable error message rather than failing silently later.
On licensed installs, the server owns the per-channel key cache. Clients receive RATCHET_UPDATE broadcasts over the gateway and never sit on a long-lived key they can use after a deletion. On free tier the messaging service falls back to the v1/v2 keyring envelope and the client manages its own cache.
Threat model addressed: A stolen phone that pulled the active ratchet key while authenticated. A former employee who exported ciphertext out of band. An admin who copies channel content during a session and tries to decrypt it after deletion.
Commercial licence required. Contact [email protected] for deployment pricing.
When a keyring is loaded with a dedicated KEK (e.g. PLEXICHAT_MEDIA_KEY) and decryption fails, the server falls back to PLEXICHAT_SYSTEM_KEY and re-encrypts on the next write. This makes it safe to roll forward a new KEK without a manual data migration window.
Plexichat uses strong password hashing, multi-factor authentication, and tokenized sessions for secure access control.
Traffic protection is enforced per route, per user, and per IP with configurable burst windows.
External URLs are validated through a media proxy to reduce SSRF risk from avatars, embeds, and remote assets.
The first-class DSAR / Harvester module packages every artefact associated with a user into a single export bundle. Account holders can self-serve the same bundle from the client's Data Export settings screen.
Licensed installs can stream the admin audit log to external SIEM-friendly sinks and produce signed export bundles for incident response. Free-tier installs retain the audit log in-database with admin UI access only.
Commercial licence required. Contact [email protected] for deployment pricing.