Security

How NoChat protects your communications

Security First

NoChat is built from the ground up with security as a core principle, not an afterthought. Our zero-knowledge architecture ensures that your private communications remain private, even from us.

End-to-End Encryption

All messages and calls on NoChat are protected with end-to-end encryption (E2EE). This means:

  • Messages are encrypted on your device before being sent
  • Only you and your intended recipients can decrypt and read messages
  • NoChat servers only see encrypted data that looks like random noise
  • Even if our servers were compromised, attackers could not read your messages

Cryptographic Standards

We use industry-standard cryptographic algorithms:

Message Encryption

  • AES-256-GCM for symmetric encryption
  • P-256 ECDH for key exchange
  • Hybrid X25519 + ML-KEM-1024 (Kyber) post-quantum key exchange (PQXDH) for direct messages
  • HKDF-SHA256 for key derivation
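
How three of the primitives listed above (P-256 ECDH, HKDF-SHA256, AES-256-GCM) can fit together so that a relay server sees only ciphertext, as an added example; it is not NoChat's code, protocol or wire format, and it leaves out the post-quantum hybrid exchange. The function names, the `demo-e2ee-v1` label and the sample message are assumptions made for the illustration.

```javascript
// Added illustration; not NoChat's code or wire format. Node.js built-in crypto only.
const nodeCrypto = require('node:crypto');

// Each party generates a P-256 key pair; the private half never leaves its owner.
function newIdentity() {
  return nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
}

// P-256 ECDH shared secret -> HKDF-SHA256 -> 32-byte AES-256-GCM key.
function deriveKey(myPrivateKey, theirPublicKey) {
  const secret = nodeCrypto.diffieHellman({ privateKey: myPrivateKey, publicKey: theirPublicKey });
  const salt = Buffer.alloc(32); // all-zero salt, same as HKDF with no salt supplied
  const info = 'demo-e2ee-v1';   // constructed context label (assumption)
  return Buffer.from(nodeCrypto.hkdfSync('sha256', secret, salt, info, 32));
}

function encrypt(key, plaintext, aad) {
  const iv = nodeCrypto.randomBytes(12); // fresh 96-bit nonce for every message
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(Buffer.from(aad));       // routing data: authenticated, not encrypted
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return { iv, ct, tag: cipher.getAuthTag(), aad };
}

function decrypt(key, env) {
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, env.iv);
  decipher.setAAD(Buffer.from(env.aad));
  decipher.setAuthTag(env.tag);
  // final() throws if the key, ciphertext, AAD or tag do not match
  return Buffer.concat([decipher.update(env.ct), decipher.final()]).toString('utf8');
}

// Returns true if decryption succeeds, false if GCM authentication fails.
function canRead(key, env) {
  try { decrypt(key, env); return true; } catch { return false; }
}

function demo() {
  const alice = newIdentity(), bob = newIdentity(), relay = newIdentity();
  const env = encrypt(deriveKey(alice.privateKey, bob.publicKey), 'meet at 10', 'alice->bob');
  const bobKey = deriveKey(bob.privateKey, alice.publicKey);
  const flipped = Buffer.from(env.ct); flipped[0] ^= 0x01; // one bit changed in transit
  return {
    bobReads: decrypt(bobKey, env),
    // The relay sees env and both public keys, but holds neither private key.
    relayReads: canRead(deriveKey(relay.privateKey, alice.publicKey), env),
    tamperAccepted: canRead(bobKey, { ...env, ct: flipped }),
  };
}
```

Unauthenticated ECDH like this still depends on each side knowing the other's public key is genuine, which is the role of the identity signatures listed under Identity & Signatures.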

Identity & Signatures

  • ML-DSA-65 (FIPS 204) post-quantum identity & prekey signatures
  • P-256 ECDSA for digital signatures (classical / legacy)

Video & Audio Calls

  • WebRTC with DTLS-SRTP encryption
  • Peer-to-peer connections when possible

Zero-Knowledge Architecture

NoChat operates on a zero-knowledge principle. This means we have designed our systems so that we cannot access your private data even if we wanted to:

  • Private keys never leave your device - encryption and decryption happen locally
  • No backdoors - there is no master key or special access
  • Subpoena-resistant - even with a court order, we cannot provide message content because we do not have access to it
  • Minimal metadata - we collect only what is necessary to deliver messages

Infrastructure Security

Our servers are protected with multiple layers of security:

  • All network traffic is encrypted with TLS 1.3
  • Built on open, standardized cryptography and available for independent review (no formal third-party audit completed yet)
  • Encrypted database storage
  • Strict access controls and monitoring
  • Automatic security updates

Auditable & Standards-Based

NoChat is built on open, standardized cryptography — not proprietary black boxes — so our security claims can be verified against public specifications:

  • Open standards: P-256 ECDH, AES-256-GCM, HKDF-SHA256, and ML-KEM / ML-DSA — no homegrown crypto
  • Security researchers can review our cryptographic design and primitives
  • A documented crypto inventory describes every primitive and where it runs
  • Transparency builds trust

Transparency & Accountability

We believe in radical transparency about how we operate. Here you can find verifiable proof that NoChat has not been compromised, along with regular reports on how we handle data requests.

Report a Vulnerability

We take security seriously and appreciate responsible disclosure. If you discover a security vulnerability, please report it to us:

security@nochat.io

We commit to acknowledging reports within 48 hours and providing regular updates on our progress toward a fix.

Security Best Practices

While NoChat protects your communications, you can further enhance your security:

  • Keep your app and device software up to date
  • Use a strong, unique password if you create an account
  • Verify contact identities through a separate channel when possible
  • Be cautious of links and files from unknown sources
  • Use device-level security features like screen lock and biometrics