
Security

Last updated: February 2026

Early Phase Notice

HansaChat follows established security best practices. Please note that the application is still in an early phase and not all planned security measures are implemented yet.

Infrastructure & Hosting

Hetzner Cloud - Germany (EU)

HansaChat runs exclusively on Hetzner Cloud servers, in a private Kubernetes cluster spread over two German locations (Falkenstein and Nuremberg). All data physically remains in Germany.

Encryption in Transit

HTTPS & TLS Encryption

We use HTTPS with TLS. Your data is encrypted between your browser and our servers, so your network provider or anyone else on the path cannot read or tamper with it in transit.

Encryption at Rest

Your Data

All your data, such as user details and messages, is stored in a self-hosted MySQL instance. It lives inside the private Kubernetes network, is password protected and is not reachable from outside that network. The database sits on a volume encrypted with Longhorn volume encryption.

Free and demo users share infrastructure. Each paid workspace has its own database.

Your Files

As of February 2026, all files are stored on self-hosted MinIO, also on encrypted volumes.

This is expected to change: Hetzner Object Storage will be used at a later point. We plan to use SSE-C (server-side encryption with customer-provided keys) when uploading your files to Hetzner storage, meaning the encryption key is supplied by HansaChat with each request and is not stored by the storage provider. See more details about SSE-C here.

End-to-End Encryption

Current Status & Future Plans

Because server-side features such as search operate on message content, full E2E encryption is not currently possible.

However, partial E2E support is planned to work as follows: the workspace admin generates a token and shares it with each user individually. The token is never stored on the server; it is kept only in the browser. As a consequence, all search capabilities are disabled for encrypted content, and if the key is lost there is no way to recover the data.

Note: This feature is currently not implemented and subject to change.

User Authentication Policy

  • Passwords are hashed with bcrypt using a per-password salt. Even if the database is stolen, passwords cannot be recovered directly.
  • 2FA is available and we highly recommend enabling it.
  • User sessions are protected with encrypted cookies and expire after inactivity.
  • Session IDs are regenerated on login to prevent session fixation.

Access Control & Roles

  • Every workspace member may join any public channel and read its content.
  • Any member of a private channel may invite any user. Users cannot join private channels on their own (except during creation).
  • Workspace admins or owners cannot see the content of private channels unless they are members of it.
  • Workspace admins and owners cannot see direct messages.
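
As an added example for this page, not HansaChat's implementation, the following encodes the four rules above as authorization checks. The data model is assumed: a workspace with a member-to-role map, channels with a visibility flag and a member set, and direct messages with a participant set. The point it demonstrates is that admin and owner roles grant nothing beyond ordinary membership for private channels and direct messages.

```javascript
// Illustrative authorization checks for the channel and DM rules above.
// Not HansaChat code; the data shapes (workspace.members as Map of id -> role,
// channel.visibility / channel.members, dm.participants) are assumptions.

function canReadChannel(workspace, channel, userId) {
  if (!workspace.members.has(userId)) return false;   // not in this workspace at all
  if (channel.visibility === 'public') return true;   // any member may read public channels
  // Private channels: membership is the only thing that counts. The caller's
  // role is deliberately never consulted, so admins and owners get no exemption.
  return channel.members.has(userId);
}

function canJoinChannel(workspace, channel, userId, { invitedBy = null, creating = false } = {}) {
  if (!workspace.members.has(userId)) return false;
  if (channel.visibility === 'public') return true;   // members may self-join public channels
  if (creating) return true;                           // the creator becomes the first member
  // Private channels: only an existing member can bring someone in, and a
  // non-member admin or owner cannot invite (they are not members either).
  return invitedBy !== null && channel.members.has(invitedBy);
}

function canReadDirectMessage(dm, userId) {
  // Only the participants; again, no role-based exemption.
  return dm.participants.has(userId);
}

// Constructed sample workspace: an owner, an admin and two ordinary members.
const ws = {
  members: new Map([['owner1', 'owner'], ['alice', 'admin'], ['bob', 'member'], ['carol', 'member']]),
};
const general = { visibility: 'public', members: new Set(['bob']) };
const secret = { visibility: 'private', members: new Set(['bob', 'carol']) };
const dmBobCarol = { participants: new Set(['bob', 'carol']) };

console.log('admin reads private channel:', canReadChannel(ws, secret, 'alice'));     // false
console.log('owner reads DM:', canReadDirectMessage(dmBobCarol, 'owner1'));            // false
console.log('member invited by member:', canJoinChannel(ws, secret, 'alice', { invitedBy: 'bob' })); // true
```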

Platform Level Access

HansaChat, as the platform operator, has the technical capability to access workspace data, including emails, messages, and channel memberships, strictly for maintenance, troubleshooting, or legal compliance. We respect your privacy and do not access your data without consent or necessity.

Data Retention & Deletion

  • Demo workspaces: Deleted after 24 hours.
  • Free workspaces: Deleted after 60 days of inactivity. User accounts that belong to no other workspace are deleted as well.
  • Paid workspaces: Never deleted while their subscription is active. If the subscription is cancelled, the workspace is switched to an "inactive" plan with read-only access for data export.

After subscription cancellation:

  • Your data will be deleted after 30 days (including the database and all uploaded files)
  • Backups will be deleted 30 days after the last backup

You may request deletion of your data under the GDPR.

Backups & Disaster Recovery

Not Production Ready

As of February 2026, there are no backups and no disaster-recovery procedure. The app is not production ready and is only available for testing.

Backups will be encrypted at rest, stored in multiple zones, and tested regularly once production-ready.

Logging & Monitoring

As of February 2026, HansaChat uses Sentry for error tracking and monitoring. This is expected to change in favor of self-hosted options such as Loki/Grafana.

No PII is included in the data collected by this monitoring.

Tracking & Analytics

As of March 2026, HansaChat is NOT using any solution for website analytics.

GDPR Compliance

As we host our services in Germany and operate within the European Union, we are fully committed to GDPR compliance. This includes:

  • Right to access your personal data
  • Right to rectification of inaccurate data
  • Right to erasure ("right to be forgotten")
  • Right to data portability
  • Right to object to processing

Questions About Security?

We take security seriously and are happy to answer any questions you may have about our security practices, data handling, or compliance.

Responsible Disclosure

If you discover a security vulnerability, please report it to us responsibly by emailing igor@hansa.chat. We will investigate all reports and work to address any issues promptly.