⚠️ Critical Security Information
OEH Chat does NOT use end-to-end encryption (E2EE).
This means:
- We CAN access your message content
- Your messages are NOT private from OEH Chat
- We can read messages for moderation and legal compliance
- Government agencies can request access to your data
If you require end-to-end encryption, please use apps like Signal, WhatsApp, or Telegram Secret Chats.
Introduction
At OEH Chat, we believe in transparency about our security practices. This document explains exactly how we protect your data, what we can access, and why we've chosen our current security model.
Unlike some messaging apps that use end-to-end encryption (E2EE), OEH Chat uses a server-side encryption model. This is a deliberate choice that allows us to provide certain features and comply with legal requirements, but it also means we have access to your message content.
Our Encryption Model
1. Data in Transit (TLS/HTTPS)
✓ What We Use
- TLS 1.2 and 1.3: Industry-standard transport layer security
- HTTPS: All API communications encrypted
- Certificate Pinning: Prevents man-in-the-middle attacks
- Perfect Forward Secrecy: Session keys expire after use
Protection: Data is encrypted while traveling between your device and our servers. Hackers cannot intercept readable messages during transmission.
2. Data at Rest (Server-Side Encryption)
✓ What We Use
- AES-256 Encryption: Military-grade encryption for stored data
- Encrypted Database: SQL Server Transparent Data Encryption (TDE)
- Encrypted Backups: All backups are encrypted
- Secure Key Management: Encryption keys stored separately from data
Protection: Data is encrypted on our servers. If someone steals a hard drive, they cannot read the data without our encryption keys.
3. What We DON'T Use (End-to-End Encryption)
✗ NOT Implemented
- End-to-End Encryption (E2EE): We do not encrypt messages in a way that only sender and recipient can decrypt
- Zero-Knowledge Architecture: We are not "zero-knowledge" - we can access your data
- Client-Side Encryption Keys: Encryption keys are managed by our servers, not your device
Impact: OEH Chat employees, administrators, and systems can technically access your message content. We can also provide this data to law enforcement when legally required.
Encryption Comparison
Here's how OEH Chat compares to other messaging apps:
| Feature | OEH Chat | Signal/WhatsApp | Telegram (Regular) |
|---|---|---|---|
| TLS Encryption (in transit) | ✓ YES | ✓ YES | ✓ YES |
| Server-Side Encryption (at rest) | ✓ YES | ✓ YES | ✓ YES |
| End-to-End Encryption (E2EE) | ✗ NO | ✓ YES | ✗ NO (Secret Chats only) |
| Company Can Read Messages | ✓ YES | ✗ NO | ✓ YES |
| Content Moderation Possible | ✓ YES | ✗ NO | ✓ YES |
| Cloud Sync Across Devices | ✓ YES | Limited | ✓ YES |
| Message History on New Devices | ✓ YES | ✗ NO | ✓ YES |
Why We Don't Use E2EE
We've chosen server-side encryption instead of end-to-end encryption for several important reasons:
1. Content Moderation and Safety
E2EE makes it impossible to detect and remove harmful content. By using server-side encryption, we can:
- Detect and remove CSAM: Child sexual abuse material is illegal and must be removed
- Fight terrorism: Prevent terrorist recruitment and planning
- Stop harassment: Remove bullying, threats, and hate speech
- Block spam and scams: Protect users from phishing and fraud
- Enforce Terms of Service: Ensure users follow our rules
2. Legal Compliance
- Law Enforcement Requests: We can comply with valid court orders and subpoenas
- Regulatory Requirements: Some jurisdictions require content moderation capabilities
- CSAM Reporting: We are legally required to report child exploitation
- Anti-Terrorism Laws: Must prevent use of platform for terrorism
3. User Experience Features
- Cloud Sync: Access full message history on any device instantly
- Multi-Device Support: Use multiple devices without manual sync
- Message Search: Search through all your messages on the server
- Lost Device Recovery: Don't lose messages if device is lost or broken
- Backup and Restore: Automatic cloud backups
4. Technical Limitations
- Group Chats: E2EE is complex for large groups with changing members
- Communities: E2EE doesn't work well for discoverable public communities
- Channels: One-to-many broadcasting requires server-side processing
- Cross-Platform: E2EE adds significant complexity across platforms
What OEH Chat Can Access
⚠️ Complete Access List
OEH Chat employees, administrators, and automated systems can potentially access:
Messages and Content
- All text messages
- Photos and videos
- Voice messages
- Documents and files
- GIFs and stickers
- Shared locations
- Poll questions and votes
- Message reactions
Account Information
- Phone number
- Profile name and photo
- Status message and bio
- Email address (if provided)
- Contact list
- Linked devices
- Login history
Communication Metadata
- Who you message
- When you message
- Message delivery status
- Read receipts
- Typing indicators
- Online/offline status
- Call duration and participants
Groups and Communities
- Group memberships
- Group messages
- Admin actions
- Community participation
- Channel subscriptions
- Broadcast list membership
What OEH Chat CANNOT Access
✓ Protected Data (Stored Locally Only)
- Biometric Data: Fingerprints and face recognition stay on your device only
- Local App Lock PIN: Never sent to our servers
- Device Passwords: Your device unlock codes
- Payment Information: Processed by Google Play, not us
- Call Content: Voice/video calls via Jitsi Meet (peer-to-peer when possible)
Who Has Access to Your Data
1. OEH Chat Employees
- Access Level: Strictly limited on need-to-know basis
- Who Can Access:
- Trust & Safety team (for content moderation)
- Customer support (with your explicit permission only)
- Engineering team (for debugging, with strict oversight)
- Legal team (for law enforcement requests)
- Safeguards:
- All access is logged and audited
- Employees sign confidentiality agreements
- Unauthorized access results in termination
- Regular security training
2. Automated Systems
- Content Moderation AI: Scans for illegal content (CSAM, terrorism)
- Spam Filters: Detect and block spam and scams
- Malware Scanners: Check files for viruses
- Analytics Systems: Aggregate usage data (not individual messages)
3. Law Enforcement
- We may provide data in response to valid legal requests
- Requires court order, subpoena, or search warrant
- We notify users when legally permitted
- We publish transparency reports (when volume permits)
4. Third-Party Services
- Firebase: Device tokens, analytics (no message content)
- Jitsi Meet: Call metadata during active calls only
- CheckMobi: Phone numbers for verification only
- Google Play: Payment transactions
Other Security Measures
Infrastructure Security
- Secure data centers with 24/7 monitoring
- Firewall protection
- Intrusion detection systems
- Regular security audits
- DDoS protection
Application Security
- Regular security updates
- Penetration testing
- Code review processes
- Vulnerability scanning
- Bug bounty program (planned)
Authentication Security
- Phone number verification
- Session management
- Device authorization
- Suspicious login detection
- Optional biometric app lock
Operational Security
- Employee background checks
- Access control and monitoring
- Incident response plan
- Regular backups
- Disaster recovery procedures
Your Security Best Practices
How to Stay Safe on OEH Chat
- Enable App Lock: Use biometric or PIN lock in Settings
- Monitor Linked Devices: Regularly check and remove unknown devices
- Don't Share Sensitive Info: Assume messages can be accessed by OEH Chat
- Use Secure Device: Keep your phone updated and protected
- Verify Contacts: Be sure you're talking to the right person
- Report Abuse: Report suspicious accounts and content
- Review Privacy Settings: Control who can see your profile and status
- Use Strong Passwords: Protect linked devices with strong credentials
Data Breach Response
In the event of a security breach:
- We will notify affected users within 72 hours
- Notification will include what data was compromised
- We will provide guidance on protective measures
- We will notify relevant authorities as required by law
- We will conduct a thorough investigation
- We will implement measures to prevent future breaches
Future Security Enhancements
We are continuously working to improve security. Potential future enhancements include:
- Optional E2EE: End-to-end encryption for one-on-one chats (opt-in)
- Two-Factor Authentication: Additional login verification
- Self-Destructing Messages: Auto-delete messages after a set time
- Verified Accounts: Blue checkmarks for authentic accounts
- Enhanced Privacy Mode: Additional privacy controls
- Security Key Support: Hardware security keys for login
Recommendations for Sensitive Communications
⚠️ Important Advice
If you need end-to-end encryption for sensitive communications, we recommend using apps that provide E2EE:
- Signal: Fully end-to-end encrypted, open source
- WhatsApp: E2EE by default for all chats
- Telegram Secret Chats: Optional E2EE for one-on-one chats
- Wire: E2EE for personal and business use
Use Cases for E2EE Apps:
- Sensitive business communications
- Medical or health information
- Financial discussions
- Whistleblowing or journalism
- Political activism in oppressive regions
- Legal communications
Security Contact
Questions or concerns about our security practices?
Security Team
Email: support@oehchat.com
For urgent security issues: Use PGP encryption (key available on request)
Vulnerability Disclosure
Found a security vulnerability? Please report it responsibly.
Email: support@oehchat.com
We appreciate responsible disclosure and will acknowledge reports within 48 hours.
Our Commitment to Transparency
We believe users deserve to know exactly how their data is protected. This disclosure document is part of our commitment to transparency. We will:
- Keep this document updated with any security changes
- Notify users of material changes to our security practices
- Publish transparency reports when volume permits
- Be honest about our capabilities and limitations
- Never mislead users about our encryption model