Security Notes
Product Security Position
WHOT uses moderated, encrypted chat. It must not be marketed or documented as end-to-end encrypted, because authorized staff can review retained content under controlled workflows.
Protected Assets
- Credentials and JWTs
- Invite tokens
- Message encryption keys
- Retained moderation archives
- Audit logs
Threats and Controls
| Threat | Control |
|---|---|
| Invite guessing or replay | High-entropy tokens, single-use redemption, expiry |
| Username confusion | Case-sensitive uniqueness and explicit user IDs |
| Unauthorized moderation | Role checks, reason capture, audit trails |
| Message disclosure | Envelope encryption, redacted logs, retention limits |
| WebSocket hijacking | JWT validation, origin checks, reconnect tokens, rate limiting |
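The invite-token controls in the table (high-entropy tokens, single-use redemption, expiry) as an added, self-contained example; this is illustration code, not WHOT's own implementation. The `InviteStore` class, its in-memory dictionary, the `pepper` argument and the seven-day default TTL are assumptions; the point is that only an HMAC of the token is stored, a token can be redeemed exactly once, and guessing, replay and expiry are each rejected with a distinct reason that can be written to the audit log.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_BYTES = 32                     # 256 bits from the OS CSPRNG; guessing is infeasible
DEFAULT_TTL_SECONDS = 7 * 24 * 3600  # assumed default; tune per product policy


class InviteStore:
    """Single-use, expiring invite tokens (hypothetical store, not WHOT code).

    Only an HMAC of each token is persisted, so a leaked table does not yield
    redeemable invites. `now` is injectable so expiry can be tested deterministically.
    """

    def __init__(self, pepper: bytes, now=time.time):
        self._pepper = pepper          # server-side secret, kept out of the database
        self._now = now
        self._invites = {}             # token_hash -> record

    def _digest(self, token: str) -> str:
        return hmac.new(self._pepper, token.encode(), hashlib.sha256).hexdigest()

    def issue(self, inviter_id: str, ttl: int = DEFAULT_TTL_SECONDS) -> str:
        """Mint a fresh token; the plaintext is returned once and never stored."""
        token = secrets.token_urlsafe(TOKEN_BYTES)
        self._invites[self._digest(token)] = {
            "inviter_id": inviter_id,
            "issued_at": self._now(),
            "expires_at": self._now() + ttl,
            "redeemed_by": None,
        }
        return token

    def redeem(self, token: str, user_id: str) -> tuple:
        """Return (accepted, reason). Reason is suitable for an audit entry."""
        rec = self._invites.get(self._digest(token))
        if rec is None:
            return False, "unknown"          # guessed or never issued
        if rec["redeemed_by"] is not None:
            return False, "replayed"         # single-use: second presentation fails
        if self._now() >= rec["expires_at"]:
            return False, "expired"
        rec["redeemed_by"] = user_id         # mark consumed before granting access
        rec["redeemed_at"] = self._now()
        return True, "ok"


if __name__ == "__main__":
    store = InviteStore(pepper=secrets.token_bytes(32))
    t = store.issue("alice")
    print(store.redeem(t, "bob"))       # (True, 'ok')
    print(store.redeem(t, "carol"))     # (False, 'replayed')
```

Lookup is by HMAC digest rather than by the raw token, so the token's own entropy is what protects it and a database read does not expose anything redeemable; the `replayed` and `expired` outcomes are deliberately distinguishable so the audit trail records which control fired.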
Retention and Privacy
| Data type | Default |
|---|---|
| Participant-facing messages | Removed after both participants read them |
| Retained archive copies | 30 days |
| Legal hold | Explicit override with audit trail |
| Auth and security logs | 90 days |
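The "Message disclosure" controls (redacted logs, retention limits) and the retention table above, worked through as an added example that is not WHOT's own code. The `Message` record, the `sweep` and `place_legal_hold` functions and the audit list are assumptions chosen to show the policy mechanically: participant-facing copies go once both participants have read a message, archive copies go after 30 days, a legal hold is an explicit, reasoned override that keeps the archive copy and leaves an audit entry, and nothing that reaches a log ever carries message content.

```python
from dataclasses import dataclass, field
from typing import Optional
import hashlib

DAY = 24 * 3600
ARCHIVE_RETENTION_SECONDS = 30 * DAY   # "Retained archive copies: 30 days"


@dataclass
class Message:
    """Hypothetical stored message; the body is only ever held encrypted."""
    message_id: str
    sender_id: str
    recipient_id: str
    ciphertext: bytes                  # envelope-encrypted body; never logged
    created_at: float
    read_by: set = field(default_factory=set)
    participant_copy: bool = True      # copy visible to the two participants
    archive_copy: bool = True          # retained moderation copy
    legal_hold: Optional[dict] = None  # explicit override, set only with a reason


def redacted_log_fields(msg: Message) -> dict:
    """The only message-derived fields a log or audit line may carry."""
    return {
        "message_id": msg.message_id,
        "ciphertext_len": len(msg.ciphertext),
        "ciphertext_sha256_prefix": hashlib.sha256(msg.ciphertext).hexdigest()[:12],
    }


def place_legal_hold(msg: Message, actor_id: str, reason: str, audit: list, now: float) -> None:
    """Explicit override: requires an actor and a non-empty reason, and is audited."""
    if not reason or not reason.strip():
        raise ValueError("legal hold requires a reason")
    msg.legal_hold = {"actor_id": actor_id, "reason": reason, "placed_at": now}
    audit.append({"event": "legal_hold_placed", "actor_id": actor_id,
                  "reason": reason, "at": now, **redacted_log_fields(msg)})


def sweep(messages: list, now: float, audit: list) -> list:
    """Apply the retention defaults; returns the actions taken for the audit trail."""
    actions = []
    for m in messages:
        both_read = {m.sender_id, m.recipient_id} <= m.read_by
        # Participant-facing copy: removed once both participants have read it.
        if m.participant_copy and both_read:
            m.participant_copy = False
            actions.append(("delete_participant_copy", m.message_id))
        # Archive copy: removed after 30 days unless a legal hold overrides that.
        if m.archive_copy and now - m.created_at >= ARCHIVE_RETENTION_SECONDS:
            if m.legal_hold is not None:
                actions.append(("retain_under_hold", m.message_id))
            else:
                m.archive_copy = False
                actions.append(("delete_archive_copy", m.message_id))
    audit.append({"event": "retention_sweep", "at": now, "action_count": len(actions)})
    return actions


if __name__ == "__main__":
    # Constructed sample data; the bodies are placeholder bytes, not real messages.
    now = 1_000_000.0
    audit = []
    old = Message("m1", "u1", "u2", b"\x00" * 16, now - 31 * DAY, read_by={"u1", "u2"})
    held = Message("m2", "u1", "u2", b"\x01" * 16, now - 31 * DAY, read_by={"u1"})
    place_legal_hold(held, "staff-7", "hypothetical ticket LH-1", audit, now)
    print(sweep([old, held], now, audit))
```

The hold is modelled as protecting only the retained archive copy, which is an assumption about product behaviour; the participant-facing copy still follows the read-state rule. Every audit entry is built from `redacted_log_fields`, so adding a new log site cannot accidentally include ciphertext or plaintext.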
Security Handover Notes
- Keep privileged access explicit and auditable.
- Keep production secrets out of source control and development fallbacks disabled in production.
- Preserve the wording distinction between encrypted chat and end-to-end encryption in product, policy, and App Store materials.
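The second handover note (no development fallbacks in production) as an added startup check; this is illustration code, not WHOT's configuration loader. The `APP_ENV` and `JWT_SECRET` variable names, the `DEV_FALLBACK_SECRET` value and the 32-byte minimum are assumptions. The check refuses to start a production process whose signing secret is missing, too short, or equal to the development fallback, while still letting a developer run locally without one.

```python
import os

DEV_FALLBACK_SECRET = "dev-only-not-a-secret"   # hypothetical; acceptable only outside production
MIN_SECRET_BYTES = 32                            # assumed floor for an HMAC signing key


class ConfigError(RuntimeError):
    """Raised at startup so a misconfigured production process never serves traffic."""


def load_jwt_secret(environ=None) -> str:
    """Return the JWT signing secret for this process.

    Production: the secret must be supplied by the environment (populated from a
    secret manager, never from source control), must be long enough, and must not
    be the development fallback. Any other environment may use the fallback.
    """
    environ = os.environ if environ is None else environ
    env = environ.get("APP_ENV", "development")
    secret = environ.get("JWT_SECRET")
    if env == "production":
        if not secret:
            raise ConfigError("JWT_SECRET is not set in production")
        if secret == DEV_FALLBACK_SECRET:
            raise ConfigError("development fallback secret is disabled in production")
        if len(secret.encode()) < MIN_SECRET_BYTES:
            raise ConfigError("JWT_SECRET is shorter than %d bytes" % MIN_SECRET_BYTES)
        return secret
    # Non-production: allow the fallback, but prefer a real value when one is given.
    return secret or DEV_FALLBACK_SECRET


if __name__ == "__main__":
    # Constructed environments standing in for the real process environment.
    print(load_jwt_secret({"APP_ENV": "development"}) == DEV_FALLBACK_SECRET)   # True
    try:
        load_jwt_secret({"APP_ENV": "production", "JWT_SECRET": DEV_FALLBACK_SECRET})
    except ConfigError as e:
        print("refused:", e)
```

Running the check once at process start, before any listener is bound, turns a silent fallback into a visible failure that shows up in deployment logs instead of in a token-forgery incident.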