End-to-end encryption
Every message and call is encrypted on your device before it leaves. Built on widely audited cryptographic foundations.
End-to-end encrypted messaging, calls and meetings, with the retention, legal-hold and discovery controls a regulated firm actually needs. Built for law firms, FCA-regulated advisers, accountants, healthcare clinics, defence suppliers, local-government contractors, registered charities and lettings agents — anyone where "good enough" isn't.
30-minute sandbox · no credit card · auto-deleted when you leave
End-to-end encryption isn't a feature here — it's the architecture. Your conversations are readable on your device and the recipient's. Not on ours, not in transit, not at rest.
Each device generates and holds its own keys. Nothing key-shaped lives on our servers.
If a key is ever compromised, past conversations stay protected. Sessions heal themselves.
There is no admin override, no support peek, no "we'll look into it for you".
Features
Every message and call is encrypted on your device before it leaves. Built on widely audited cryptographic foundations.
One-to-one and multi-party group calls with screen-sharing, background blur, picture-in-picture, pinned-speaker view, live network-quality indicators, hand-raise and emoji reactions. Native lock-screen ringing — calls feel like calls, not notifications.
Encrypted group threads with @mentions, replies, edits, reactions, forward-with-attribution, pinned messages, per-recipient delivered & read status, and disappearing-message timers. Every message stays end-to-end encrypted as members join and leave.
Use the same account on your phone, tablet, and laptop. Each device has its own keys, so adding or removing a device never compromises the rest.
Within-conversation search and global cross-thread search — but the index lives on your device, not on our servers. We can't read your search history because we don't have it.
Photos, voice notes, videos and files travel under the same end-to-end protection as your messages. Record meetings with two-side consent banners; share recordings via password-protected links that expire.
Face ID, Touch ID, or fingerprint required to open the app — separate from your device unlock. So if a colleague borrows your unlocked laptop, your messages stay private.
Native push on iOS (APNs) and Android (FCM), plus web push for desktop. Notifications carry no message content — your device decrypts the payload locally.
Out-of-band safety numbers let people prove who they're talking to via a QR code. Administrators can sign their staff's keys for an extra "Verified by your organisation" indicator — Signal-style trust, scoped to your firm.
For organisations that need their data to stay on their own infrastructure. Designed with UK / EU data residency, sovereignty, and right-to-erasure in mind from day one.
Modern, fast, mobile-first — the kind of interface staff stop comparing to WhatsApp because it doesn't suffer by comparison. Built for sensitive conversations.
1:1 & group conversations
Everything you expect from a modern messenger, with classification and verification baked into every conversation header. Internal, external, guest — at a glance.
Calls & meetings
Voice, video, group meetings. Recording requires explicit consent from every participant — and the recording is encrypted on the way out, just like the call itself.
Identity you can trust
Out-of-band safety numbers prove who's on the other end. Your administrators can sign their staff's identity keys — so a green "Verified by your firm" badge actually means something.
Compliance & control
End-to-end encryption protects the conversation. The compliance toolkit protects the organisation — so your IT, legal and compliance teams can say yes.
Set an organisation-wide retention floor and ceiling — and layer department-specific overrides on top. Keep Legal's records for seven years while Engineering auto-purges at ninety days. The same controls every regulator already expects.
One click freezes a user's communications from auto-deletion, indefinitely, with an immutable audit trail. Held records cannot be purged by retention rules — and the held user can keep messaging, transparently to them.
Build a discovery manifest scoped by custodian, date range, conversation, team or department. The export is encrypted to a key your compliance officer holds — not us — so you stay zero-knowledge while remaining lawfully accessible.
Daily encrypted backups with an automated restore-verification drill running every night. Documented DR procedure with stated RTO and RPO. The boring stuff, actually done.
Every administrator action — config change, policy update, user-management event, discovery export — appended to a chained log that surfaces tampering on inspection. Auditable from inside the product.
Plug into the identity provider your organisation already runs. Users sign in with their existing credentials; teams and roles can be provisioned and deprovisioned automatically as people join and leave.
Optional, opt-in compliance journalling. When you turn it on, the key to read the archive sits with your designated compliance officer. Never with us. Never duplicated.
Platforms
A real native app on every platform — designed to feel right at home on iOS, Android, and the web. Built once, polished for each.
Coming soon to the App Store
Coming soon to Google Play
Available now
Native iOS and native Android, with the same end-to-end protection and the same compliance toolchain as the web. Staff already know how to use it.
An admin portal that auditors actually like. Five production roles, every capability shown — nothing hidden, nothing behind a feature flag, nothing surprising during procurement review.
Run it on your own infrastructure, behind your firewall, with your backup regime. UK-incorporated operating company, source-escrow available, perpetual licence option. Lock-in is not in the business model.
Who it's for
Consumer messengers were never designed for SRA supervision, FCA principles, CQC oversight or any other regulator that cares how you communicate. This was.
Client-confidential matter discussion with verifiable identity, per-matter access scoping, retention that matches your file-retention policy, and discovery export that holds up in court. SRA outcomes-focused, not feature-bloated.
Recorded and retained communications by department, immutable audit trail, and the option to deploy on your own UK infrastructure. The controls your compliance officer needs without the consumer-app distractions clients dislike.
Encrypted client correspondence, secure file exchange for sensitive documents, and clear separation between personal and professional channels. AML-friendly retention without the headache of email archiving.
Private patient-facing communication that meets confidentiality expectations, with role-based access for clinicians, support staff and external specialists. Data stays where you put it.
Self-hosted deployment on your own perimeter, encrypted end-to-end on top, with the cryptographic posture and audit story your government customer's security reviewer is going to ask for. UK incorporation; no US data-transfer dependency.
UK / EU data residency, GDPR-aligned by design, listed on the path to G-Cloud / Digital Marketplace. Communications that scale from a single contract to a multi-site programme without changing tooling.
Safeguarding-grade confidentiality for sensitive beneficiary conversations, trustee-deliberation records, and donor data — without handing it all to a US-hosted operator. Charity-rate pricing for registered charities.
Defensible records of tenant and landlord communications, retention aligned to ARLA Propertymark / RICS / TPO expectations, and audit trails that hold up under deposit-dispute or redress review. Mobile-first so staff actually use it.
External collaboration
The hard part of secure messaging at a regulated firm isn't keeping outsiders out — it's letting the right ones in, narrowly. Two purpose-built lanes for it.
Invite a client or vendor to ONE secure thread for a specific matter. They claim the invite, get a persistent encrypted identity scoped to that conversation only, and never see the rest of your directory. Revoke with one click when the engagement ends.
For longer engagements where one thread isn't enough — contracted experts, partner-firm staff, seconded advisers. They sign in via your identity provider, get a persistent identity, but can only see the people and teams you've explicitly listed. No accidental directory leakage to anyone external.
Security
The full posture lives on the Trust Center — sub-processors, threat model, DPA, security questionnaire. Below is the short version.
Every message is encrypted on your device before it leaves and only decrypted on the recipient's device. The data that travels through our servers is opaque — not just to outsiders, but to us as well.
Each conversation continuously rotates its encryption keys. Old messages can't be recovered just because someone has a current key — a property commonly known as forward secrecy. We apply it across every conversation.
We don't sell ads, we don't sell data, and our business model has nothing to do with analyzing what you say. Operational telemetry stays operational — error reports, performance metrics, nothing about message content or who you talk to.
Data protection is built in, not bolted on. As a UK-incorporated company we operate under UK GDPR with clear obligations on data minimisation, transparency, and your right to erasure. Your data is treated as yours.
We publish a security.txt contact for responsible disclosure, restrict our certificate authorities via CAA DNS records, enforce HTTPS everywhere with HSTS, and pin certificates in our mobile apps. The fundamentals, done right.
Privacy claims are only as good as what they actually do. We design every feature so that the security model is the same whether you trust us or not — your data stays protected by mathematics, not policy.
FAQ
Yes. Encryption happens on your device before any message leaves it, and decryption happens on the recipient's device after it arrives. Everything in between is opaque ciphertext. This applies to text, voice notes, calls, photos, videos, and files.
Regulated UK organisations and the teams inside them — law firms under SRA supervision, FCA-regulated advisers and fintechs, accountants, healthcare clinics, defence suppliers, local-government contractors, registered charities, lettings agents and property managers, and any SME where "good enough" privacy isn't. Not for casual consumer chat.
Administrators set an organisation-wide minimum and maximum retention. Messages younger than the minimum cannot be "deleted for everyone" — the floor your regulator already expects. Messages older than the maximum are auto-archived and purged on a defined schedule, with legal-hold exclusions for matters under investigation. Department-level overrides let Legal keep records for seven years while Engineering auto-purges at ninety days.
Yes. Administrators can build a discovery manifest scoped by custodian, date range, conversation, team or department, and download it for offline decryption with a key held by your compliance officer — not by us. We stay zero-knowledge throughout, while the export itself holds up to evidentiary scrutiny.
Yes. We integrate with the identity provider your organisation already runs, and we can synchronise users, teams and roles automatically as people join, change role, or leave. Limited-member access lets you give external collaborators a persistent identity scoped only to the teams you want them to see.
Yes. Self-hosting on your own UK / EU perimeter is a first-class option and was designed for from day one. If your organisation has data-residency or sovereignty requirements, get in touch at info@chattriix.com and we'll talk through it.
One-off perpetual licence — see our pricing page. From £8,000 (1-25 seats) up to £75,000+ (200+ seats), plus a 20% annual maintenance fee from year two for security patches, version upgrades and support. Tier reflects deployment shape, not feature gating — every tier ships the full feature set.
Coming to the App Store and Google Play. The web app at colab.chattriix.com is available today with the same security model.
We collect the minimum data needed to operate the service. You can request deletion of your account and associated data at any time. We do not sell data, do not run advertising, and do not analyse the contents of your communications.
30-minute interactive demo — no credit card, your sandbox auto-deletes when you're done. The web client is live for authorised users; iOS and Android apps are coming soon.