Six pillars. No shortcuts.
These are the practices we run by, written so an engineer at your company can verify them on a call.
Encryption that does not bend
Every byte of customer data is encrypted at rest with AES-256 and in transit with TLS 1.2 or higher. We never store secrets in plaintext, including credentials we hold for your integrations.
- AES-256 encryption at rest on every database, object store, and backup volume.
- TLS 1.2+ on every public endpoint with HSTS preload, perfect forward secrecy, and modern cipher suites.
- Integration credentials (Shopify, WordPress, Stripe, and others) encrypted with AWS KMS-equivalent envelope encryption.
- Encryption keys rotated quarterly. Master keys never leave the HSM.
Access controls with teeth
Production access is gated by SSO + MFA, audited quarterly, and logged immutably for at least 12 months. We follow the principle of least privilege religiously, including for ourselves.
- MFA is required for every engineer with production access. No exceptions.
- SSO via Google Workspace or Microsoft Entra ID for your team. SAML 2.0 supported on Enterprise.
- Role-based access control with admin / supervisor / agent roles, scoped by department.
- Quarterly access reviews. Anyone who has not used a permission in 90 days loses it.
- Immutable audit log retained for 12 months. SIEM forwarding available on Enterprise.
Workspace isolation at the row level
Customer data is isolated using Postgres row-level security. Even an engineer with database access cannot query across workspaces without explicit, logged escalation.
- Postgres RLS policies on every customer-facing table.
- Application-level workspace scoping in every API endpoint.
- Cross-workspace queries blocked by default. Escalation requires a second approver and a logged justification.
- Static analysis on every PR prevents new endpoints from skipping workspace scoping.
AI that never trains on your data
Our AI is self-hosted and private by default. Customer conversations are not used to train models, and they are not sent to OpenAI, Anthropic, or any third-party model provider for the features that use AI.
- Chat, ticket, and phone AI run on infrastructure we operate. Your conversations stay in your account and never leave our infrastructure.
- Customer data is used at inference time only, never for training or fine-tuning.
- Retrieval-augmented generation (RAG) grounds responses in the customer's own knowledge base, so the model cannot invent facts.
- If you connect an external model (OpenAI, Anthropic), it is opt-in and we surface the data flow in the workspace.
Infrastructure we run
We run our own infrastructure. Self-hosted phones, self-hosted AI, and self-hosted everything that matters, so the parts that touch your data stay under our control.
- Compute and database hosted on DigitalOcean in SOC 2 Type II-audited US and EU regions.
- Carrier-grade SIP on our own voice infrastructure, so calls stay on systems we operate.
- AI inference runs on self-hosted infrastructure on a dedicated private network.
- Object storage encrypted at rest. CDN delivery via Cloudflare with secure presigned URLs.
Resilience and backups
Encrypted backups every hour, restored monthly to validate. Designed for 99.99% availability with documented incident response.
- Hourly encrypted Postgres backups retained for 30 days.
- Monthly disaster recovery drill that restores from cold backup and validates row-level integrity.
- Documented incident response plan with named on-call rotation and a 30-minute paging SLA.
- Public status page at status.message.com with uptime and incident history.
Where we stand on the alphabet soup.
We list what is shipped, what is in progress, and what is out of scope. We do not list certifications we have not earned.
Found a vulnerability?
Email [email protected] with a clear write-up. We acknowledge within 24 hours, triage within 72, and follow up with a patch ETA and a CVE if applicable.
We do not run a public bug bounty yet, but we pay for valid reports in line with severity. Critical issues are paid the same day we triage them.
Please do not test against live customer data. We will provision a sandbox workspace within an hour of your first email if you need one.
Security questionnaire?
Send the questionnaire (SIG, CAIQ, custom) to [email protected]. We turn most responses around in two business days and can sign an NDA first if needed.
SOC 2 report?
SOC 2 Type II is in progress. The interim Type I report is available under NDA on request.
Request the package →One inbox. Audited stack.
Trial Message free for 14 days. Your data lands in an isolated workspace from minute zero, with the same encryption and access controls as our largest customers.
Start free trial →