Beta Version: This is a beta release. Data loss may occur and we cannot be held liable for any lost data. Use at your own risk.

Your Messages Are Truly Private

Sleutl uses the Signal Protocol - the same encryption trusted by journalists, activists, and security experts worldwide. We cannot read your messages, and neither can anyone else.

End-to-End Encrypted
Zero Knowledge
Perfect Forward Secrecy

End-to-End Encryption

Every message is encrypted before it leaves your device. The encryption keys exist only on your device and the recipient's device - never on our servers.

  • AES-256 for symmetric encryption
  • Curve25519 for key exchange
  • HMAC-SHA256 for authentication

Perfect Forward Secrecy

Each message uses unique encryption keys. Even if one key is compromised, it cannot decrypt past or future messages - each conversation starts fresh.

  • New keys for every message
  • Double Ratchet Algorithm
  • Compromised keys are useless

Signal Protocol

We use the Signal Protocol (X3DH + Double Ratchet) - the gold standard in secure messaging, independently audited and used by billions worldwide.

  • Extended Triple Diffie-Hellman (X3DH)
  • Double Ratchet key management
  • Async-safe key exchange

Zero Knowledge

We're designed so we cannot read your messages even if we wanted to. No backdoors, no master keys - mathematical privacy you can verify.

  • Server sees only encrypted data
  • No metadata logging
  • Cannot comply with content requests

How the Signal Protocol Works

A step-by-step look at how your messages are protected

1. Key Generation

When you create an account, your device generates multiple cryptographic key pairs: an identity key (long-term), signed prekeys, and one-time prekeys. Your private keys never leave your device.

2. Key Exchange (X3DH)

When you start a conversation, the Extended Triple Diffie-Hellman protocol establishes a shared secret. This happens without either party needing to be online simultaneously, using prekeys uploaded to our server.

3. Double Ratchet

Once a session is established, the Double Ratchet algorithm derives new encryption keys for each message. This provides forward secrecy and break-in recovery - compromising one key doesn't affect others.

4. Message Encryption

Your message is encrypted using AES-256 with the current session key, authenticated with HMAC-SHA256. The encrypted payload is sent to our server, which delivers it without being able to read it.

5. Decryption

Only the recipient's device has the keys to decrypt the message. After decryption, the session ratchets forward, ensuring each message has unique encryption.
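
Steps 3 to 5 above, as an added example in Node.js (not Sleutl's code and not part of the original page): a symmetric-key ratchet derives a fresh message key per message, which is expanded into an AES-256-CBC key, an HMAC-SHA256 key and an IV, and the receiver verifies the tag before decrypting. Assumptions: the function names, the HKDF info string and the initial secret are constructed for illustration; the HMAC constants and 80-byte HKDF expansion follow the recommendations in the public Double Ratchet specification; the Diffie-Hellman ratchet and message headers are not modeled.

```javascript
const nodeCrypto = require('node:crypto');

const hmac = (key, data) => nodeCrypto.createHmac('sha256', key).update(data).digest();

// One KDF-chain step: derive a one-off message key and the next chain key.
// Inputs 0x01 / 0x02 are the separate constants the Double Ratchet spec suggests.
function ratchetStep(chainKey) {
  return {
    messageKey: hmac(chainKey, Buffer.from([0x01])),
    nextChainKey: hmac(chainKey, Buffer.from([0x02])),
  };
}

// Expand a message key into an AES-256 key, an HMAC key and an IV (HKDF-SHA256, 80 bytes).
function expand(messageKey) {
  const okm = Buffer.from(
    nodeCrypto.hkdfSync('sha256', messageKey, Buffer.alloc(32), 'example-message-keys', 80));
  return { encKey: okm.subarray(0, 32), macKey: okm.subarray(32, 64), iv: okm.subarray(64, 80) };
}

// Sender: encrypt-then-MAC with the current message key, then advance the chain.
function seal(state, plaintext) {
  const { messageKey, nextChainKey } = ratchetStep(state.chainKey);
  const { encKey, macKey, iv } = expand(messageKey);
  const cipher = nodeCrypto.createCipheriv('aes-256-cbc', encKey, iv);
  const ciphertext = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  state.chainKey = nextChainKey; // the previous chain key is no longer referenced
  return { ciphertext, tag: hmac(macKey, ciphertext) };
}

// Receiver: verify the tag before decrypting; advance the chain only on success.
function unseal(state, { ciphertext, tag }) {
  const { messageKey, nextChainKey } = ratchetStep(state.chainKey);
  const { encKey, macKey, iv } = expand(messageKey);
  const expected = hmac(macKey, ciphertext);
  if (tag.length !== expected.length || !nodeCrypto.timingSafeEqual(tag, expected)) {
    throw new Error('authentication failed');
  }
  const decipher = nodeCrypto.createDecipheriv('aes-256-cbc', encKey, iv);
  const plaintext = Buffer.concat([decipher.update(ciphertext), decipher.final()]).toString('utf8');
  state.chainKey = nextChainKey;
  return plaintext;
}

// Constructed stand-in for the 32-byte shared secret that X3DH would produce.
const sharedSecret = nodeCrypto.createHash('sha256').update('constructed demo secret').digest();
const alice = { chainKey: sharedSecret };
const bob = { chainKey: Buffer.from(sharedSecret) };
```

Because each step replaces the chain key with a one-way HMAC output, a chain key captured after message N cannot be run backwards to recover the keys for messages 1 to N.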

Comprehensive Data Protection

Security isn't just about encryption - it's about protecting all aspects of your data

Transport Security

All connections use TLS 1.3 with strong cipher suites. Certificate pinning prevents man-in-the-middle attacks.

Database Encryption

Personal data (email, phone) is encrypted at rest using AES-256. Even database breaches don't expose your information.

Secure Authentication

Passwords are hashed using bcrypt with high work factors. JWT tokens are short-lived and securely signed.

Minimal Metadata

We minimize metadata collection. We don't log IP addresses, timestamps of messages, or communication patterns.

Local Key Storage

Encryption keys are stored in your browser's secure storage (IndexedDB with encryption). They never leave your device.

Disappearing Messages

Set messages to auto-delete. Once expired, they're permanently removed from both devices and our servers.

Security Comparison

See how Sleutl compares to other messaging platforms

Feature Sleutl WhatsApp Telegram iMessage
E2E Encryption by Default
Signal Protocol
Perfect Forward Secrecy Partial
No Metadata Collection
Encrypted Group Chats
Disappearing Messages
No Phone Number Required
Independent from Big Tech

Security FAQ

Can Sleutl read my messages?
No. Messages are encrypted on your device before being sent, and only the recipient has the keys to decrypt them. We never have access to your message content, and this is mathematically provable - not just a policy promise.

What happens if Sleutl is hacked?
Even if our servers were compromised, attackers would only see encrypted data they cannot decrypt. Your private keys exist only on your device. Personal account data (email, phone) is additionally encrypted at rest, providing another layer of protection.

Can law enforcement access my messages?
We cannot provide message content even if legally compelled because we don't have the keys to decrypt it. We may be required to provide limited account information (encrypted email/phone) if presented with valid legal requests, but never message content.

What if I lose my device?
Your encryption keys are stored on your device. If you lose access, you'll need to re-establish secure sessions with your contacts. We're working on optional encrypted backup features, but we'll never compromise security for convenience.

Are group chats encrypted?
Yes. Group messages are encrypted using sender keys - each message is encrypted once and distributed to all members. Each member has their own key to decrypt messages, maintaining full end-to-end encryption for all group communications.

How can I verify Sleutl is secure?
We use the well-documented Signal Protocol, which has been independently audited by security researchers worldwide. Our implementation follows the specification precisely. We're working toward making our code open source for community verification.

Found a Security Issue?

We take security seriously. If you discover a vulnerability, please report it responsibly.

security@sleutl.com
