Security

Last updated: February 2026

Early Phase Notice

HansaChat follows security best practices. Please note that the application is still in an early phase and not all planned security measures are implemented yet.

Infrastructure & Hosting

Hetzner Cloud - Germany (EU)

HansaChat runs exclusively on Hetzner cloud servers, on a private Kubernetes cluster spread across several zones (Falkenstein and Nuremberg). All data physically remains in Germany.

Encryption in Transit

HTTPS & TLS Encryption

We use HTTPS and TLS. Your data is encrypted between your browser and our servers. Your provider or any other man-in-the-middle cannot see it.

Encryption at Rest

Your Data

All your data, such as user details or messages, will be stored in a self-hosted MySQL instance. It is located within the private Kubernetes network and is password-protected. It is not possible to access the database from outside the Kubernetes network. The database is located on an encrypted volume using Longhorn volume encryption.

All free and demo users have shared infrastructure. All paid workflows have their own database.

Your Files

As of February 2026, all files are stored on self-hosted MinIO, located on encrypted volumes as well.

This is expected to change and Hetzner Object Storage will be used at a later point. We plan to use SSE-C when uploading your files to Hetzner storage. See more details about SSE-C here.

User Authentication Policy

  • Passwords are securely hashed using bcrypt with automatic salts. Even if the database is stolen, passwords cannot be directly recovered.
  • 2FA is available, and enabling it is highly recommended.
  • User sessions are protected with encrypted cookies and expire after inactivity.
  • Session IDs are regenerated on login to prevent hijacking.

Access Control & Roles

  • Every workspace member may join any public channel and read its content.
  • Any member of a private channel may invite any user. Users cannot join private channels on their own (except during creation).
  • Workspace admins or owners cannot see the content of a private channel unless they are members of that channel.
  • Workspace admins and owners cannot see direct messages.
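
A minimal model of the rules listed above, added here as an illustration and not HansaChat's own code. The class and function names are hypothetical, and it assumes an invitee must already belong to the workspace.

```python
from dataclasses import dataclass, field

@dataclass
class Channel:
    private: bool
    members: set = field(default_factory=set)

@dataclass
class Workspace:
    roles: dict                      # user -> "member" | "admin" | "owner"
    channels: dict = field(default_factory=dict)

    def create_channel(self, creator, name, private):
        if creator not in self.roles:
            raise PermissionError("not a workspace member")
        # Creation is the only path by which a user self-joins a private channel.
        self.channels[name] = Channel(private, {creator})

    def can_read(self, user, name):
        ch = self.channels[name]
        if user not in self.roles:
            return False
        # The role is deliberately never consulted: admins/owners get no override.
        return (not ch.private) or user in ch.members

    def join(self, user, name):
        ch = self.channels[name]
        if user not in self.roles or ch.private:
            raise PermissionError("self-join is allowed for public channels only")
        ch.members.add(user)

    def invite(self, inviter, invitee, name):
        ch = self.channels[name]
        if inviter not in ch.members:
            raise PermissionError("only channel members may invite")
        if invitee not in self.roles:   # assumption: invitee is in the workspace
            raise PermissionError("invitee is not in this workspace")
        ch.members.add(invitee)

def can_read_dm(user, participants):
    # Direct messages are visible to their participants only, whatever the role.
    return user in participants

def denied(action, *args):
    """Return True when the action raises PermissionError."""
    try:
        action(*args)
        return False
    except PermissionError:
        return True
```

The case worth testing in any implementation of these rules is the owner who is not a channel member: reading, self-joining and self-inviting must all fail until an existing member invites them.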

Platform Level Access

HansaChat, as the platform operator, has the technical capability to access workspace data, including emails, messages, and channel memberships, strictly for maintenance, troubleshooting, or legal compliance. We respect your privacy and do not access your data without consent or necessity.

Backups & Disaster Recovery

Not Production Ready

As of February 2026, there are no backups and no disaster recovery. The app is not production ready and is only available for testing.

Once the app is production-ready, backups will be encrypted at rest, stored in multiple zones, and tested regularly.

Logging & Monitoring

As of February 2026, HansaChat is using Sentry for error handling and monitoring. This is expected to change in favor of self-hosted options such as Loki/Grafana.

No PII is collected.

Tracking & Analytics

HansaChat collects only basic information such as your browser name, country and visited pages. We do not log IP addresses or any information that may identify you. All of this information is stored in a self-hosted service and is not transferred to any third parties.

GDPR Compliance

As we host our services in Germany and operate within the European Union, we are fully committed to GDPR compliance. This includes:

  • Right to access your personal data
  • Right to rectification of inaccurate data
  • Right to erasure ("right to be forgotten")
  • Right to data portability
  • Right to object to processing

Questions About Security?

We take security seriously and are happy to answer any questions you may have about our security practices, data handling, or compliance.

Responsible Disclosure

If you discover a security vulnerability, please report it to us responsibly by emailing igor@hansa.chat. We will investigate all reports and work to address any issues promptly.