HAMAHAMA
UZ RU EN
KNOWLEDGE BASE

Data protection in a corporate messenger

Conversations and files become truly secure only when they are guarded by several independent layers rather than one. Here is what each layer does and what to look for when choosing a tool.

In short

Data protection in a corporate messenger is not a single technology: E2E encryption, TLS 1.3 in transit, an encrypted local database (SQLCipher), keys in the OS secure store and RBAC access control all have to work at once. If one link is missing, the whole chain breaks.

Why one layer of encryption is not enough

For many people, data protection in a corporate messenger comes down to one question: "are the messages encrypted?" In reality a message passes through several states during its life: it is created on your device, sent over the network, routed on the server and stored on the recipient's device. Each state has its own threat — and each needs its own protection.

That is why a serious solution is built around defense in depth: even if one layer is breached, the data stays protected by the next. Let's walk through the key layers in order.

End-to-end encryption of messages

End-to-end (E2E) encryption encrypts a message on the sender's device and decrypts it only on the recipient's device. The server sees only the encrypted bytes and cannot read the text. The modern standard is the Signal protocol: key agreement via X3DH and a fresh key for every message via the Double Ratchet.

  • Forward secrecy — even if one key is compromised, older messages stay protected.
  • Group chats — typically encrypted with a symmetric group key (AES-256-GCM).
  • The server never sees the content — this is the core difference between E2E and ordinary "server-side encryption".

Data on the device (encryption at rest)

E2E only protects data "in transit". But once a message is received, it is stored in the device's local database. If that database is in plaintext, the entire message history can be read from a stolen or uncontrolled laptop.

The fix is to encrypt the local database. On desktop clients a common approach is SQLCipher: a layer on top of SQLite where the whole database file is written to disk encrypted with AES. Even if the database file is stolen, it cannot be opened without the key.

Important: an encrypted database only makes sense if the key is stored securely. If the key simply sits in a file next to the database, the encryption is almost pointless.

Keys in the OS secure store

The most sensitive element is the encryption keys. They must not be sent to the server, appear in logs, or sit in a plain configuration file. The right approach is to hand the keys to the operating system's dedicated secure store:

  • Windows — DPAPI / Credential Manager, bound to the user session.
  • macOS — Keychain.
  • Linux — Secret Service (keyring).

Then only the correct user, and only within their own session, can unlock the key. Someone who logs in under a different profile or mounts the disk separately cannot reach it.

Protection in transit, access control and data residency

Three more important elements complete the defense in depth:

  • TLS 1.3 — all traffic between the device and the server travels through an encrypted channel. This protects metadata and authentication tokens from man-in-the-middle attacks.
  • RBAC (role-based access control) — defines at the role level who can access which channels, documents and modules. It guards against insider threats and excessive privileges.
  • Data residency — whichever country the servers sit in, that jurisdiction applies. For organizations in Uzbekistan, keeping data inside the country or in their own infrastructure is a sovereignty requirement.

A practical checklist

  • Are messages truly E2E (the server never sees plaintext)?
  • Is the local database encrypted on disk (at rest)?
  • Are keys stored in the OS secure store?
  • Does all traffic run over TLS 1.3?
  • Is access restricted by roles (RBAC)?
  • Where is the data physically stored, and who is the provider?

How HAMA handles this

HAMA — a single secure platform for organizations in Uzbekistan — combines all of the layers above:

  • Messages are E2E encrypted with the Signal protocol (X3DH + Double Ratchet); groups use AES-256-GCM.
  • The local database is encrypted with SQLCipher, so data is protected at rest on the device.
  • Encryption keys are stored in the operating system's secure store.
  • All transport runs over TLS 1.3 only.
  • Access is governed by RBAC; available modules include the messenger, video conferencing, HR/org structure, helpdesk and more.
  • The server is hosted in a secure data center in Uzbekistan or in the organization's own infrastructure (on-premise) — data stays in Uzbekistan.

HAMA is also preparing for compliance with O'z DSt ISO/IEC 27001:2023 and the PP-167 requirements (critical information infrastructure).

Frequently asked questions

If there is E2E encryption, do I still need to encrypt the local database?

Yes. E2E protects a message only while it travels across the network, but the received message is stored on the device. If the local database is in plaintext, it can be read from a stolen laptop. So the database must be encrypted (for example with SQLCipher), and the key kept in the OS secure store.

Where are the encryption keys stored?

With a sound approach the keys live neither on the server nor in a plain file. They are held in the operating system's secure store — Windows DPAPI/Credential Manager or macOS Keychain — and are unlocked only within the correct user's session.

Why does it matter where the data physically resides?

The jurisdiction and laws of the country where the servers sit determine who can access the data. For organizations in Uzbekistan, keeping servers inside the country or in their own infrastructure matters for sovereignty and PP-167 requirements.

How does HAMA protect data?

HAMA combines E2E encryption on the Signal protocol (X3DH + Double Ratchet), TLS 1.3 in transit, a SQLCipher local database, keys in the OS secure store and RBAC access control. The server is hosted in Uzbekistan or on-premise.

Related articles

HAMA

What is End-to-End encryption?

 HAMA

What is TLS 1.3 and why it matters?

 HAMA

What is data sovereignty?

Ready to protect your organization's data?

The HAMA team will show you how to build defense in depth for your infrastructure. If you have questions, get in touch.

Contact us