Confidential conversations

ZafeMessenger is a self-hosted (on-prem or private cloud), licensee-controlled secure messaging and file-transfer platform.

Unlike consumer or vendor-operated services (Telegram, Signal, WhatsApp), your organization operates the servers, owns the keys, and defines the policies.

There is no dependency on third-party clouds and no vendor access path, not even for Zafehouze.

This architecture eliminates exposure to FISA-702 and similar extra-territorial surveillance because no control plane or data plane is operated by a U.S. entity and no service metadata is available outside your boundary.

Who has access to my conversation?

There are already dozens of data-privacy and data-protection regulations in place that govern how to treat sensitive data, especially any information relating to people or personally identifiable information. The European GDPR regulation, for example, defines the boundaries quite clearly.

We do not mean to defame any other platform. They provide a very valuable service and do it for free, and many people the world over benefit from their contribution. But as a professional user you shouldn’t use them to discuss or convey any personally identifiable information, primarily because you can’t guarantee where your data is transmitted or stored.

History, on the other hand, has also shown us that your data is not always kept confidential. Conversations have been leaked, and data has been compromised or used by the system owners (like “Big M” and the “G boys”). Despite their promises of keeping your data secure, your private conversations have still been compromised and mined, with the sole purpose of conveying “related” advertising to you.

The ZafeMessenger platform

ZafeMessenger uses the ZafePass IAM Security Policy Engine, so every user can be authenticated and verified with an extreme level of accuracy. Any user on the system can be verified based on where they are, what equipment they are using and when they are using it, so hacking into the ZafeMessenger platform is virtually impossible.

The ZafeMessenger servers are custom-built SSH servers that use all the same technology and techniques for keeping transmissions secret that SSH is known for, combined with a unique platform design that minimizes message traversal through the system, which would otherwise waste bandwidth. No matter how busy a channel becomes, it will not place a heavy load on all servers in the infrastructure.

The servers need virtually no ongoing maintenance. They have built-in system janitors that do most of the work, so the only thing admins need to do is keep an eye on database disk usage and load metrics to see if another server is needed.

ZafeMessenger is built to scale. It supports all known methods for load balancing and load sharing, as well as port translation, so you can run thousands of ZafeMessenger back-end servers on a single IP address.

The ZafeMessenger server is a native 64-bit application and runs as a Windows Service, but it is compatible with Wine, so it can also run on most Linux, BSD and macOS based servers, should you not feel comfortable running a Windows-based server facing the internet.

Business benefits (in plain English)

1) Protect core value (IP, negotiations, client data)

  • Stops the leakage channel most boardrooms worry about—consumer chat apps and personal clouds—by offering a frictionless, sanctioned alternative that’s actually safer and under your control.
  • Mitigates extra-territorial risk (FISA-702, CLOUD Act etc.): no vendor-operated infrastructure to subpoena.


2) Compliance & governance (without giving up privacy)

  • Maps cleanly to GDPR, NIS2, and sector frameworks: clear purpose limitation, data minimization (no default retention), controllership clarity.
  • Discovery & legal hold (if required): operate inside your legal boundary; if your policy requires journaling, you decide how and where to implement it—under your control.

3) Third-party collaboration, safely

  • Contractor/partner access in minutes via policy, not new VPNs. Set expiry and scope.

  • No address book scraping, no phone-number identities, no unintended “social graph” leakage.


4) Lower risk → lower cost

  • Fewer incidents, fewer investigations: cut the forensic cost of BYOD chat sprawl and shadow IT.

  • Cyber-insurance & audit posture improves: defensible controls, clear data-residency, and proof that sensitive communications don’t traverse third-party clouds.

Key Features & Security Benefits

  1. Bulletproof Security & Zero Attack Surface
  • Built on ZafePass Prevent & Protect – No exploitable vulnerabilities, fully hardened against breaches.
  • No Eavesdropping – Everything encrypted to highest security standards (E2EE).
  • No Data Leakage – All communication remains within a fully ‘licensee-controlled’ environment.
  • Black Communication Protocol – Minimal metadata exposure, eliminating interception risks.

  2. Advanced Access Controls & User Management
  • Single & Multi-Channel Support – Seamless messaging across private and public channels.
  • Strict Invitation-Only Access – Unauthorized users cannot join or intercept communications.
  • Granular Retention Policies – Choose any period between zero-retention mode (nothing stored) and infinite archiving.
  • Decentralized & User-Managed Interactions – Easily manage access and permissions at all levels.

  3. Seamless Integration & Compliance
  • Designed for Critical Infrastructure – Securely integrates with IT and OT environments.
  • Regulatory Compliance – Aligns with GDPR, NIS2, CIS18, and Zero Trust security models.
  • Scalable & Easy to Deploy – No complex setup required, minimal IT overhead.
  • No External Dependencies – Eliminates supply chain risks from third-party providers.

How ZafeMessenger differs from Telegram / Signal / WhatsApp and other cloud-based services

| Dimension | Consumer apps | ZafeMessenger |
|---|---|---|
| Hosting & control | Vendor-hosted; Terms of Service & jurisdiction controlled by provider | Self-hosted in your DC/private cloud; your jurisdiction, your controls |
| Key ownership | Keys generated/managed by app; server-side metadata persists | Customer-owned keys, no vendor escrow, no shared control; no server-side message retention by default |
| Identity model | Phone numbers; contact discovery leaks graph | Enterprise identities (AD/IdP), device fingerprint binding, ABAC/RBAC policies |
| Data sovereignty | Depends on vendor POPs & legal nexus | Sovereign by design: you choose country/region; no third-party POPs |
| Integration | Limited enterprise workflows | Deep enterprise integration (IdP, DLP*, SIEM*, ZafePass Comply-to-Connect); temporary 3rd-party access with policy |
| Attack surface | Internet-exposed vendor endpoints | Dark by default when combined with ZafePass micro-perimeters; no routable ports to the public internet |

The ZafeMessenger client

The ZafeMessenger client has a relatively clean user interface, looking a bit like the Windows File Explorer, where the communication channels are divided into three groups: direct, public and private channels, with each channel represented by the channel logo.

Opening a channel opens another free-floating window, so the user can have multiple channels open at the same time and arrange them on the desktop in a manner that makes sense to the user.

The channels also support sending binary files such as images or documents. A thumbnail of the attachment is shown in the channel and the attached file can be downloaded. For convenience, a list of the channel media archive can be used to find a specific attachment from a point in the past, which makes it a lot easier to find a specific file that was sent by “someone” “some time ago”.

What’s the big difference?

You control the data. You know where it is at all times, and you know what data is stored on which servers and where it’s backed up, so data that cannot be stored outside the country simply won’t be, and conversations you don’t want archived at all won’t be either. You know who has access to your data at all times.

Discretion is paramount

Let’s consider for a moment that you need to have a highly confidential conversation with a group of people within your company, about a new employee for example.

You can then create a channel, make it private and invisible, then invite the people you want to include in the conversation. You know that when you search the User Directory and find “Bernie Sanders”, it’s the real one, not someone who just happens to have the same name.

Also, you don’t need the phone number of a person to find them; everybody in the company will be in the User Directory with their real names.

No one in the company can see the channel you just created, not even those you have invited; for invisible channels, they are subscribed to the channel when you add them. This gives you a little more wiggle room when it comes to naming the channel, as no one who is unrelated can see it.

You can set this channel to “No retention”, so those who are in the channel when something is discussed will see it and anyone joining later won’t. That certainly makes it possible to have very confidential conversations.

The ZafePass client itself keeps only the open conversations, and only in memory. Nothing is written to disk, and thus nothing can be recovered should you lose your laptop.

Accountability

The polar opposite of this is the public channels, with longer retention times, such as months or forever, where everything written and every file shared in the channel is available for all members to see, including new members. This makes for a highly accountable situation, where there can be no doubt about who wrote what, when, and who sent a file.

Guest access

ZafeMessenger also supports “Guest” access, so a person who is not part of the organization can be defined as a less privileged user.

A guest can’t access the channel lists and therefore can’t manage their own subscriptions, so guests can’t access the “public” channels. When it comes to private channels, guests are automatically subscribed to private channels when they are assigned membership.

Guests can’t access the User Directory either, so a guest can’t initiate a direct correspondence with anyone, but they can answer if a regular user initiates a direct conversation.

This functionality can be very handy for an insurance company or a bank, for example: the account manager can communicate directly with the customer and also invite other employees to join the correspondence, but the customer can’t access the general messaging groups available to the employees.

Compatibility

The ZafeMessenger client is Wine compatible. Even though it’s a native Windows application, it doesn’t rely on .NET or any other third-party libraries, so it can be run directly on Linux or macOS as well (using Wine).