Every aspect of TalkJS has been designed with security and privacy in mind. We foster a security-conscious engineering culture to ensure that we're always ahead of the curve with this. For example, all communication with TalkJS is forced to go over encrypted channels (HTTPS) — TalkJS simply refuses to work without encryption.

We strongly recommend customers use Identity Verification to ensure that malicious users cannot peek into other users' accounts. We protect our application servers and our database using industry-standard techniques including firewalls, stringent access controls and sane employee policies.

TalkJS only collects the minimum amount of user data that is necessary to function, and we consider the data to be yours, not ours. Read more about this on our page about the EU General Data Protection Regulation (GDPR) and our list of user data subprocessors.

Our security-first culture

We cultivate a team culture that is highly focused on security. All employees treat customer data as a liability, not an asset. The data is yours; we store it for you as a service.

For example, we carefully designed all APIs so that TalkJS never collects more than the absolute minimum of user data necessary to function: you only need to send us email addresses if you want TalkJS to send email notifications.

Here's a selection of steps that we take to ensure that TalkJS is built and operated at the highest levels of security and user privacy:

  • All data is encrypted at-rest and in-transit
    (note: we contractually guarantee perpetual at-rest encryption in our Enterprise Plan)
  • No tracking or analytics software is in place
  • We regularly audit our security installation and our security-related policies
  • Only key employees get production server access, and go through an extensive vetting process first. Employee contracts enforce confidentiality with respect to this access.
  • We reduce the vulnerability surface area by outsourcing

User data privacy

TalkJS respects user privacy and does not needlessly track user behavior in any way. TalkJS stores the following data on the user's device:

  • Unsent message drafts are stored in the browser's LocalStorage. This way, users do not lose messages that they were in the middle of composing if somehow the tab closes or the page reloads. These drafts are never sent to TalkJS infrastructure until the user sends the message.
  • If you use the Popup's "keepOpen" feature, a cookie is stored to determine whether to reopen the popup after the user navigates.

This stored data is purely functional, and not used for tracking user behavior, analytics, or marketing. This means that TalkJS can be used without asking for "cookie consent" as defined by GDPR and comparable legislation.

Installing TalkJS on-premise

The TalkJS Enterprise Plan permits installing TalkJS on your own servers. If you do this, the security effort is shared between TalkJS and the customer. TalkJS, of course, needs to ensure that the software itself is not vulnerable. At the same time, the customer is responsible for keeping the application server that TalkJS runs on securely configured, with no backdoors.

Similarly, TalkJS stores its data in a customer-managed PostgreSQL database, which will need to be secured and properly configured by the customer. We'll be glad to help with this, of course, but in general, in an on-premise deployment, TalkJS will be as secure as your infrastructure is.
