Security at TalkJS

TalkJS has been designed with security and privacy in mind. Here are the key steps we take to ensure the highest levels of security and user privacy, and information on how to reach us if you find a vulnerability.

How we protect your data

  • Encrypt all data at rest and in transit. All communication with TalkJS uses encrypted channels (HTTPS); TalkJS simply refuses to work without encryption. The Enterprise Plan contractually guarantees perpetual at-rest encryption.
  • Protect application servers and databases, including with firewalls and stringent access controls.
  • Offer industry-standard authentication.
  • Run no tracking or analytics software.
  • Enforce strict employee access policies. Only key employees get production server access, and only after an extensive vetting process. Employee contracts enforce strict confidentiality.
  • Regularly audit our security installation and security-related policies.
  • Reduce our attack surface by outsourcing.

Minimal data collection

TalkJS only collects the minimum amount of user data needed for your chat to function. For example, you only need to send us a user email address if your user opts in to getting email notifications. Otherwise you can just leave the email field empty.

User data is yours. TalkJS only stores and processes data as a service, namely to deliver your chat.

You have access to your chat and user data at all times, using the REST API. In addition, if you'd like to export your data, you can use an export script that downloads all your data and saves it as a JSON file.

No needless tracking

TalkJS respects user privacy and doesn't needlessly track user behavior. To offer a functional chat, TalkJS only stores the following data on the user's device:

  • Unsent message drafts are stored in the browser's localStorage. This way, users don't lose the messages that they're writing, in case their tab somehow closes or the page reloads. Data is only ever sent to the TalkJS infrastructure once a user actually sends their message.
  • If you use the Popup UI's keepOpen feature, a cookie that records whether to reopen the popup after the user navigates away.

Any data stored on the user's device is purely for functional purposes, and isn't used for tracking user behavior, analytics, or marketing. This means that TalkJS can be used without asking for 'cookie consent' as defined by the EU's General Data Protection Regulation (GDPR) or similar legislation.

Data storage and hosting

All message and conversation data are stored on the TalkJS servers.

Our servers are fully located within the European Union. In time, TalkJS will also expand its server locations to other geographies to offer even faster load times. That said, messages sent between two people inside the same region always stay on servers within that jurisdiction.

You can read more about how TalkJS handles your data in our privacy policy and the list of data subprocessors.

Install TalkJS on-premise

For complete control over your chat messaging data, you can also install TalkJS on-premise or on a private cloud. In that case, the security effort is shared between you and TalkJS.

As your chat provider, TalkJS ensures that the software itself meets the latest security standards. At the same time, you are responsible for configuring the application server that TalkJS runs on and for managing the PostgreSQL database in which TalkJS stores the chat data. We're happy to offer you full support with installing TalkJS on-premise.

An on-premise or private cloud install is available on the Enterprise plan.

Vulnerability disclosure

If you have found a vulnerability or have a security concern, please contact security@talkjs.com. You can encrypt sensitive information using our PGP key.

Please include a proof of concept, a list of tools used (including versions), and their output. We take all disclosures seriously. Once received, we verify each vulnerability and take the necessary steps to fix it. We'll keep you informed as the issue progresses.

TalkJS does not currently have a bug bounty program. Therefore, monetary rewards for submissions are not guaranteed.