Semafore Docs
Back to semafore.io

Compliance & Trust

Whitepaper

Semafore Security and Compliance Overview

Architecture and Encryption

Semafore uses end-to-end encryption (Signal Protocol: X3DH key exchange + Double Ratchet algorithm) to ensure that message content is encrypted on the sender’s device before transmission to the server. The server holds ciphertext only and has no access to plaintext messages or decryption keys.

Data Minimisation

Semafore is designed with data minimisation in mind. The platform collects only:

  • Phone numbers (for user registration and invitation)
  • Device identifiers (for device trust and approval workflow)

Semafore does not collect:

  • Message content or metadata (beyond broadcast recipient count)
  • Location data
  • Contact lists or address books
  • Browsing history
  • Biometric data
  • Profiling or behavioural analytics data

Compliance Under UK GDPR

Data Controller Attomus Limited (company number 06517654, registered in England and Wales) is the data controller under UK GDPR Article 4(7).

Legal Bases for Processing Attomus processes personal data under the following legal bases:

  1. Contract Performance (Article 6(1)(b)): Processing of phone numbers and device identifiers is necessary to provide the messaging service.
  2. Legitimate Interests (Article 6(1)(f)): Processing of server operational logs (IP addresses, request timestamps) is necessary for security, DDoS protection, and infrastructure maintenance.

Data Subject Rights Individuals have the right to request access, rectification, erasure, restriction, portability, or objection. Requests should be sent to hello@attomus.com with the subject line “Data Rights — Semafore”. Attomus will respond within 30 days.

Data Retention

  • Audit log: 12 months (configurable shorter per organisation)
  • Server operational logs: 30 days
  • Message queue: 7 days (undelivered messages only)

Data Residency

All Semafore server infrastructure — MongoDB, PostgreSQL, and Redis — runs on Attomus-owned hardware in the United Kingdom. Data does not leave UK jurisdiction in the course of normal platform operation. Attomus does not use third-party hyperscale cloud providers for data storage or processing. The entire server estate sits behind Attomus’s own network boundary and firewall, under direct Attomus operational control.

Third-Party Processors

The following services act as data processors under UK GDPR Article 28 and operate under Data Processing Agreements (DPAs):

ServicePurposeData Processed
Apple APNsiOS push notificationsDevice token, notification signal (no content)
Google Firebase Cloud MessagingAndroid push notificationsDevice token, notification signal (no content)
CloudflareHosting, edge routing, DDoS protectionRequest metadata (IP, timestamp, status code)

No Data Sharing for Commercial Purposes Semafore does not sell, rent, or share personal data with third parties for commercial, marketing, or analytical purposes.

Incident Response and Breach Notification

In the event of a security incident or suspected data breach, Attomus will:

  1. Assess the scope and impact of the incident.
  2. Notify affected organisations without undue delay and, where required, within the timeframe specified by UK GDPR Article 33.
  3. Cooperate with regulatory authorities and provide evidence of the breach and remedial actions.

Contact: hello@attomus.com

Request a Formal Whitepaper

This page provides a summary of Semafore’s security and compliance posture. For detailed technical documentation, threat modelling, or formal security certification requirements, a comprehensive PDF whitepaper is available on request.

A formal security and compliance whitepaper is available as a PDF on request. Contact hello@attomus.com.