Last updated: 29 May 2026

SemaFore security and compliance overview

Architecture and encryption

SemaFore uses end-to-end encryption based on the Signal Protocol: X3DH for session establishment and Double Ratchet for forward secrecy. Message content is encrypted on the sender’s device before transmission. The server stores ciphertext only and cannot read message content.

Data minimisation

SemaFore is designed to minimise plaintext data held by the service. The platform processes:

  • phone numbers
  • display names
  • organisation and membership records
  • device identifiers and push tokens
  • audit metadata needed to operate the service
  • billing data for paid organisations through the payment processor

SemaFore does not process message content in plaintext on Attomus-operated systems.

Privacy posture

Personal data stays inside the Attomus boundary except for narrow technical exceptions:

  • Apple APNs and Google Firebase Cloud Messaging for push delivery
  • Twilio for SMS OTP delivery
  • Stripe for billing on paid plans
  • Cloudflare for edge protection and encrypted object storage

SemaFore does not use third-party advertising, behavioural tracking, or data-broker services. SemaFore does not currently send transactional emails.

Hosting and residency

Attomus operates the core SemaFore server infrastructure from Coventry, United Kingdom. Account data, organisation data, audit events, and encrypted message ciphertext remain under Attomus control in the UK.

Attomus Limited is the data controller for SemaFore under UK GDPR. Individuals can contact hello@attomus.com to exercise access, rectification, erasure, restriction, portability, or objection rights.

Request a formal whitepaper

This page is a summary of SemaFore’s current security and compliance posture. For deeper technical review or due-diligence material, contact hello@attomus.com.