Zulip security

We take the trust our users put in Zulip extremely seriously. Our security model is designed to be:

  • Secure by default: Your data is protected out of the box.
  • Well-documented and easy to understand, so that you’re never caught by surprise.
  • Flexible, so that you can configure Zulip according to your organization’s needs.

This page will walk you through Zulip's security tools and practices:


Zulip serves your compliance needs


Data is encrypted for your protection

Secure data transmission

All Zulip clients require TLS encryption and authentication over HTTPS for data transmission to and from the server, both on LAN and the Internet.

End-to-end encryption for push notification content

You can require end-to-end encryption for message content in mobile push notifications. If you do, content will be omitted when sending notifications to an app that doesn't support end-to-end encryption.

Secure integrations

Integrations use TLS encryption and authentication over HTTPS for data transmission. Administrators can browse, manage, and deactivate integrations.


Self-hosting: We give you the tools to protect your data

Support for encryption in transit and at rest

Encrypt your database, uploads, and backups at rest on infrastructure you control. All connections between parts of the Zulip system are secured out of the box with encryption, a protected network such as a local socket, or both. All of the inter-service connections are also authenticated, to provide a defensive-by-default security posture and prevent SSRF attacks.

Firewalled and air-gapped deployments

Zulip can be hosted entirely behind your firewall, or on an air-gapped network.

Custom security policies


Zulip Cloud: We keep your organization secure

  • All customer data is encrypted in transit and at rest.
  • Strong passwords are required with the zxcvbn password strength checker.
  • Users can rotate their account credentials.
  • To protect your privacy, error handling systems exclude user message content from reports.
  • Data and server access is limited to a very small number of staff.

Robust 100% open-source system

Your security team and independent security researchers have access to Zulip’s entire codebase, and can thus fully audit the system for security issues. We are proud of our industry-leading efforts to prevent security issues from being introduced in Zulip.

Development process

  • Comprehensive automated testing: The Zulip server has a remarkably complete automated test suite, including complete test coverage in security-sensitive code paths.
  • Stable, carefully audited APIs: All clients share a common, highly stable API. API changes are carefully reviewed for security and necessity, and documented in a readable API changelog.
  • Disciplined code review: Zulip is known for its unusually disciplined code review process, ensuring that all changes are carefully verified by our maintainer team.

System design

  • Static typing: The Zulip server pioneered statically typed Python. Extensive use of both standard and custom linters helps prevent several classes of common security bugs.
  • Access control: Access to user data (messages, channels, uploaded files, etc.) in the Zulip server is mediated through carefully audited core libraries that consistently validate access controls.
  • Minimizing supply chain risk: Dependencies are evaluated for quality, maintainability, and necessity before being integrated into the system.

Highly configurable access controls

Identity management your way

Configure data access and messaging policies

Custom permissions with comprehensive audit log

  • Role-based access control
  • Control access by roles, custom groups, and user accounts
  • Grant permissions to roles, custom groups, and individual users
  • Control who can create channels, subscribe and unsubscribe users, add custom emoji and integrations, and more
  • Permissions for editing, deleting and moving messages, and an audit history of these actions
  • Permanent long-term audit log of important actions (e.g., changes to passwords, email addresses, and channel subscriptions)

Tightly controlled guest accounts for vendors, partners, and customers

Guest users cannot see any channels, unless they have been specifically subscribed, and can never invite new users. You can limit guests’ ability to see other users, and warn users when they are DMing a guest to prevent accidental disclosures.


Responsible disclosure program

  • We operate a private HackerOne vulnerability disclosure program, and credit reporters for issues that were not discovered internally. See the Zulip security reporting policy.
  • We publish security releases for all security vulnerabilities, and publicly disclose them on our blog with CVE numbers for tracking.
  • Zulip Server security and maintenance releases are carefully engineered to minimize the inherent risks of upgrading software, so there is never a reason to run an insecure version. Announcements of serious vulnerabilities include applicable mitigation guidance.
  • We responsibly report vulnerabilities we discover in our upstream dependencies.

Learn more

For more information, check out our guide on securing your Zulip server.