Encryption
At rest
niil encrypts your sensitive data at rest with AES-256-GCM:
- Chat content — messages, conversation titles and uploaded documents.
- Connector credentials — the tokens/keys for external services you connect are encrypted with a separate key.
- Knowledge base documents — encrypted under a per-base key. Whether stored in the database or in your operator's optional EU object storage, only ciphertext is written — so crypto-shred applies there too.
Encryption is always on; it isn't a setting you can forget to enable.
Per-conversation keys → true erasure
Each conversation is encrypted under its own content key, which is itself stored encrypted under the organization's master key. This design gives you crypto-shredding: deleting a conversation drops its key, making the stored ciphertext permanently unrecoverable — a genuine erasure, not just a hidden row. This is what powers GDPR erasure (see Data protection & GDPR).
In transit
All traffic runs over TLS (HTTPS), terminated at the ingress. Session cookies are HTTP-only and marked Secure behind HTTPS, so they're never exposed to scripts or sent over plain HTTP.
Key management
- The at-rest keys are 32-byte keys supplied to the deployment as secrets (kept in your secrets manager, not in the database).
- The chat-content key and the connector-credential key are distinct.
- Because encryption is real, key custody matters: losing a key crypto-shreds the data it protects. Operators are guided to back up key material separately from the data it encrypts.
The result: even someone with raw access to niil's storage sees only ciphertext, not your conversations, documents or credentials.