Anthill
Your company's chat —
unreadable, even to the server.
The moment you adopt a work messenger, your company's secrets start piling up on someone else's server. Anthill is designed the other way around — encryption and decryption happen only on employees' devices, and the server merely passes along ciphertext it cannot read itself. And even that server gets installed on your own infrastructure.
A purpose-built engine written from scratch in Rust · IETF-standard MLS (RFC 9420) group encryption
envelope #4821 → 9f 3a e4 07 1c b8 52 d6 40 8e f1 2b 77 c9 05 aa 63 18 … (1,208 bytes)
envelope #4822 → 5d c2 08 91 fe 34 6b a7 e0 19 4f 88 d3 2c b5 71 0a 96 … (312 bytes)
Fictional example data. Not just the message bodies — the thread structure, who was mentioned, and what's pinned all live inside the ciphertext, invisible to the server.
Trading your secrets for convenience?
In a typical work messenger, your company's conversations are processed and stored on the vendor's servers. Convenient — but structurally, it means this.
- Product plans, HR conversations, contract terms — your company's most sensitive discussions accumulate on someone else's server.
- If the vendor's server is breached, your entire conversation history is in the blast radius — even though your company did nothing wrong.
- Policy changes, price hikes, shutdowns — someone else decides the fate of your company's communication.
Features
When security makes things inconvenient, people drift back to other apps. So everything a work messenger needs lives inside the ciphertext.
1:1 · groups · announcements
From private conversations to department groups and large company-wide broadcast channels. Keys rotate automatically as members come and go.
Threads · mentions · pins
Thread replies, @mentions, pinned messages — the entire collaboration structure lives inside the ciphertext, so the server can't even see the shape of a conversation.
Encrypted attachments
Documents, images, and video are encrypted on-device before upload. Edits, deletion, emoji reactions, and read receipts included, of course.
Voice & video call signaling
Call setup signals travel end-to-end encrypted, designed to plug straight into your company's WebRTC media infrastructure.
Web · iOS · Android
A single Rust crypto engine drives both the browser (WebAssembly) and the mobile apps (Swift/Kotlin). Behavior never diverges.
Multi-device
Register a new device securely with a single QR scan. Move between desktop and phone on the same account without losing the thread.
Account takeover defense
Phone-number OTP sign-up hardened with registration lock (SIM-swap defense), plus encrypted account backups restored only with your personal recovery key.
Key transparency
Every public-key change lands in a verifiable public log (RFC 6962) — if the server swaps a key behind your back, it gets detected.
Verifiable reporting
Even a server that can't read conversations can cryptographically verify reported messages (message franking). Harassment can't hide behind anonymity.
Security design
We don't say "trust us." We show you — with standards, structure, and verification.
- Standard cryptography (RFC 9420)
  Built on openmls, a vetted implementation of the IETF-standard MLS (Messaging Layer Security) group encryption protocol. Never rolling our own crypto is a house rule.
- A structurally blind server
  The relay server is a separate codebase that contains no decryption module at all. Not "we don't look" — "we can't look," proven by the code structure itself.
- Key transparency (RFC 6962)
  A public log — the same mechanism as Certificate Transparency — records every key change. Monitoring tools cross-check signed checkpoints to catch a lying server (key substitution, split views).
- Verification & audits
  245 automated tests and repeated adversarial security reviews; every finding was fixed and locked in with regression tests. Before production rollout, we recommend — and help arrange — an independent third-party cryptographic audit as part of onboarding.
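The checkpoint cross-check described under "Key transparency", sketched as an added example (this is not Anthill's code). It computes the RFC 6962 Merkle Tree Hash and compares checkpoints gathered from different devices against the monitor's own copy of the log. The `user|key` entry format, the `(observer, tree_size, root)` checkpoint tuple and all function names are assumptions, and checkpoint signatures are assumed to have been verified already.

```python
import hashlib

def leaf_hash(entry: bytes) -> bytes:
    return hashlib.sha256(b"\x00" + entry).digest()          # RFC 6962 leaf prefix

def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()   # interior-node prefix

def merkle_root(entries: list) -> bytes:
    """Merkle Tree Hash as defined in RFC 6962 section 2.1."""
    n = len(entries)
    if n == 0:
        return hashlib.sha256(b"").digest()
    if n == 1:
        return leaf_hash(entries[0])
    k = 1
    while k * 2 < n:              # largest power of two strictly below n
        k *= 2
    return node_hash(merkle_root(entries[:k]), merkle_root(entries[k:]))

def audit_checkpoints(entries, checkpoints):
    """Flag checkpoints that contradict each other or the monitor's log copy."""
    findings, seen = [], {}
    for observer, size, root in checkpoints:
        if size in seen and seen[size][1] != root:   # same size, different root
            findings.append(("split-view", seen[size][0], observer, size))
        seen.setdefault(size, (observer, root))
        if size > len(entries) or merkle_root(entries[:size]) != root:
            findings.append(("root-mismatch", observer, size))
    return findings

def unexpected_keys(entries, user, my_keys):
    """Owner-side check: log entries for `user` that none of their devices published."""
    hits = []
    for index, entry in enumerate(entries):
        name, _, key = entry.partition(b"|")
        if name == user and key not in my_keys:
            hits.append((index, key))
    return hits

# Constructed sample data (hypothetical entry format: b"user|key").
LOG = [b"alice|key-a1", b"bob|key-b1", b"carol|key-c1", b"alice|key-a2"]
FORKED = LOG[:3] + [b"alice|key-x9"]          # a second view with a substituted key
CHECKPOINTS = [
    ("alice-phone", 3, merkle_root(LOG[:3])),
    ("alice-phone", 4, merkle_root(LOG)),
    ("bob-laptop", 4, merkle_root(FORKED)),   # same tree size, different root
]
```

A production monitor would verify RFC 6962 consistency proofs between checkpoints rather than re-hashing the whole log; recomputing the root keeps the comparison visible here.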
"Don't rent your messenger. Own it."
Anthill isn't a SaaS subscription — it's a messenger that becomes your company's asset. The server, the data, the keys: all yours.
Onboarding
Every organization has different security requirements and infrastructure — so we don't hand you a box. We define the requirements together and build it into your company's infrastructure.
- Security consultation
  We review your organization's size, on-premises vs. cloud posture, and authentication policy (SMS gateway, etc.), and scope the deployment together.
- Deployment & verification
  We install the server on your infrastructure and configure the web and mobile clients for your organization. If you wish, the third-party crypto audit happens at this stage.
- Handover
  We hand over operations with backup and monitoring in place. Feature improvements and security updates continue from there.
Get in touch
Scope and cost depend on your organization's size and infrastructure. Start by telling us what worries you about the messenger you use today — the person who built it reads and replies.