End-to-end encrypted messenger for organizations · self-hosted

Anthill
Your company's chat —
unreadable, even to the server.

The moment you adopt a work messenger, your company's secrets start piling up on someone else's server. Anthill is designed the other way around — encryption and decryption happen only on employees' devices, and the server merely passes along ciphertext it cannot read itself. And even that server gets installed on your own infrastructure.

A purpose-built engine written from scratch in Rust · IETF-standard MLS (RFC 9420) group encryption

Trading your secrets for convenience?

In a typical work messenger, your company's conversations are processed and stored on the vendor's servers. Convenient — but structurally, it means this.

Anthill's server holds no keys. Encryption keys exist only on employees' devices; the server relays ciphertext and stores it briefly — the relay codebase doesn't even contain a decryption module. And that server runs on infrastructure your company owns.

Features

When security makes things inconvenient, people drift back to other apps. So everything a work messenger needs lives inside the ciphertext.

1:1 · groups · announcements

From private conversations to department groups and large company-wide broadcast channels. Keys rotate automatically as members come and go.

Threads · mentions · pins

Thread replies, @mentions, pinned messages — the entire collaboration structure lives inside the ciphertext, so the server can't even see the shape of a conversation.

Encrypted attachments

Documents, images, and video are encrypted on-device before upload. Edits, deletion, emoji reactions, and read receipts included, of course.

Voice & video call signaling

Call setup signals travel end-to-end encrypted, designed to plug straight into your company's WebRTC media infrastructure.

Web · iOS · Android

A single Rust crypto engine drives both the browser (WebAssembly) and the mobile apps (Swift/Kotlin). Behavior never diverges.

Multi-device

Register a new device securely with a single QR scan. Move between desktop and phone on the same account without losing the thread.

Account takeover defense

Phone-number OTP sign-up hardened with registration lock (SIM-swap defense), plus encrypted account backups restored only with your personal recovery key.

Key transparency

Every public-key change lands in a verifiable public log (RFC 6962) — if the server swaps a key behind your back, it gets detected.

Verifiable reporting

Even a server that can't read conversations can cryptographically verify reported messages (message franking). Harassment can't hide behind anonymity.

Security design

We don't say "trust us." We show you — with standards, structure, and verification.

"Don't rent your messenger. Own it."

Anthill isn't a SaaS subscription — it's a messenger that becomes your company's asset. The server, the data, the keys: all yours.

RFC 9420IETF-standard MLS group encryption
0messages the server can read
245automated tests, all passing
Rustentirely built in a memory-safe language

Onboarding

Every organization has different security requirements and infrastructure — so we don't hand you a box. We define the requirements together and build it into your company's infrastructure.

  1. Security consultation

    We review your organization's size, on-premises vs. cloud posture, and authentication policy (SMS gateway, etc.), and scope the deployment together.

  2. Deployment & verification

    We install the server on your infrastructure and configure the web and mobile clients for your organization. If you wish, the third-party crypto audit happens at this stage.

  3. Handover

    We hand over operations with backup and monitoring in place. Feature improvements and security updates continue from there.

Get in touch

Scope and cost depend on your organization's size and infrastructure. Start by telling us what worries you about the messenger you use today — the person who built it reads and replies.