Security Overview

Security in Mattermost software is continually reviewed by developers, IT administrators and security researchers accountable for deploying the software in their organizations.

Multiple rounds of penetration testing and security analysis, in addition to internal reviews, have produced a long list of safeguards, processes, policies, and compliance features, please see:

To expand on each:

Security Features

Mattermost offers a host of features to help keep your private cloud communications secure.

Private Cloud Deployment with Secure Mobile Apps

Centralized Security and Administration

Transmission Security

  • Mattermost supports TLS encryption using AES-256 with 2048-bit RSA on all data transmissions between Mattermost client applications and the Mattermost server across both LAN and internet.
  • Connections to Active Directory/LDAP can be optionally secured with TLS or stunnel (E10).
  • Encryption-at-rest is available for messages via hardware and software disk encryption solutions applied to the Mattermost database, which resides on its own server within your infrastructure. To enable end user search and compliance reporting of message histories, Mattermost does not offer encryption within the database.
  • Encryption-at-rest is available for files stored via hardware and software disk encryption solutions applied to the server used for local storage or storage via Minio.
  • Encryption-at-rest is available for files stored in Amazon’s proprietary S3 system using server-side encryption with Amazon S3-managed keys (E20) when users choose not to use open source options.
  • Option to exclude message contents from push notifications to comply with strict compliance policies, such as US HIPAA standards.
  • Ability to exclude or include the contents of messages in push notifications to avoid disclosure on locked mobile screens, and via relay servers from Apple and Google when sending notifications to iOS or Android mobile apps (relevant to compliance standards such as HIPAA)

Integrity & Audit Controls

  • By default, Mattermost stores a complete history of messages, including edits and deletes, along with all files uploaded. User interface actions for “deleting” messages and channels remove the data only from the user interface; the data is retained within your database. If your compliance guidelines require it, you can turn off users’ ability to edit and delete their messages after they are posted.
  • Custom data retention policies on messages and file uploads is available (E20). A daily data deletion job can be scheduled that deletes messages from the database and user interface, and file uploads from local file storage or Amazon S3, which exceed the specified retention period.
  • The output and archives of server logs can be saved to a directory of your choice. Mattermost server logs plus logs from your web proxy can provide an end-to-end history of system usage.
  • Ad hoc compliance reports of messaging by user, date range, and keyword, including edited and deleted messages are available (E20). To protect against unauthorized use, all ad hoc report requests are logged.
  • Daily compliance reports compatible with 3rd party compliance solutions such as Global Relay are also available (E20).

Authentication Safeguards

Access Control Policy

Security Updates

Security updates address newly discovered attacks reported to Mattermost, Inc. by the security research community. Disclosures are made confidentially, under the Mattermost responsible disclosure policy, allowing for Mattermost, Inc. to provide security updates to the community prior to public disclosure.

For more information, please see:

Security Policies

For information on internal security policies, development guidelines, business continuity plans and common security-related questions from enterprises, please see our Security Policies documentation.

HIPAA compliance

Deploying Mattermost as part of a HIPAA-compliant IT infrastructure requires a deployment team trained on HIPAA-compliance requirements and standards.

  • Mattermost offers HIPAA-relevant Technincal Safeguards including:

  • HIPAA-compliant deployments commonly consider the following:

    • Omitting the contents of messages from mobile push and email notifications:

      • If your Push Notifications Contents option is set to Send full message snippet there is a chance Personal Health Information (PHI) contained in messages could be displayed on a user’s locked phone as a notification. To avoid this, set the option to Send generic description with user and channel names or Send generic description with only sender name.
      • Similarly, setting Email Notifications Contents to Send generic description with only sender name will only send the team name and name of the person who sent the message, with no information about channel name or message contents included in email notifications.
  • Beyond Technical Safeguards, HIPAA compliance deployments also require:

    • Administrative Safeguards
    • Physical Safeguards
    • Organizational requirements and other standards.

To learn more, please review HIPAA requirements from the US Department of Health and Human Services.