Security Overview

Security in Mattermost software is continually reviewed by developers, IT administrators and security researchers accountable for deploying the software in their organizations.

Multiple rounds of penetration testing and security analysis, in addition to internal reviews, have produced a long list of safeguards, processes, policies, and compliance features, please see:

To expand on each:

Security Features

Mattermost offers a host of features to help keep your private cloud communications secure.

Private Cloud Deployment with Secure Mobile Apps

Centralized Security and Administration

Transmission Security

  • Mattermost supports TLS encryption using AES-256 with 2048-bit RSA on all data transmissions between Mattermost client applications and the Mattermost server across both LAN and internet.
  • Connections to Active Directory/LDAP can be optionally secured with TLS or stunnel (E10).
  • Encryption-at-rest is available for messages via hardware and software disk encryption solutions applied to the Mattermost database, which resides on its own server within your infrastructure. To enable end user search and compliance reporting of message histories, Mattermost does not offer encryption within the database.
  • Encryption-at-rest is available for files stored via hardware and software disk encryption solutions applied to the server used for local storage or storage via Minio.
  • Encryption-at-rest is available for files stored in Amazon’s proprietary S3 system using server-side encryption with Amazon S3-managed keys (E20) when users choose not to use open source options.
  • Option to exclude message contents from push notifications to comply with strict compliance policies, such as US HIPAA standards.
  • Ability to exclude or include the contents of messages in push notifications to avoid disclosure on locked mobile screens, and via relay servers from Apple and Google when sending notifications to iOS or Android mobile apps (relevant to compliance standards such as HIPAA)

Integrity and Audit Controls

  • By default, Mattermost stores a complete history of messages, including edits and deletes, along with all files uploaded. User interface actions for “deleting” messages and channels remove the data only from the user interface; the data is retained within your database. If your compliance guidelines require it, you can turn off users’ ability to edit and delete their messages after they are posted.
  • Use an antivirus plugin to scan for viruses before uploading a file to Mattermost. Supports ClamAV anti-virus software across browser, Desktop App and Mobile Apps.
  • Custom data retention policies on messages and file uploads is available (E20). A daily data deletion job can be scheduled that deletes messages from the database and user interface, and file uploads from local file storage or Amazon S3, which exceed the specified retention period.
  • The output and archives of server logs can be saved to a directory of your choice. Mattermost server logs plus logs from your web proxy can provide an end-to-end history of system usage.
  • Ad hoc compliance reports of messaging by user, date range, and keyword, including edited and deleted messages are available (E20). To protect against unauthorized use, all ad hoc report requests are logged.
  • Daily compliance reports compatible with 3rd party compliance solutions such as Global Relay and Actiance are also available (E20).

Authentication Safeguards

Access Control Policy

Security Updates

Security updates address newly discovered attacks reported to Mattermost, Inc. by the security research community. Disclosures are made confidentially, under the Mattermost responsible disclosure policy, allowing for Mattermost, Inc. to provide security updates to the community prior to public disclosure.

For more information, please see:

Security Policies

For information on internal security policies, development guidelines, business continuity plans and common security-related questions from enterprises, please see our Security Policies documentation.

Moreover, Mattermost performs a penetration test on the software no less than once per twelve (12) month period. Customer may request a copy of any penetration test results upon five (5) day written notice at any time, but no more than once per twelve (12) month period.

HIPAA compliance

Deploying Mattermost as part of a HIPAA-compliant IT infrastructure requires a deployment team trained on HIPAA-compliance requirements and standards.

  • Mattermost offers HIPAA-relevant Technical Safeguards including:

  • HIPAA-compliant deployments commonly consider the following:

    • Omitting the contents of messages from mobile push and email notifications:

      • If your Push Notifications Contents option is set to Send full message snippet there is a chance Personal Health Information (PHI) contained in messages could be displayed on a user’s locked phone as a notification. To avoid this, set the option to Send generic description with user and channel names or Send generic description with only sender name.
      • Similarly, setting Email Notifications Contents to Send generic description with only sender name will only send the team name and name of the person who sent the message, with no information about channel name or message contents included in email notifications.
  • Beyond Technical Safeguards, HIPAA compliance deployments also require:

    • Administrative Safeguards
    • Physical Safeguards
    • Organizational requirements and other standards.

To learn more, please review HIPAA requirements from the US Department of Health and Human Services.

FINRA compliance

Mattermost Enterprise Edition E20 is designed to meet the cybersecurity requirements of the United States Financial Industry Regulatory Authority (FINRA) as part of a customer’s existing operational systems, including technology governance, system change management, risk assessments, technical controls, incident response, vendor management, data loss prevention, and staff training.

FINRA reviews a firm’s ability to protect the confidentiality, integrity and availability of sensitive customer information. This includes reviewing each firm’s compliance with SEC regulations, including:

Mattermost supports FINRA compliance as part of a customer’s integrated operations in the following ways:

  • Continous archiving - Configuration as a non-rewriteable, non-erasable system of record for all messages and files entered into the system. Moreover, automated compliance exports and integration support for Smarsh/Actiance and Global Relay provide 3rd party eDiscovery options.
  • Secure deployment - Deployment within private, public and on-premesis networks with existing FINRA-compliant safeguards and infrastructure to protect customer information from cyber attack.
  • Support for intrusion detection - Ability to support multi-layered intrusion detection from authentication systems to application servers to database access, including configuration of proxy, application and database logging to deeply audit system interactions.
  • Multi-layered disaster recovery - High availability configuration, automated data back up and enterprise information archiving integration to prevent data loss and recover from disaster.