🔐 Encryption
Learn how we protect your data with encryption at rest and in transit.
How we protect your data with encryption
When you trust tchop with your data, you expect it to stay private. Encryption makes sure that even if someone gains access to a storage device or intercepts a network connection, the data itself remains unreadable without the right keys.
As part of our ISO 27001 certified information security management system (ISMS), encryption is one of the core controls we apply across all layers of the platform.
Encryption at rest
All data stored on tchop servers is encrypted at rest. This applies to:
Databases – full database encryption on both AWS and Hetzner hosting environments.
Object storage – all files and media stored in S3 buckets are encrypted using server-side encryption (SSE).
Block storage – Elastic Block Store (EBS) volumes on AWS are encrypted to protect data on disk.
Mobile app storage – data stored locally on iOS and Android devices is encrypted at the app level, independent of the operating system's built-in encryption.
We use AES-256-GCM (Galois/Counter Mode) encryption on AWS, handled via AWS Key Management Service (KMS). GCM is an authenticated mode, so it provides both confidentiality and data integrity verification: ciphertext that has been modified fails to decrypt instead of silently yielding corrupted data. AES-256 is the industry standard for protecting sensitive data at rest.
Encryption in transit
All data moving between your users, the tchop apps, and our servers is encrypted in transit using TLS (Transport Layer Security).
HTTPS everywhere – all API calls, web app traffic, and dashboard access are served over HTTPS with valid SSL certificates.
Custom domains – when you set up a custom domain for your web app, we provision and manage SSL certificates automatically via Let's Encrypt.
Mobile app communication – all traffic between native iOS and Android apps and the backend is encrypted via TLS.
Push notifications – notification delivery uses the encrypted channels provided by Apple (APNs) and Google (FCM).
We actively monitor and renew SSL certificates across all client deployments to prevent any gaps in coverage.
Hosting and key management
tchop operates on a 100% cloud-based infrastructure with servers managed by AWS or Hetzner (clients can choose). For international clients our default option is AWS.
Encryption keys are managed by the hosting provider's key management services (AWS KMS or Hetzner equivalent), which means:
Keys are stored separately from the encrypted data.
Access to keys is restricted and audited.
Key rotation follows the provider's security policies.
For organisations with strict data residency requirements, we offer EU-sovereign hosting on Hetzner, where all data and encryption keys stay within the EU.
What this means for your organisation
Compliance – encryption at rest and in transit helps you meet GDPR, ISO 27001, and other regulatory requirements.
Procurement – our encryption measures are documented and available for IT security reviews.
User trust – your employees, members, or readers can use the app knowing their data is protected at every stage.
Summary
All data is encrypted at rest using AES-256-GCM via AWS KMS across databases, file storage, and mobile devices.
All data in transit is protected by TLS/HTTPS, including API traffic, web apps, and mobile apps.
SSL certificates are provisioned and renewed automatically for all client deployments.
Encryption key management is handled by certified cloud providers (AWS, Hetzner).
All servers are located in Germany with optional EU-sovereign hosting.
These measures are part of our ISO 27001 certified ISMS, audited by TÜV Süd.
Need help with a security questionnaire or IT review? Reach out to us at support@tchop.io.