Private pilot

Messaging on a need-to-know basis.

Compartment is an end-to-end encrypted messenger for small, high-trust teams — where a leak isn't an option. Built for government, diplomatic, legal, and security work.

  • End-to-end encrypted
  • No custom cryptography
  • Default-deny
  • Minimal metadata

Why Compartment

Security that holds when everything else fails.

Every decision starts from "no." Confidentiality lives on your devices — not on a server you have to trust.

End-to-end encrypted by default

Built on MLS (RFC 9420) via OpenMLS. The server stores and relays ciphertext only — it can never read your messages.

Passwordless

Sign in with a device passkey and Face ID / Touch ID. There's no password to phish, reuse, or leak.

Need-to-know compartments

Every conversation is its own membership-scoped compartment. People see only what they're explicitly added to.

Individually trusted devices

Each device is separately keyed, admin-approved before it can talk, and revocable in real time.

Key transparency

A signed, append-only key log makes operator key-substitution detectable — verified on your device, not just promised.

Self-host or managed

One isolated VM per tenant. Run it on your own infrastructure, or let us host it — either way, only your devices hold the keys.

How it works

Invite-only by design.

No open sign-ups, no directory to scrape. People join one at a time, and every device is vouched for.

Get invited

An administrator sends a one-time, single-use invite over a channel you trust.

Create a passkey

Your device generates a hardware-bound passkey. No password is ever set.

Approved & messaging

An admin approves your device, and you're in your compartments — nothing more.

Built to contain a breach

Assume compromise. Limit the blast radius.

Security isn't a feature bolted on — it's the architecture.

  • Ciphertext only on the server. No message plaintext, ever — even with full server access.
  • Tamper-evident audit log. Every administrative action is hash-chained and verifiable.
  • Break-glass recovery. Regain owner access after a lockout — without a backdoor into messages.
  • Hardened by default. Sandboxed services, default-deny firewall, encrypted off-site backups.
  • No custom cryptography. Audited libraries only — OpenMLS, Ed25519, and platform secure enclaves.
  • This site has zero trackers. No analytics, no cookies, no third-party scripts. We practice what we ship.

Compartment is in private pilot.

Tell us about your team and what you need to protect. We onboard a small number of organizations at a time.
