Security & private deployment

Self-hosting means data, keys, and access policy stay under your control. imcore's security rests on real features, not compliance badges.

Data sovereignty

Self-hosted: messages, user data, and keys stay on your own servers / VPC and never pass through a third party.

Transport & auth

WSS / TLS encrypted transport; JWT-authenticated connections; WebSocket Origin allowlist; API rate limiting; SSRF protection on outbound webhooks.

Access control & audit

Role-based permissions (RBAC) in the admin console; every admin action is written to an audit log.

Content safety

Built-in content moderation and sensitive-word filtering.

Deployment & observability

Intranet / offline deployment supported; Prometheus metrics (/metrics) and health checks (/healthz) plug into your monitoring.

Compliance stance

We don't ship pre-baked third-party certification badges. Self-hosting lets you run inside your own compliance boundary — your data, your keys, your audit and access policy.