Encrypted transport. AI on your terms.
Every message and call is end-to-end encrypted. AI is on from the start and always in your hands: when it's on, Telbox runs it on an endpoint that never trains on your content. Turn it off per conversation or entirely, anytime.
End-to-end by default
Messages use Envelope v1 (X25519 + AES-256-GCM + Ed25519). Calls add a forward-secret key exchange with per-frame authenticated encryption. The server only ever holds ciphertext.
No-train AI
When you use AI, your content goes to an endpoint contractually bound never to train on it. Turn AI off and nothing leaves the encrypted envelope.
One clear switch
AI off = pure end-to-end. AI on = no-train understanding. You decide per conversation and per group, and you can change your mind any time.
The model
One architecture, two honest modes
Transport is always end-to-end encrypted. The only choice is whether AI processes your content, and that choice is yours, made explicit.
AI off: pure E2E
Your messages and calls are end-to-end encrypted and nothing is processed. Telbox is a clean, fast, private messenger. The server cannot read a thing.
✨ AI on: no-train
To summarize a note or answer a question, the worker decrypts inside an isolated process and calls a no-train endpoint. Your content is never used to train a model, on any tier.
Verified participants
You can prove who's an agent
Every Telbox agent has its own Ed25519 identity. Its messages are signed and verified on your device, so a "from Agent X" badge is a cryptographic proof, not a label. Revoke an agent and every message it ever sent loses its badge, retroactively.
- Per-agent signing keys, KMS-wrapped, never plaintext
- On-device verification with a tap-to-verify badge
- Retroactive revocation distinguishes compromise from rotation
Tapping the badge re-checks the signature against the agent's published identity key, right on your phone. No server in the trust path.
Defense in depth
Engineered to be boring under attack
SSRF-guarded egress
Every outbound fetch (webhooks, link previews, MCP) is DNS-pinned and blocks metadata, RFC1918, and loopback ranges.
Scoped API keys
Partner keys carry an explicit scope set. Deny-by-default: every authenticated route is consciously classified, so nothing leaks by omission.
Signed provenance
Institutional messages use canonical CBOR + Ed25519 with multi-witness audit anchoring. Tamper-evident by construction.
Prompt-injection fences
Content an agent reads is marked untrusted; external and irreversible actions never auto-fire from freshly-read content.
No-train, end to end
The no-train guarantee is the default routing for every user, not a paid upgrade. The tier gates cost, not privacy.
Sovereign option
Regulated institutions self-host a cell where data never leaves their cloud and keys live in their KMS.
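The check described under "SSRF-guarded egress", as an added example that is not Telbox's code: resolve a hostname once, reject it if any answer falls in the metadata, RFC 1918 or loopback ranges, and connect to the vetted IP rather than the name. The function names, the injectable resolver and the IPv6 ranges are assumptions.

```python
import ipaddress
import socket

# Ranges the page names: cloud metadata (link-local), RFC 1918, loopback.
# The IPv6 entries are an assumption added to cover the same classes.
BLOCKED = [ipaddress.ip_network(n) for n in (
    "169.254.0.0/16",                                  # includes 169.254.169.254
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8",                                     # loopback
    "::1/128", "fe80::/10", "fc00::/7",
)]

class EgressBlocked(Exception):
    pass

def is_blocked(ip_text):
    ip = ipaddress.ip_address(ip_text)
    # Unwrap IPv4-mapped IPv6 (::ffff:10.0.0.1) so it cannot dodge the v4 rules.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED if net.version == ip.version)

def default_resolver(host, port):
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return [info[4][0] for info in infos]

def pin_destination(host, port, resolver=default_resolver):
    """Resolve once, reject if ANY answer is blocked, return the IP to dial."""
    addrs = resolver(host, port)
    if not addrs:
        raise EgressBlocked(f"{host}: no addresses")
    for addr in addrs:
        if is_blocked(addr):
            raise EgressBlocked(f"{host} resolves to blocked address {addr}")
    return addrs[0]

def open_pinned(host, port, resolver=default_resolver, timeout=5.0):
    ip = pin_destination(host, port, resolver)
    # Dial the vetted IP, not the hostname: a second lookup could return a
    # different (rebinding) answer than the one that was checked.
    return socket.create_connection((ip, port), timeout=timeout)

if __name__ == "__main__":
    # Constructed resolver answers; no network access is needed for the demo.
    fake = {"hooks.example": ["93.184.216.34"], "rebind.example": ["93.184.216.34", "10.0.0.5"]}
    for name in fake:
        try:
            print(name, "->", pin_destination(name, 443, lambda h, p: fake[h]))
        except EgressBlocked as exc:
            print("blocked:", exc)
```

For HTTPS, the caller still sets SNI and the Host header to the original hostname on the pinned socket so certificate validation is unchanged.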
Read the legal source of truth: