Security
How Conduits protects your Telegram credentials and conversation data.
Encryption at Rest
All sensitive data is encrypted using AES-256-GCM before being stored in the database:
- Telegram session strings — Encrypted per-user with HKDF-derived keys
- HubSpot OAuth tokens — Encrypted per-user with HKDF-derived keys
Key derivation uses HKDF (HMAC-based Key Derivation Function) with SHA-256. Each user gets a unique encryption key derived from the master key and their user ID. Compromising one user's key does not compromise others.
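An added example (not Conduits' own code) of the scheme described above, using Node.js's built-in crypto module: a per-user key is derived with HKDF-SHA-256 from a master key and the user ID, then used for AES-256-GCM. The function names, the info label, the field label passed as associated data, the nonce || tag || ciphertext layout and all sample values are assumptions made for illustration.

```javascript
// Added example, not Conduits code: per-user HKDF-SHA-256 keys + AES-256-GCM.
const { hkdfSync, randomBytes, createCipheriv, createDecipheriv } = require('node:crypto');

const INFO_PREFIX = 'example/user-key/v1:'; // hypothetical domain-separation label

// Derive a 32-byte key for one user from the master key (HKDF, RFC 5869).
function deriveUserKey(masterKey, userId) {
  const info = Buffer.from(INFO_PREFIX + userId, 'utf8');
  return Buffer.from(hkdfSync('sha256', masterKey, Buffer.alloc(0), info, 32));
}

// Encrypt one value; returns nonce(12) || tag(16) || ciphertext.
// `field` (assumed column label) is bound as AAD so blobs cannot be swapped between columns.
function seal(masterKey, userId, field, plaintext) {
  const key = deriveUserKey(masterKey, userId);
  const nonce = randomBytes(12); // must never repeat under the same key
  const cipher = createCipheriv('aes-256-gcm', key, nonce);
  cipher.setAAD(Buffer.from(field, 'utf8'));
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return Buffer.concat([nonce, cipher.getAuthTag(), ct]);
}

// Decrypt; throws if the key, the field label or any byte of the blob is wrong.
function unseal(masterKey, userId, field, blob) {
  if (blob.length < 28) throw new Error('blob too short');
  const key = deriveUserKey(masterKey, userId);
  const decipher = createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12), { authTagLength: 16 });
  decipher.setAAD(Buffer.from(field, 'utf8'));
  decipher.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([decipher.update(blob.subarray(28)), decipher.final()]).toString('utf8');
}

// True when the blob fails authentication for this user and field.
function rejects(masterKey, userId, field, blob) {
  try { unseal(masterKey, userId, field, blob); return false; } catch { return true; }
}

// Constructed sample values; a real master key would come from a KMS or secret store.
const masterKey = Buffer.alloc(32, 0x11);
const blob = seal(masterKey, 'user-1001', 'telegram_session', 'constructed-session-string');
console.log(unseal(masterKey, 'user-1001', 'telegram_session', blob)); // round trip
console.log(rejects(masterKey, 'user-1002', 'telegram_session', blob)); // other user's key
console.log(rejects(masterKey, 'user-1001', 'hubspot_token', blob)); // wrong field label
```

Every user key here is a deterministic function of the master key, so the derivation isolates users from one another but does not reduce the need to protect the master key itself.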
Message Handling
Conduits follows a fetch-summarize-discard model:
- Messages are fetched from Telegram during the sync window.
- Messages are sent to Claude AI for summarization.
- The AI-generated summary is stored; raw message text is not persisted in our database.
The only thing stored permanently is the structured summary (what appears in HubSpot notes) and metadata (message count, date range, message IDs for incremental sync).
Secret Chats
Telegram Secret Chats use end-to-end encryption and exist only on the devices of the two participants. They are architecturally inaccessible via MTProto. Conduits cannot see, read, or sync Secret Chats.
Session Management
Your Telegram session is equivalent to being logged into Telegram on another device. You can see and revoke it anytime:
- Open Telegram
- Go to Settings → Devices → Active Sessions
- Find the Conduits session and terminate it
Infrastructure
- Database: PostgreSQL with encrypted columns for sensitive data
- Transport: All API calls use HTTPS/TLS 1.3
- Hosting: Deployed on SOC 2 compliant infrastructure
- Access: No Conduits employee can read your messages — they're processed in-memory and not logged
Compliance
Conduits reads your own conversations from your own Telegram account. This is analogous to email clients (Spark, Superhuman) that use IMAP to access your inbox. You are accessing your own data.
We recommend informing your contacts that you use Conduits, consistent with your organization's communication policies.
Reporting Security Issues
If you discover a security vulnerability, please email security@conduit.so. We take all reports seriously and will respond within 24 hours.