PART 08 · THE DIFFERENCE
Us & the category

It comes down to shape.

Almost every product in this category does the same thing with your messages: it copies them into the vendor's own cloud. We do the opposite. The records rest in your tenant, and we keep no lasting copy of them. Two shapes. One of them has a central pot. One of them doesn't.

The usual shape

The vendor-cloud archive

Your conversations are copied off to the supplier's servers and pooled with everyone else's. One platform, one login, one place where every customer's messages sit together. It is convenient to build, and convenient to attack: one store, holding the lot, with a single door. The whole field was shaped this way because it was built for the largest, most heavily regulated buyers.

One vault · everyone's messages in it
Our shape

Your own tenant

Your records live in your own Microsoft 365, governed by your own retention, your own holds, your own eDiscovery. We keep no lasting copy of the record – what reaches us is bookkeeping. There is no shared pot – so there is nothing pooled to lose. To take a hundred organisations' archives, an attacker would have to breach a hundred organisations, one at a time. Of every purpose-built rival we surveyed, not one keeps the record in the customer's own tenant. This is the thing only we do.

A hundred tenants · no shared store
26/ 34
vendors we surveyed won't publish a price. We publish ours in full, on this page.
25/ 34
hold your messages in their own cloud. We keep none of yours – the only archived copy lives in your own tenant.
1at a time
is how many organisations an attacker can reach when there is no shared store to empty.
The honest trade

Here is what we are not. The big suites capture fifty, a hundred, more channels – email, voice, social, the lot – and if you must archive all of that in one place, that is what they are for. We are deliberately narrower: WhatsApp and Teams, done properly, on a number branded in your name, in a tenant you already have. That is the right size for a charity or a care provider, and the wrong size for a bank. We would rather do two channels in a shape we can stand behind than fifty in a shape that has already been breached once. The full account of why – the breach that taught the category this lesson – is in Security, further down. Here, the point is only the shape.

PART 10 · SECURITY
Security & data protection

The safest archive is the one we never hold.

Start with the part no certificate can grant: we cannot read your messages. Not won't – can't. They reach your own Microsoft 365 through WhatsApp’s business platform and our capture and relay, and the lasting record rests inside your organisation's own Microsoft cloud, not on ours. What reaches us is bookkeeping – which plan, how many numbers, whether everything is running. There is nothing of yours for us to breach. The rest is below, and where we're still earning a certificate, we say so.

01 · Custody

We can't read a word

No copy of any conversation ever exists with us – not for support, not for backup, not at all. Ask any vendor what a breach at their end would spill. Our honest answer: your name, your invoice and a green light.

02 · Standards

Designed to ISO 27001

Information security mapped to ISO 27001:2022 controls from day one; independent certification is on the roadmap, and until it's earned we'll keep saying so plainly. A certificate attests to how carefully a vendor guards what it holds – our first control was to hold no messages at all.

03 · Government

Cyber Essentials path

Targeting certification under the UK NCSC scheme. Increasingly expected by funders and public sector partners.

04 · Residency

UK data residency

Your archive lives in your own UK-based Microsoft 365; messages reach it via WhatsApp's business service and land in Microsoft's UK data centres. Every third party we rely on – Microsoft, WhatsApp, Stripe for billing – is named in our published sub-processor list.

05 · Privacy

GDPR by design

The data protection paperwork – impact assessment, records of processing, lawful-basis analysis – arrives drafted for your circumstances, ready for your data protection lead to adapt and sign. We do the writing; you do the owning, because only you can.

06 · Transparency

Disclosed capture only

No covert monitoring. Members are in an organisation-owned group and told it is governed. Lawful and ethical by default.

Why we built it this way · May 2025

In May 2025, one of the best-known names in message archiving was breached. The service ran modified versions of WhatsApp and Signal, and kept a readable copy of every client's messages on its own servers – senior US government officials' and major financial firms' alike, all in one place. The intruder reportedly needed less than half an hour. Message content was stolen, the flaw entered the US government's catalogue of actively exploited vulnerabilities, and the service was suspended.

We take no pleasure in the story – the people involved were working on the same problem we are. We retell it because the lesson is not about one company's carelessness; it is about shape. A vendor that holds everyone's archive has assembled a single, well-signposted prize. That breach wasn't bad luck. It was geometry.

So we built the opposite shape. Your messages travel through WhatsApp's official business service – no modified apps, nothing bolted on – into your own Microsoft 365, the only place a lasting record of them is kept. We keep no copy. Our own systems see what an invoice sees: tier, numbers, service health – never a word of a conversation. An attacker who wanted a hundred organisations' archives would have to breach a hundred organisations, one set of defences at a time. There is no pot of messages at our end, so there is no pot to steal.

Names, dates and sources available on the call – we'd rather argue architecture than point fingers.
PART 09 · READ BEFORE BUYING ANYTHING
Read this before buying anything in this category

What we won't promise. And nobody honest can.

We won't · 01

Read personal phones.

Nobody can, lawfully. A vendor who says otherwise is selling you a data breach with a dashboard. Governance starts where ownership starts: on a number the charity controls.

We won't · 02

Absorb your existing groups.

WhatsApp lets nobody – including us – join groups that already exist. We migrate you forward instead, with the rollout plan, invites and policy templates to make the switch stick.

We won't · 03

Monitor anyone covertly.

Every governed group is disclosed to its members, with the wording supplied by us. Disclosure is what makes the archive usable as evidence and your position defensible.

We won't · 04

Claim "zero knowledge".

Some vendors promise that nobody – not even you – could ever read the archive. An archive nobody can read cannot answer a Subject Access Request: governance and zero knowledge are mutually exclusive. Yours lives in your own Microsoft 365, readable by the people you authorise – and we say out loud what that does and doesn't mean.

We won't · 05

Keep a copy of your messages.

Not for backup, not for convenience, not "encrypted on our side". A vendor holding every client's archive has built one well-signposted vault – and an archive of exactly that shape was breached by hackers in May 2025. Yours exists in your own Microsoft 365, behind your own locks – and no copy with us.

If another vendor promises any of the above, ask them to put it in the contract. Ours is in writing, in the founding offer above.
The Founding Ten · places open

Find out where you stand before someone asks.

Thirty minutes with our team. Bring your messiest scenario – the group nobody admits to, the leaver with two years of messages – and leave with a one-page, board-ready summary of your WhatsApp exposure, plus a straight answer on whether we're the fit. Even if that answer is no.

Book the risk audit Just send the trustee briefing

The briefing: one page on WhatsApp exposure, written for boards. No follow-up unless you ask for one.