SemaFore Docs
Back to semafore.io

Compliance & Trust

Data Residency

Data Controller

Attomus Limited is the data controller for SemaFore under UK GDPR.

Organisation Details

  • Legal Name: Attomus Limited
  • Registered in: England and Wales
  • Company Number: 06517654
  • Address: 23 Berkeley Square, Mayfair, London W1J 6HE
  • Contact: hello@attomus.com
  • ICO Registration: ZA718457

Data Held and Storage

Message Content Message bodies are end-to-end encrypted on the device using the Signal Protocol (X3DH + Double Ratchet). Encryption occurs before transmission to the server. The SemaFore server holds only ciphertext; Attomus has no access to plaintext message content.

User and Device Data The SemaFore database stores:

  • Phone numbers and device identifiers (for registration and device trust)
  • Encrypted identity keys (Signal Protocol key material; decryption keys remain on-device)
  • Device metadata (device name, registration timestamp, approval status)

Data Hosting Location

All SemaFore datastores run on Attomus-owned and operated hardware located in the United Kingdom. SemaFore does not operate server infrastructure outside the UK. Where one or both users are outside the UK, encrypted message traffic may transit international networks to reach the relevant device, but SemaFore server infrastructure remains UK-based and under Attomus operational control. Attomus does not use third-party cloud providers (AWS, Azure, GCP, or similar) for data storage or processing. The datastore layer is maintained behind Attomus’s own network boundary and firewall.

This means all personal data processed by the SemaFore server remains in the UK and under Attomus’s direct operational control at all times.

External Processors (Delivery Layer Only)

SemaFore’s datastores are entirely Attomus-operated. The only external services used are for mobile push notification delivery — the technical mechanism by which a device is woken to retrieve and decrypt a waiting message. These providers do not receive message content.

ServiceRoleData Processed
Apple APNsPush notification delivery (iOS)Device push token; silent wake-up signal only — no message content
Google Firebase Cloud MessagingPush notification delivery (Android)Device push token; silent wake-up signal only — no message content
CloudflareEdge routing and DDoS protectionHTTP request metadata (IP address, request timestamp, HTTP status code); not linked to user identity in routine operation

Each provider operates under a Data Processing Agreement (DPA) as a processor under UK GDPR Article 28. Push notification payloads carry no message content — they signal the device to reconnect to the SemaFore server, where the encrypted message is retrieved and decrypted locally.

Privacy Policy and Data Rights

  • Privacy Policy: https://semafore.io/privacy
  • Data Subject Rights: Contact hello@attomus.com with subject line “Data Rights — SemaFore” to request access, rectification, erasure, restriction, portability, or objection. Attomus will respond within 30 days.
  • ICO Complaints: Users may lodge complaints with the Information Commissioner’s Office at ico.org.uk.