[jeffbee]

Thanks for the downvotes folks, confirming my experience that this forum is incapable of engaging in a rational discussion of privacy and information security, and its members operate from a nonsense threat model. By far the biggest risk to most people's personal privacy is that someone will access their email. The easiest way to do it is to be on the staff of the email company, or to infiltrate their systems. HEY's own marketing materials state that they do not encrypt their data at rest, so I want to know what protects my data from the guy who is the HEY database administrator, or the low-paid datacenter tech who swaps out the broken disks.

[Axsuul]

You're getting downvoted probably because of your assumption that a vanilla tech stack is somehow absent of security best practices. Ruby on Rails "vanilla" is a well maintained server-side framework that receives constant security hotfixes. AWS is a cloud platform that supports robust IAM and VPC networks. It's more likely that a tried and true tech stack like this is more secure than something experimental.

[julianeon]

HEY's security page lists encryption-at-rest.

https://hey.com/security/

[jeffbee]

Interesting because this page specifically disclaims it:

https://hey.com/policies/security/

"Our application databases are generally not encrypted at rest."

Particularly interesting would be a discussion of how they can index content with Elastic while preventing system operators from accessing that index, and with strong auditing of any such access.