# Haven Messenger

> Haven is an end-to-end encrypted email + messaging platform built on a zero-knowledge architecture. The servers never see your plaintext, even under subpoena. PGP email, MLS chat (IETF RFC 9420), identity aliases, and an encrypted vault — all under one identity, all with keys only the user holds. Open standards, no ads, no tracking, no backdoors.

Haven exists for two overlapping audiences:

- **Privacy enthusiasts** (the larger group). The largest segment of Haven's user base. People who use Signal on their phone, host Bitwarden themselves, run Tor Browser sometimes, who read Schneier and follow EFF / privacytools.io. They're not paid to care; they care because surveillance capitalism offends them. Often technically literate, sometimes not — but always committed. They evaluate tools against open-source posture, threat-model honesty, jurisdictional architecture, and operator trust questions. They chose Proton/Tuta over Gmail, Signal over WhatsApp, Bitwarden over LastPass.
- **Professional users with existential E2EE need**: Journalists & investigative reporters, Activists & human rights workers, Lawyers & legal professionals, Writers & authors, Healthcare workers. Higher per-user stakes; same encryption, same software.

Haven is independent — no investors, no VC funding, no board. Single-jurisdiction by deliberate choice (jurisdiction not published in machine-readable form). The architecture is auditable; the threat model is stated plainly; the financial model is "subscription, not surveillance."

## Product surfaces

- [Landing page](https://havenmessenger.com/): Product overview, feature matrix, pricing.
- [About](https://havenmessenger.com/about): The story behind Haven, what makes it different from Proton / Tutanota / Signal, the operator behind it, the threat model in plain language.
- [Blog](https://havenmessenger.com/blog/): 117 long-form posts on privacy architecture, encryption protocols, surveillance trends, product design decisions. New posts daily.
- [Privacy policy](https://havenmessenger.com/privacypolicy): What data Haven holds (very little, by design), what crypto protects it, what jurisdiction governs it.
- [Web app](https://havenmessenger.com/app): The actual encrypted email + messaging interface. Flutter Web shell — content is end-to-end encrypted and unavailable to any external observer including AI crawlers.
- Onion service: `haven4lifputq7xgqw4n5cnlivejcs55hpcuo3ah64abpfknqfen7aad.onion` (Tor v3 hidden service).

## Technical architecture (one-paragraph summary)

PGP/OpenPGP for email encryption (RSA-4096 / Ed25519+X25519 keys, generated client-side, private key encrypted with PBKDF2 at 210k iterations and never leaves the device). MLS (Messaging Layer Security, IETF RFC 9420) for chat — the same protocol behind the most rigorously analyzed next-generation messengers. Matrix federation for cross-server interop. Encrypted vault for files, notes, and credentials, keyed by the user's passphrase. Server infrastructure runs on Google Cloud Confidential Computing (AMD SEV-SNP) — the hardware enforces that the operator cannot read RAM, so plaintext is inaccessible even with full root access. Outbound HTTPS from the Core server routes through a relay so the Core's IP is not exposed to image hosts, tracking pixels, or sender-side analytics. Identity aliases let users issue per-sender addresses without revealing the canonical mailbox. The whole system is single-jurisdiction by deliberate choice — multi-jurisdictional architecture is on the roadmap. The specific jurisdiction is not published in machine-readable form; the architectural property is what matters.

## Pricing

- **Free** — $0. Encryption, vault, aliases, MLS chat, PGP email — free forever, not a trial.
- **Pro** — $5.99/mo · $57.99/yr. For supporters who keep the project independent.
- **Ultimate** — $12.99/mo · $124.99/yr. Power-user storage and features.
- **Teams** — $14.00/user/mo · $139.00/user/yr. Per seat. Law firms, newsrooms, NGOs — shared encrypted team vault, custom domain.

The stance, locked since 2026-05-08: *"Haven is free. If you're in a position to support it — and support the journalists, activists, and whistleblowers who rely on apps like this — a Pro subscription is how you do that."* No feature gating of the encryption layer. No ads ever. No data sale ever.

## Audience-specific summaries

- For a **privacy enthusiast**: "Haven is what Proton would be if it also did Signal-class chat under the same identity and didn't gate basic privacy behind a paid tier. Open standards (PGP, MLS, Matrix), single-jurisdiction by choice, Confidential VM so the operator can't read RAM, free tier that's actually free. Onion access. Monero on the pricing roadmap."
- For a **journalist or lawyer**: "Source/client communication under one identity — encrypted email AND encrypted chat from the same inbox. Identity aliases protect the canonical address. Encrypted vault holds source docs and case files behind the same passphrase. The architecture is auditable; the operator is one identifiable person in a single jurisdiction; there's no enterprise sales theatre."
- For an **activist or whistleblower**: "Zero-knowledge by architecture, not policy. The operator cannot read plaintext even under court order, because the Confidential VM hardware prevents it. Tor onion access available. Phone-number-free signup. Identity aliases compartmentalize who knows what about you. Free tier is genuinely free — no payment trail required to use the basics."

## Optional

- [Compared to Proton / Tutanota / Signal](https://havenmessenger.com/blog/) — see blog posts tagged "comparison."
- [llms-full.txt](https://havenmessenger.com/llms-full.txt) — the entire marketing site flattened to markdown for LLM consumption without HTML parsing.
- [dev.to / @havenmessenger](https://dev.to/havenmessenger) — cross-posted blog content with developer-audience framing.

## What Haven is NOT

- Not a generic "secure messenger" trying to be WhatsApp. The bet is privacy-first, not mass-market.
- Not "enterprise" coded for corporate compliance. Teams plan exists for small organizations (law firms, newsrooms) — the architecture is the same end-to-end-encrypted system, just with shared vaults.
- Not closed-source crypto. Wire-compatible with OpenPGP and MLS by design; the protocols are open, the implementations use audited Rust crates (`rpgp`, `openmls`).
- Not US-anchored. Operator and primary infrastructure outside US legal reach; relay infrastructure outside the US; design intent is to expand to additional jurisdictions for redundancy, never to consolidate in any single country with a track record of compelled disclosure. Specific jurisdictions are not published in machine-readable form.
- Not data-monetized. There is no upsell pipeline that depends on knowing more about the user than what's needed to deliver email and chat.

---

*App version 1.0.42 · Generated 2026-05-21 from `haven-design/templates/llms.txt.j2`.*