Questions from Security team

Dmitry December 12, 2016

Hi,

Our company is considering HipChat as a possible messenger for some of our teams. Could you please explain a few points more fully to our Security team:

1. Encryption of messages during sending.

2. Encryption of chat history stored on the server and the client.

3. Monitoring / reporting on the established client connections.

4. Ability to manage (reset) client connections.

5. Control of which devices are allowed to connect.

6. Domain authentication.

7. Ability to use two-factor authentication.

8. Automatic updates and changes in the client software settings without the need for administrative privileges.
Thank you.

Answer accepted
crivers
Atlassian Team
December 27, 2016

Hi Dmitry, the basic information about HipChat security can be found at https://confluence.atlassian.com/hipchatkb/security-of-hipchat-755337914.html. On some of your questions in particular:

  1. All communication between the client and server is sent and received encrypted over HTTPS (TLS in the older versions of the clients).
  2. Chat history is not stored on the client. On the server, it's stored unencrypted to support searching.
  3. Users can view their own client connections at hipchat.com/account/sessions. There is not currently any support for admin-level viewing of other users' client connections.
  4. As above, users can disconnect sessions at the given URL. There is no admin-level support for performing this on other users.
  5. We don't restrict any devices from connecting to HipChat, but all connections must be over a secure channel (TLS/SSL). This includes third-party XMPP clients as well as all HipChat-built ones.
  6. I'm not sure exactly what you mean by domain authentication. We confirm emails as a general security process, but don't restrict them to certain domains based on the account they're accessing.
  7. 2FA isn't something we currently have, but it is certainly something we hope to add in the future (along with SAML-based authentication, which often comes with its own 2FA support).
  8. Assuming clients are installed by a non-admin user, they can also be updated by the non-admin user without requiring escalated privileges. If you are being prompted to enter administrator credentials when updating, it's likely that the app was initially installed by an administrator account.