CongoSky · Khuluma Tenant 0 · closed beta

Private messaging & neighbourhood safety

Speak up. Stay safe.

Khuluma is how people message each other privately and how neighbours warn each other about danger nearby — built so the privacy comes from the architecture, not from a promise.

Khuluma · isiZulu: “to speak.” Built for safety, under fire.

What Khuluma is

Khuluma started as a way for neighbours to warn each other about danger, and grew into a private messaging platform with that safety channel built in. Two things people need that are really one: a way to speak to each other, and a way to be warned in time — both fast, both local, both trusted.

  • Private messaging. Talk to the people you choose. Built on standard, vetted encryption — never anything we rolled ourselves.
  • Area alerts. See what neighbours are reporting in the place you actually live.
  • Corroborate warnings. Add your voice when you have seen the same thing. Signal over noise.
  • Invite-only areas. Join through someone who vouches for you. Safety starts with who is in the room.
  • SMS opt-in. Get critical alerts by text when you are not staring at a screen.
  • Works offline-first. Made for prepaid data and a five-year-old phone, not just a new one on fast wifi.
  • Rides any radio (BadgerNet). Alerts compress so small they fit a 12-byte Sigfox frame or a USSD string — so a danger warning reaches a feature phone with no data plan at all, over LoRa, Sigfox, or *123#.

Overkill, on purpose

Khuluma is built for people under real threat, so its privacy is a property of the architecture, not a line in a policy. The posture, plainly:

  • FOSS-first. Open, auditable foundations over closed black boxes you have to take on faith.
  • No custom crypto. Encryption, key exchange, signatures — only the standard, peer-reviewed building blocks. We never invent our own.
  • Your device, your lock. App lock uses your phone's own biometrics. No face data ever reaches our servers. We never run our own camera face-scan.
  • Metadata-hostile. We hold the least we can while still warning you in time. The safest record is the one we never keep.
  • No "secure it later." Privacy is a release gate from day one, not a backlog item.

Privacy from architecture, not promises — umuntu ngumuntu ngabantu.

How it works

  1. Get an invite. A steward or neighbour sends you in. No open sign-up on a map. Trust is deliberate.
  2. Join your area. Pick the neighbourhood you belong to and follow it. One feed, one place.
  3. Post and follow alerts. Members can post warnings. Everyone can read, corroborate, and stay ahead of danger.

Coming soon to your pocket

Khuluma is in closed beta on CongoSky. App store links and a public waitlist open when we are ready for the next wave.

Running on CongoSky, the sovereign cloud for Africa.

Technology, privacy, and security

Khuluma is built for people under real physical threat. The architecture is deliberately small: fast local alerts, a trust graph instead of an ID database, and the least sensitive data we can hold while still warning neighbours in time.

What runs underneath

  • CongoSky (Tenant 0). Khuluma is the first product on CongoSky: one tenant namespace on shared infrastructure, isolated by account and database scoping, not by selling your data.
  • API and app backend. A relay backend handles sign-in, areas, alerts, corroboration, message delivery, and SMS fan-out. Private messaging is designed to be end-to-end encrypted from the start, so the relay carries messages it cannot read; the safety-alert channel is live first.
  • Auth0 (identity). Standard OIDC/OAuth2 login. You authenticate with a provider we trust; we hold session tokens, not passwords. Real names are not required to use Khuluma.
  • Neon (Postgres). Membership tier, vouch graph, area follows, alerts, and corroboration counts. Row-scoped per tenant. Alerts expire automatically so stale warnings drop off.
  • SMS delivery. Optional text alerts ride a provider-agnostic seam (console in dev, production SMS gateway when enabled). Posting an alert never fails because SMS hiccuped; texts are best-effort on top of in-app reading.
  • This page. Static HTML on Cloudflare Pages at congosky.cloud. No trackers on this landing page beyond what your browser sends to load fonts. Product analytics elsewhere use privacy-first Plausible where enabled.

What we store (and what we refuse to)

  • Stored: your account id, membership tier, who vouched for whom, which coarse areas you follow (by name, e.g. a ward or suburb), alert text, category, timestamp, optional landmark string you type, corroboration counts, and an SMS number only if you opt in.
  • Not stored (readable by us): passport or national ID images, home address, precise GPS tied to you, the contents of your private messages (end-to-end encrypted — the relay only ferries ciphertext it cannot open), or a public map of “foreigners here.”
  • Design rule: if a server breach would make a leak more dangerous to a real person, that data does not ship. The safest record is the one we never keep.

How PII is protected

  • Phones are optional and controlled. SMS is opt-in. You can register a number for critical texts or use the app only. STOP/opt-out is honoured per number. Numbers are normalised to E.164 and used only for alert fan-out, not marketing.
  • Logs minimise exposure. Operational logs use opaque user labels, not raw phone numbers in free text. SMS attempts are audited in a dedicated log for abuse forensics and deduplication, not for profiling.
  • Deletion and anonymisation. You can purge your account. Past alerts you posted are anonymised (poster removed) so corroboration counts stay honest; your vouches are dropped.
  • AI boundary (platform-wide). CongoSky classifies and redacts personal data before it enters model context, and re-checks generated output before persistence. Khuluma v0 keeps almost no sensitive fields, so the PII surface stays small by design.
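
One way the E.164 normalisation and opaque log labels described above can fit together, as an added example that is not Khuluma's own code. The function names, the keyed-HMAC label scheme, the demo key, and the +27 default country code are all assumptions made for illustration; the phone number is constructed.

```python
import hashlib
import hmac
import logging
import re

LABEL_KEY = b"constructed-demo-key"  # assumption: per-deployment secret, kept out of the log store
DEFAULT_CC = "27"  # assumption: local numbers default to +27; the page names no country
# Loose on purpose: over-matching a digit run only costs an extra redaction.
PHONE_RE = re.compile(r"(?<![\w+])\+?\d(?:[\s\-()]{0,2}\d){8,14}(?!\w)")

def to_e164(raw, default_cc=DEFAULT_CC):
    """Return '+<country><subscriber>' (at most 15 digits), or None if ambiguous."""
    digits = re.sub(r"\D", "", raw)
    if raw.strip().startswith("+"):
        pass                                # already international
    elif digits.startswith("00"):
        digits = digits[2:]                 # 00 international prefix
    elif digits.startswith("0"):
        digits = default_cc + digits[1:]    # national trunk prefix
    else:
        return None                         # no prefix: refuse rather than guess
    ok = 8 <= len(digits) <= 15 and not digits.startswith("0")
    return "+" + digits if ok else None

def opaque_label(e164):
    """Keyed and stable: one number always maps to one label, useless without LABEL_KEY."""
    mac = hmac.new(LABEL_KEY, e164.encode(), hashlib.sha256).hexdigest()
    return "u_" + mac[:12]

def redact(text):
    """Replace every phone-like run in free text before it is written."""
    def swap(match):
        e164 = to_e164(match.group(0))
        return opaque_label(e164) if e164 else "[number-redacted]"
    return PHONE_RE.sub(swap, text)

class PhoneRedactingFilter(logging.Filter):
    def filter(self, record):
        record.msg, record.args = redact(record.getMessage()), ()
        return True

def filtered_message(fmt, *args):
    """What a handler would write for log.info(fmt, *args) once the filter has run."""
    record = logging.LogRecord("khuluma.sms", logging.INFO, "demo", 0, fmt, args, None)
    PhoneRedactingFilter().filter(record)
    return record.getMessage()
```

A filter like this is a backstop for free text; the first control is still to hand the logger the label rather than the number.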

Security controls

  • Web of trust, not an ID gate. Invite-only areas. Provisional members read; full members post and vouch. Two independent vouches are required before you can warn an area or bring someone else in. Vouches are attributable and revocable.
  • Coarse areas only. Alerts name a neighbourhood you joined, not your bed. Optional landmark text is what you type, not device GPS.
  • Anti-abuse on broadcast. Only full members post. Per-poster rate caps per area limit blast spam if an account is compromised. Corroboration makes lone fakes visible.
  • HTTPS everywhere. API traffic is TLS-terminated at the edge. Session tokens are short-lived industry-standard JWTs. Provider contracts (Auth0, Neon, Render, SMS) are swappable without rewriting the product.
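
The two-vouch rule above can be evaluated as a fixed point over the vouch graph; the following is an added example, not Khuluma's own code. It assumes stewards are the trust roots, reads "independent" as distinct vouchers who are themselves full members, and recomputes tiers from live vouches so a revocation cascades; all names and sample members are constructed.

```python
from dataclasses import dataclass, replace

REQUIRED_VOUCHES = 2  # from the page: two independent vouches

@dataclass(frozen=True)
class Vouch:
    voucher: str          # attributable: every vouch names who gave it
    member: str
    revoked: bool = False

def full_members(stewards, vouches):
    """Grow outward from the stewards until nothing changes, so a ring of
    accounts vouching for each other can never promote itself."""
    full = set(stewards)
    changed = True
    while changed:
        changed = False
        backers = {}
        for v in vouches:
            if not v.revoked and v.voucher in full and v.voucher != v.member:
                backers.setdefault(v.member, set()).add(v.voucher)
        for member, who in backers.items():
            if member not in full and len(who) >= REQUIRED_VOUCHES:
                full.add(member)
                changed = True
    return full

def can_post(member, stewards, vouches):
    """Provisional members read; only full members post and vouch."""
    return member in full_members(stewards, vouches)

def revoke(vouches, voucher, member):
    """Return a new list with that vouch marked revoked (the record is kept)."""
    return [replace(v, revoked=True) if (v.voucher, v.member) == (voucher, member) else v
            for v in vouches]

# Constructed sample graph.
STEWARDS = {"steward_a", "steward_b"}
SAMPLE = [
    Vouch("steward_a", "ana"), Vouch("steward_b", "ana"),
    Vouch("steward_a", "ben"), Vouch("ana", "ben"),
    Vouch("ana", "cy"), Vouch("ben", "cy"),
    Vouch("sock1", "sock2"), Vouch("sock2", "sock1"),      # ring with no steward path
    Vouch("sock1", "sock3"), Vouch("sock2", "sock3"),
    Vouch("steward_a", "dee"), Vouch("steward_a", "dee"),  # duplicate counts once
]
```

Revoking the single vouch from steward_b to ana drops ana, then ben, then cy back to provisional, which is how one compromised branch of the graph can be cut off.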

Closed beta. Specifications and threat model are maintained in the CongoSky/Yama engineering docs. Questions: [email protected].