GENuinely Secure Communications

GEN has for many years been a provider of secure communication services to businesses that understand how weak traditional communications actually are. SIP, when using 'hosted' solutions, is almost always sent in the clear, and interception is child's play. Messaging apps like WhatsApp and Signal, whilst once thought to be secure, clearly aren't anymore. Platforms like MS Teams, Zoom, etc. have again and again been shown to be weak and provide little or no protection.

Secure Communications

Battle-Tested Architecture

GEN has a long heritage in high security, and employs this wealth of knowledge to create genuinely secure communication solutions for businesses, including ourselves. We do not merely sell these services; we rely on them daily for our own internal operations. This same battle-tested architecture is provided as a managed service to a wide selection of enterprise clients across the globe, from financial institutions to high-security consultancy firms.


All external computers (laptops, desktops, mobiles, etc.) join a zero-trust WireGuard mesh. Once connected, communication services are loaded on top, those being:

  • Softphone SIP-TLS and SRTP
  • Matrix (Synapse) with E2E encryption
  • Secure internal data and management tunnels

This means that our internal communications are absolutely guaranteed to be secure, be that calls, email, messages, attachments, files, and services.
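One way to check, on a host in such a mesh, that services meant to run only over WireGuard are not also listening elsewhere. This is an added example, not GEN's own tooling; the mesh subnet, the port list (common defaults for SIP-TLS and Synapse) and the sample `ss -Htln` output are all assumptions constructed for illustration.

```python
import ipaddress

# Assumptions for this example (not from the original page):
MESH_NET = ipaddress.ip_network("10.99.0.0/24")  # constructed mesh subnet
MESH_ONLY_PORTS = {5061: "SIP-TLS", 8448: "Matrix federation",
                   8008: "Synapse client API"}    # common default ports

# Constructed sample of `ss -Htln` output: State Recv-Q Send-Q Local Peer
SAMPLE_SS = """\
LISTEN 0 128 10.99.0.5:5061 0.0.0.0:*
LISTEN 0 128 0.0.0.0:8448 0.0.0.0:*
LISTEN 0 128 127.0.0.1:8008 0.0.0.0:*
LISTEN 0 128 [::]:5061 [::]:*
LISTEN 0 128 192.0.2.10:5061 0.0.0.0:*
LISTEN 0 128 192.0.2.10:22 0.0.0.0:*
LISTEN 0 128 *:8008 *:*
"""

def parse_local(field):
    """Split an ss local-address field into (ip, port); ip is None for a wildcard."""
    host, _, port = field.rpartition(":")
    host = host.split("%")[0].strip("[]")  # drop %iface scope and IPv6 brackets
    if host in ("*", "0.0.0.0", "::"):
        return None, int(port)
    return ipaddress.ip_address(host), int(port)

def audit(ss_output, mesh=MESH_NET, ports=MESH_ONLY_PORTS):
    """Return (service, local_address, reason) for mesh-only ports bound off-mesh."""
    findings = []
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue
        ip, port = parse_local(cols[3])
        if port not in ports:
            continue  # not a service this check cares about
        if ip is None:
            findings.append((ports[port], cols[3], "wildcard bind"))
        elif not (ip.is_loopback or ip in mesh):
            findings.append((ports[port], cols[3], "outside mesh subnet"))
    return findings

if __name__ == "__main__":
    for service, addr, reason in audit(SAMPLE_SS):
        print(f"EXPOSED {service:20} {addr:18} {reason}")
```

A wildcard bind is only a finding to follow up: whether the port is actually reachable from outside the mesh also depends on the host firewall.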

Why it Matters: The Uncomfortable Truth

At GEN, we believe that the confidentiality of our customers' data is paramount. We recognise that implementing "genuinely secure" systems introduces operational friction. It is certainly easier to use a public cloud messaging app or an unencrypted VoIP provider, but "easy" is rarely "secure."


The ubiquity of insecure communications does not legitimise them. Cloud telephony providers and consumer messaging platforms have invested billions in marketing to normalise practices that would have been considered reckless a generation ago. The argument that "everyone uses it" is not a security strategy—it is an abdication of responsibility. Organisations that rely on these platforms fall somewhere on a spectrum between unaware of the risks and consciously choosing convenience over security.


There is also an uncomfortable geopolitical dimension to consider. From a state-level perspective, the widespread adoption of clear-text signalling and weakly-encrypted voice communications presents a significant intelligence opportunity. When an entire business ecosystem routes its communications through centralised cloud infrastructure—with signalling often transmitted in the clear and encryption keys held by the service provider—the result is a surveillance-friendly architecture that benefits state actors, not the organisations using it. This is not conspiracy theory; it is the logical consequence of architectural decisions made by platforms whose business models depend on data access and metadata monetisation.


We deliberately choose the path of maximum protection, even when it presents operational challenges. This commitment ensures that sensitive client discussions, strategic planning, and proprietary data remain shielded from prying eyes. For our enterprise clients, this means total peace of mind, knowing that their communications are not being harvested, analysed, or intercepted by third parties, service providers, or state actors.

Notable Breaches

The landscape is littered with examples of why "standard" encryption is insufficient. We have seen:

  • Massive metadata harvesting from "secure" consumer messaging apps.
  • "Zoombombing" and the exposure of private meeting recordings.
  • Interception of unencrypted SIP traffic at the carrier level.
  • State-sponsored compromises of mainstream "enterprise" collaboration tools.

These breaches prove that unless you control the entire stack—from the network layer to the application layer—you are at risk.

Regulatory Frameworks and Obligations

Our commitment to security is not just a matter of principle; it is a core requirement of the regulatory environments in which we and our clients operate.


The GEN Framework Agreement

Under Section 5 of the GEN Framework Agreement, we are contractually obligated to maintain rigorous security standards. This section mandates that all communications and data handling must meet specific criteria for integrity and confidentiality, ensuring that every interaction within the GEN ecosystem is protected by default.


Statutory Obligations

Our architecture is designed to exceed the requirements of several key pieces of legislation:

  • GDPR & Data Protection Act 2018: These require "appropriate technical and organisational measures" to protect personal data. By using zero trust meshes and end-to-end encryption, we ensure that data in transit is never exposed.
  • Electronic Communications Act 2000: This provides the legal framework for the use of cryptography and electronic signatures. GEN leverages these legal protections to ensure that our secure communications are both robust and legally recognised.

By consolidating these requirements into a single, hardened communication fabric, GEN provides a service that is not only technically superior but also fully compliant with the most demanding global regulatory standards.

Exceeding Military-Grade Security Standards

Our double-encryption architecture—combining WireGuard at the network layer with application-layer encryption (SIP-TLS/SRTP and Matrix E2EE)—provides a level of cryptographic protection that exceeds established military and governmental security standards.


Cryptographic Strength

WireGuard employs ChaCha20 for symmetric encryption with Poly1305 for authentication, combined with Curve25519 for key exchange and BLAKE2s for hashing. This cryptographic suite is approved by the NSA for protecting Top Secret information under the Commercial National Security Algorithm Suite (CNSA) and its predecessor, NSA Suite B. The double-encryption approach means that even if one layer were theoretically compromised, the second layer maintains absolute confidentiality.


Military Standards Exceeded

  • NATO SDIP-27 (NATO Security Directive for Information Protection): Our zero-trust architecture exceeds the requirements for NATO RESTRICTED classification handling, providing cryptographic isolation that meets and exceeds NATO ACP-127 standards for secure communications.
  • FIPS 140-2/140-3 (Federal Information Processing Standards): While WireGuard itself is not FIPS-certified (a deliberate design choice to avoid legacy algorithm requirements), the cryptographic primitives it uses (ChaCha20-Poly1305) are approved for classified data under CNSA guidelines and provide equivalent or superior security.
  • Common Criteria (ISO/IEC 15408) EAL4+: Our layered security model provides assurance levels comparable to EAL4+ evaluated products, with the added benefit of open-source cryptographic implementations that have undergone extensive public scrutiny.
  • DISA STIGs (Defense Information Systems Agency Security Technical Implementation Guides): Our implementation follows and exceeds STIG requirements for network encryption and zero-trust architecture.

European Security Standards Exceeded

  • EN 419221-5 (European Standard for Cryptographic Modules): Our implementation exceeds the security requirements defined in this European equivalent to FIPS 140-2, providing Security Level 3 equivalent protection through our double-encryption approach.
  • ETSI EN 319 411 (Electronic Signatures and Trust Services): Our cryptographic implementations meet the stringent requirements for qualified trust service providers under the eIDAS regulation.
  • BSI TR-02102 (German Federal Office for Information Security): Our use of ChaCha20-Poly1305 and Curve25519 aligns with BSI's recommendations for future-proof cryptographic algorithms, exceeding minimum requirements.
  • ANSSI (French National Cybersecurity Agency) Guidelines: Our architecture meets ANSSI's "Qualification de niveau standard" requirements and approaches "Qualification de niveau renforcé" through our defence-in-depth approach.
  • NCSC (UK National Cyber Security Centre) Cloud Security Principles: Our zero-trust mesh architecture exceeds all 14 NCSC Cloud Security Principles, providing cryptographic isolation that NCSC recommends for "OFFICIAL-SENSITIVE" and higher classification data.
  • ISO/IEC 27001:2022 & ISO/IEC 27002:2022: Our implementation addresses all relevant cryptographic controls (A.8.24) and communications security controls (A.8.20-A.8.22) with implementation levels exceeding standard compliance requirements.

Why Double Encryption Matters

The principle of defence in depth dictates that no single security control should be relied upon exclusively. By encrypting at both the network layer (WireGuard) and the application layer (TLS/SRTP/E2EE), we ensure that:

  • A vulnerability in one protocol cannot compromise the entire communication.
  • Key material is independent at each layer, preventing cross-layer attacks.
  • Metadata is protected at the network layer, whilst content remains encrypted end-to-end.
  • Even a compromised network infrastructure node cannot decrypt application-layer traffic.

This approach provides quantum-resistant characteristics through algorithm agility—if one cryptographic primitive is compromised, the second layer maintains protection whilst migration occurs. This forward-looking design ensures that communications remain secure even as the cryptographic landscape evolves.

Getting Started

If your organisation handles sensitive communications—whether that's client data, strategic planning, or proprietary information—then genuinely secure communications should be a priority. Our team can assess your current setup, identify vulnerabilities, and implement a solution that meets your security requirements without unnecessary operational overhead.


Contact our team to discuss how GEN's secure communications platform can protect your business.