The Audits, the Investors, and the Warrant Canary
A privacy network is not made private by code alone. It is made private by who controls the code, who funds the controllers, and what the code does when a court asks.
Key Takeaways
- SimpleX Chat Ltd. is a UK-registered company founded by Evgeny Poberezkin. Full-time development began in 2021.
- The codebase has been audited twice by Trail of Bits: implementation review (October 2022) and cryptographic protocol review (July 2024).
- Two pre-seed funding rounds — Village Global (~$370K, July 2022) and Jack Dorsey + Asymmetric Capital Partners ($1.3M, August 2024) — both explicitly carried no board seat and no control provisions.
- The company is publicly committed to migrating to open-source non-profit governance, modeled on Matrix, with OSS legal expert Heather Meeker engaged (announced August 2024).
- The 2025 transparency disclosure (revised 2026-02-09) records 12 law-enforcement requests received, 0 records produced — the behavioral signature of the architecture.
---
Privacy is a systems property. It does not survive the death of its engineers, the pivot of its board, or the quiet acquisition of its parent. A protocol is only as durable as the organization behind it, and the organization is only as honest as the structure that constrains it. This chapter is about SimpleX Chat Ltd. — the people, the money, the audits, and the number that ties all three together.
The company, briefly
SimpleX Chat Ltd. is a UK-registered company (docs/TRANSPARENCY.md). The founder and CEO is Evgeny Poberezkin, who previously led engineering at Wagestream (a UK earned-wage-access startup). Full-time work on SimpleX began in 2021, building on a Haskell core that has been in the repository since before commercialization. The codebase is licensed AGPLv3 with the protocols in the public domain — meaning anyone can reimplement the protocol or fork the server. The branding (logo, name, app store assets) is held separately under trademark terms (docs/TRADEMARK.md).
The team is small by industry standards but unusually technical — Haskell core, Swift/iOS, Kotlin/Android, TypeScript SDK, plus dedicated infrastructure and protocol engineers. Two new engineers were added in the 2024 funding round.
The audit trail
Two external security engagements are on the public record:
| Date | Auditor | Scope | Outcome |
|------|---------|-------|---------|
| October 2022 | Trail of Bits | Implementation security assessment — cryptography and networking | Findings remediated in v4.2 (November 2022) |
| July 2024 | Trail of Bits | Cryptographic protocol review — design of SMP, agent, chat layers | Findings remediated and shipped in v6.1 (October 2024) |
The October 2022 review is the first third-party check on the implementation. It produced a Trail of Bits report (blog/20221108-simplex-chat-v4.2-security-audit-new-website.md) that the SimpleX team publicly cited as the basis for v4.2 hardening. The July 2024 review (blog/20241014-simplex-network-v6-1-security-review-better-calls-user-experience.md) is the deeper, more interesting one — it examined the *design* of the cryptographic protocol, not just its implementation. Trail of Bits is one of the most reputable names in applied cryptography review; their willingness to sign off on the PQ-on-every-ratchet-step design is not a rubber stamp.
The next external review is publicly scheduled for "early 2025" per the SECURITY.md policy. The pattern is roughly biennial. A protocol that is not being audited is a protocol whose bugs are not being found.
The funding, the unusual clauses
Two pre-seed rounds, both small by Silicon Valley standards, both carrying the same load-bearing clause.
Round 1 (July 2022, Village Global): ~$370,000. Village Global is an early-stage venture fund whose LPs include founders of major internet companies. Lead at Village was Ben Casnocha. The unusual clause: no board seat, no control provisions. Evgeny Poberezkin runs the company independently. Casnocha is quoted in the v6.0 blog (blog/20240814-simplex-chat-vision-funding-v6-private-routing-new-user-experience.md) explicitly rebutting the LP-influence concern: "LPs... are financial investors in our fund and exert no control or influence on any of the underlying portfolio companies." In a year when VC-backed privacy companies routinely dilute founders via preference stacks and protective covenants, this clause is a structural signal — the founders chose money that would not try to redirect them.
Round 2 (August 2024): $1.3 million from Jack Dorsey and Asymmetric Capital Partners. This is the round that got press coverage. Dorsey discovered SimpleX in 2023 and endorsed it publicly on Twitter and Nostr. His tweet: "Better than Signal? Looks promising. A few bugs and UX issues but great foundation. Love that it's public domain." His Nostr post was warmer still: "A full day with @SimpleX Chat… Finally, some competition for Signal, and in a permissionless way." Asymmetric's Rob Biederman and Sam Clayman pitched the round as positioning SimpleX as a "de facto Internet standard for private and secure communications" — explicitly framed as an email replacement under AI-driven phishing pressure. Same clause: no board seat, no control provisions. Same posture.
Two rounds, ~$1.67M total disclosed funding, two independent sets of investors, both rounds structured to preserve founder control. This is not common.
SimpleX organizational milestones:
- 2021: Full-time development begins
- 2022: Village Global pre-seed (~$370K, no control)
- 2022: Trail of Bits implementation audit (Oct)
- 2023: Dorsey public endorsement
- 2024: Trail of Bits cryptographic protocol review (Jul)
- 2024: Dorsey + Asymmetric pre-seed ($1.3M, no control)
- 2024: Heather Meeker engaged for non-profit governance
- 2025: 12 law-enforcement requests received; 0 records produced
- 2026: TRANSPARENCY.md revised (Feb 9)
The non-profit trajectory
The most structurally interesting commitment is the announced migration to open-source non-profit governance. Heather Meeker — a US technology lawyer specializing in open-source licensing, founder of techlawpartners.com, and the drafter behind several major OSS foundation charters — was engaged in the August 2024 round. The 2024 v6.0 blog post explicitly cites Matrix as the governance model:
"to set up an open-source governance model to some extent similar to how Matrix did it"
Matrix Element is owned by Element.io but the protocol is stewarded by the Matrix.org Foundation, a UK-registered charity. The SimpleX team is signaling an analogous split: a commercial entity for product development, a non-profit entity for protocol stewardship. Investors agreed to a structure whose endgame may dilute their equity claims. That is not the usual VC posture.
The transition has not completed as of early 2026 — there is no public filing of a non-profit entity — but the structural commitment is on the record.
The warrant canary, named honestly
The number that ties everything else together is in docs/TRANSPARENCY.md, revised 2026-02-09:
2025: "Received 12 law-enforcement requests from various countries. Result: No responsive information was identified/provided."
2024: "Enquiries from several law enforcement agencies seeking information on our procedures." Reply: requests considered under UK law.
Twelve requests in a calendar year, zero records produced. This is not a refusal to comply. The architecture leaves nothing to comply with. The reader who has followed E01 and E02 should now see the chain of causation: pairwise queues → no user records → 12 requests, 0 disclosures → the number is the architectural residue.
For comparison: Signal publishes an annual transparency report with request counts in the high hundreds and a small but nonzero number of disclosures. Telegram publishes selective data. iMessage publishes nothing. SimpleX's 12 is in the same order of magnitude as Apple or Proton's *substantive* disclosures — because most subpoenas are looking for an account record, and SimpleX has no account record to find.
The honest tension
The structure has costs. The transparency report is revised approximately annually; the cadence is conservative. The non-profit migration has been "in progress" since August 2024 with no public entity formed as of early 2026. The Trail of Bits reviews are biennial, which is faster than most peer projects but slower than would be ideal for a security-critical codebase. None of these are accusations — they are the realistic pace of a small team building infrastructure. They are also the parts a critic will point to as evidence of fragility.
What the structure does *not* have: a board that can override the no-identifiers design. A controlling investor who can pivot the company to advertising. A history of regulatory pressure resulting in policy changes. The architecture and the organization are mutually reinforcing — the org can't compromise the design without violating the funding clauses, and the design can't be quietly downgraded because the org can't issue a directive to do so.
What changed my mind
I came into this chapter assuming the privacy network's organizational posture was secondary to the code. After reading the funding structure, the audit cadence, and the 2025 disclosure number in sequence, I have changed the priority. The code defines what is possible; the organization defines what survives. SimpleX's investors have signed documents that constrain them from interfering with the no-identifier design. The non-profit migration plan, if executed, will lock that constraint into perpetuity. The 12-and-0 disclosure record is the proof that the constraint, today, is binding.
E04 closes the series by accounting for the price — what the architecture takes from the user, and when it is the right tool.
---
References:
- docs/ABOUT.md — minimal "About" page, no team names by design.
- docs/TRANSPARENCY.md — 2025 law-enforcement request figures and UK jurisdiction.
- docs/SECURITY.md — coordinated disclosure timeline and threat model boundaries.
- blog/20221108-simplex-chat-v4.2-security-audit-new-website.md — Trail of Bits October 2022 implementation audit.
- blog/20241014-simplex-network-v6-1-security-review-better-calls-user-experience.md — Trail of Bits July 2024 cryptographic protocol review.
- blog/20240814-simplex-chat-vision-funding-v6-private-routing-new-user-experience.md — Dorsey/Asymmetric round details and the "no control provisions" clause.
- blog/20230422-simplex-chat-vision-funding-v5-videos-files-passcode.md — Village Global pre-seed context and business model.