Secure crisis hotline
for the people who need it
Llámenos is open-source hotline software that protects callers and volunteers. HPKE-encrypted notes, 8-provider telephony, 5 messaging channels, and a zero-knowledge architecture — so sensitive conversations stay private.
Built for crisis response
An extraordinary depth of capability — every decision made with activists, organizers, and their adversaries in mind.
Security-first architecture
Reviewed by a Signal cryptographer. Every cryptographic decision is intentional, documented, and auditable.
HPKE (RFC 9180)
X25519-HKDF-SHA256-AES256-GCM — the same hybrid encryption standard used in MLS and TLS 1.3. Replaced ECIES entirely.
Per-note forward secrecy
Every note uses a unique random key, HPKE-wrapped per authorized reader. Compromising any key reveals nothing about past notes.
57 domain separation labels
Every crypto operation has a unique context string (Albrecht defense). No two operations share a key derivation path.
Client-side Whisper transcription
Call transcription runs entirely in the browser via WASM. Audio never reaches the server — not even the encrypted audio.
PIN-encrypted device keys
600,000 PBKDF2 iterations + XChaCha20-Poly1305. Private keys live only in an in-memory closure — never in sessionStorage or disk.
Reproducible builds + SLSA
SLSA provenance, SBOM, cosign signing, SOURCE_DATE_EPOCH. Any release can be verified byte-for-byte against the published checksums.
8 telephony providers, your choice
Cloud or fully self-hosted. Switch providers without code changes. No CDR data forced to any third party.
6 cloud providers
Twilio, SignalWire, Vonage, Plivo, Telnyx, Bandwidth — configure via admin UI. Mix providers across hubs.
Self-hosted SIP
Asterisk and FreeSWITCH via ARI/ESL/Kamailio bridge. No cloud dependency, no call records leaving your server.
Parallel ring
Every on-shift volunteer rings simultaneously. First pickup wins. Queue with hold music if all are busy.
WebRTC browser calling
Volunteers answer calls directly in the browser. No phone required. Provider-specific WebRTC token generation.
5 messaging channels, unified inbox
SMS, WhatsApp, Signal, Telegram, and RCS — all routed through a single encrypted conversation view.
Full Signal integration
Receipts, reactions, typing indicators, identity trust, retry queue, and failover. A complete Signal client, not just send/receive.
WhatsApp + SMS
Meta Cloud API (Graph v21) for WhatsApp. SMS via 4 providers. Template support, media messages, inbound webhooks.
Telegram + RCS
Telegram Bot API and RCS/Google RBM for rich messaging. All channels share the same encrypted conversation model.
Blast/broadcast
PostgreSQL-backed delivery queue with per-channel rate limiting, scheduled sends, and per-recipient status tracking.
Three native platforms, one crypto crate
One auditable Rust implementation compiled to native, WASM, and UniFFI. Not three separate implementations.
Desktop (Tauri v2)
Windows, macOS, and Linux. Tauri Stronghold encrypted vault. Native system tray, auto-updates, single-instance enforcement.
iOS (SwiftUI)
Native SwiftUI, iOS 17+. Keys in the iOS Keychain. Rust crypto via UniFFI XCFramework — same code as desktop.
Android (Kotlin/Compose)
Native Kotlin/Compose, minSdk 26. Android Keystore. Rust crypto via JNI — same crate, different target.
Template-driven case management
Nothing is hardcoded to any use case. Entity types, report types, fields, and views are all configurable per hub.
Custom templates
Define entity types, report types, and custom fields per hub. Templates drive all forms and views — no code changes needed.
Encrypted blind-index search
Search encrypted records without exposing plaintext to the server. HMAC-indexed fields, scoped per hub.
Multi-hub
One installation, many lines. Volunteers and admins can be members of multiple hubs simultaneously.
Relationships + evidence
Link contacts, cases, events, and evidence. Full relationship graph with encrypted fields throughout.
Self-hosted, GDPR-ready
Your server, your data. Three deployment paths, from single-server to Kubernetes cluster.
Docker Compose
Single-server deployment in minutes. PostgreSQL, MinIO, strfry Nostr relay, and all sidecars included.
Kubernetes (Helm)
Production Helm chart with health probes, Prometheus ServiceMonitor, Caddy ingress, and Ansible preflight playbooks.
Co-op Cloud + GDPR
Co-op Cloud recipe for community organizations. EU-compatible data handling, right to erasure, Cloudflare Tunnels ingress.
See it in action
A modern, responsive interface designed for crisis response. Works on desktop and mobile.
Real-time overview of active calls, volunteer presence, and shift status.
Honest about security
We publish exactly what is encrypted, what isn't, and what the server can see. No hand-waving. HPKE (RFC 9180) replaces ECIES. Per-note forward secrecy means compromising a key can't reveal past notes. 57 domain separation labels prevent cross-protocol attacks. Audio never leaves your browser. Read the full security model.
Read the security modelReady to deploy?
Llámenos runs on your own servers — Docker Compose for single-server, Helm for Kubernetes. Get a hotline running in under an hour.