Element’s multi-tenancy TI-Messenger solution secures ‘Good’ rating in gematik-commissioned pentest
Element’s multi-tenancy implementation of Synapse Pro has secured a Good rating in a penetration test commissioned by gematik, Germany’s national digital health agency.
The security analysis rating is an important milestone in the widespread adoption of gematik’s TI-M Pro standard, which creates a sovereign, interoperable and secure messenger for healthcare professionals, by embedding healthcare specific requirements on top of the decentralised Matrix open standard.
Gematik commissioned an external service provider to conduct the pentest. The provider used active exploitation techniques to assess the security status of Element's Synapse Pro multi-tenancy implementation - as used in Element Server Suite Pro for TI-Messenger - against best practice criteria, validate security mechanisms, and identify application-level vulnerabilities.
The resulting report found that: “The security of the tested application is rated as ‘Good’. Key interfaces of the Synapse Pro server, including both interfaces for Matrix clients and the server-to-server API, behaved in the examined solution in a manner consistent with a deployment scenario in which a dedicated Synapse instance is used for each tenant.”
The successful gematik pentest now brings external security validation to ESS Pro for TI-M, making it a proven and mature solution. ESS Pro for TI-M is already the server-side component in T-Systems’ TI-M ePA compliant communications solution for BARMER, which launched in July 2025.
A catalyst for local healthcare practitioners to adopt TI-Messenger
Multi-tenancy ESS Pro for TI-M is the first solution available to enable hosting providers to deliver a cost efficient TI-M Pro compliant service to family doctors, local clinics and high street pharmacies.
Total cost of ownership efficiencies are driven by optimisations within Synapse Pro that reduce RAM usage and associated costs by around 90%, and by server-side fleet management features that simplify the administration of thousands of deployments.
For the first time, hosting providers now have a professional server-side solution to deliver affordable TI-M Pro compliant services profitably - even to small healthcare organisations with just a few employees.
A competitive marketplace is now ready to explode as healthcare technology providers race to provide TI-M Pro compliant communications to local healthcare providers. The ecosystem can now build their own frontend TI-M Pro clients, knowing that self-hosted ESS Pro for TI-M is a proven, cost efficient and secure solution backend.

The benefits of a professional server-side solution for TI-Messenger
Element Server Suite Pro for TI-Messenger (ESS Pro for TI-M) is the only standalone server-side product available for healthcare technology providers, enabling them to build their TI-Messenger solutions on top of a vendor-backed server built for TI-Messenger. It includes Synapse Pro, a TI-M Messenger Proxy, a Push Gateway and a dedicated Federation List Service for TI-M, and it stays aligned with evolving specifications.
Synapse Pro, an enhanced version of community Synapse, dynamically scales to save resources during low demand and automatically covers demand spikes to ensure performance. Resource savings for large single-tenant deployments (meeting the TI-M ePA standard) are typically in excess of 80%, and for multi-tenant deployments (meeting the TI-M Pro standard) are usually in excess of 90%. ESS Pro for TI-M also ensures stable operations with minimal downtime as it enables High Availability deployments, along with Element’s SLA, technical support and regular security updates. Perhaps most important for multi-tenancy deployments, ESS Pro for TI-M includes effective administration features to make it easy for a hosting provider to manage thousands of small hosts individually.
Organisations not using ESS Pro for TI-M have to build their own backend, typically by building from scratch on Element’s community FOSS Synapse implementation and then servicing the associated technical debt and maintenance burden. The community version of Synapse is not designed for commercial use. A host with just five end-users has a memory footprint of around 150 MB, which is considerable for a service provider wanting to host 50,000 small hosts (for, say, 50,000 local pharmacies) and makes providing such a service uneconomic. A subscription to ESS Pro for TI-M removes all of those challenges in an instant.
Multi-tenancy within ESS Pro for TI-M allows the pooling of resources, keeping costs predictable and performance consistent - while preserving the isolation each tenant requires. Each shard can support up to 50 tenants, with every tenant segregated at a database schema level. The solution is delivered with a Kubernetes controller to manage the shards and their tenants dynamically (via a tenant management API that is provided by Synapse Pro), and enables integration with continuous deployment tooling and GitOps processes for automation.
Similarly, Element’s TI-Messenger Proxy is designed for performance, efficiency, and compliance. Built in Rust, it benefits from modern memory safety and concurrency models, reducing operational risk by eliminating data races. With an idle memory footprint of just 10 MB - compared to around 800 MB in the TI-M reference implementation - it is exceptionally resource efficient. The proxy fully complies with the latest TI-M Pro and TI-M ePA specifications, integrates with the FHIR Directory via a dedicated Federation List Service, and supports automatic, load-dependent scaling to ensure high availability and resilience.
A deep dive on multi-tenancy within ESS Pro for TI-M, given at Matrix Conference 2025.
Focus on your own frontend client
The successful pentest signals a game change for secure healthcare communications. With ESS Pro for TI-M providing a state-of-the-art server-side component for a TI-Messenger compliant solution, healthcare technology providers can focus their own development efforts on creating an outstanding frontend client for frontline healthcare professionals such as family doctors, local clinics and high street pharmacies.
Understanding and meeting healthcare professionals’ exact requirements will determine healthcare technology providers’ marketplace success, and they can now do so without having to focus on reinventing TI-Messenger server-side performance and features. Just as laptop and smartphone manufacturers work with semiconductor firms, the TI-Messenger ecosystem is now mature enough for healthcare technology providers to use highly specialised components as a part of their own overall solution.