You control, programmatically, who can read and write messages. I need to understand your setup better, but generally you create users inside groups in Cord and only users of the group can read and write messages. You control authentication, so unless someone had access in your system to a customer's account, or to the project's secret key (which should only be stored on the server and never passed to clients), they wouldn't be able to view the message