All communications are E2EE. Contact lists are encrypted using your login PIN and the server does not have access to them. Personal profiles are also encrypted and only shared with contacts who add you.
Signal has minimal metadata when [Sealed Sender]( is enabled. The sender address is encrypted along with the message body, and only the recipient address is visible to the server.
[Sealed Sender]( is only enabled for users on your contact list but can be enabled for all recipients with the increased risk of receiving spam.
The protocol was independently [audited]( in 2016. The specification for the Signal protocol can be found in their [documentation](