What is Zero-Knowledge?

Zero-knowledge means we store your data without knowing what it contains. Encryption happens on your device using keys derived from your password. We never see your password or your encryption keys. We only store encrypted data that's mathematically impossible for us to decrypt.

Security Architecture

AES-256-GCM Encryption

Military-grade encryption standard used by governments and financial institutions. 256-bit keys provide 2^256 possible combinations - more than atoms in the observable universe.

Argon2id Key Derivation

Your encryption keys are derived from your password using Argon2id, the winner of the Password Hashing Competition. Resistant to GPU attacks and side-channel analysis.

Client-Side Encryption

All encryption and decryption happens in your browser or app. Your unencrypted data and encryption keys never leave your device. We only transport and store encrypted blobs.

Token-Protected Delivery

Delivery links expire, enforce access limits, and only expose encrypted vault data that recipients decrypt in their browser.

How Your Data is Protected

From upload to delivery, your data remains encrypted and inaccessible to anyone without the proper keys.

01

Local Encryption

You enter your data in our app. Before anything leaves your device, it's encrypted using AES-256-GCM with keys derived from your password.

02

Secure Transport

Encrypted data is transmitted over TLS 1.3 to our servers. Even if intercepted, the data is already encrypted with keys we don't have.

03

Distributed Storage

Encrypted blobs are stored in object storage and served only through authenticated owner requests or expiring delivery-token requests.

04

Recipient Delivery

When triggered, recipients receive secure tokens to access encrypted data. They decrypt it in the browser with the passphrase you shared separately.

Security Practices

Encrypted Storage

Vault content is encrypted before upload and stored as encrypted data that the server cannot decrypt without the passphrase.

Authenticated Access

Account routes require authentication, while recipient delivery uses expiring tokens with configurable access limits.

Deletion Controls

Vault and item deletion remove the database records and associated encrypted file objects from storage.

Audit Trail

Important account actions are recorded in the activity log for dashboard review.

Security FAQs

No. We use zero-knowledge architecture, meaning your data is encrypted on your device before it reaches our servers. We store only encrypted blobs that are meaningless without your keys. Even with a court order, we couldn't decrypt your data - we don't have the keys.

We use AES-256-GCM encryption, the same standard used by governments and financial institutions worldwide. Key derivation uses Argon2id, resistant to both GPU and side-channel attacks. All encryption happens client-side.

Multiple layers: client-side encryption ensures we can't access your vault contents, authentication protects your account, and delivery links are token-protected with expiry and access limits.

Even in the unlikely event of a breach, attackers would only access encrypted data that's useless without your keys. Your keys never touch our servers. This is the fundamental benefit of zero-knowledge architecture.

Your recipients need the passphrase you share separately, so critical recovery material should stay in an offline location you control. Vault contents remain encrypted at rest.

Enterprise Security.
For Everyone.

Every plan includes zero-knowledge encryption and our full security architecture.

Get Started FreeFree forever. No credit card required.