Security and Privacy

Built on a foundation of privacy. We offer robust protection for every user out of the box, with optional high-security features for those who want total cryptographic isolation.

Standard Protection

Industrial-grade security for the modern professional. Fast, reliable, and secure syncing across all your devices.

Encrypted at Rest Industry-standard AES-256 encryption protects your data on our secure servers.
Encrypted in Transit Every byte moved between your device and our cloud is shielded by TLS 1.3.
Managed Backups Automated redundancy ensures you never lose access to your important work.

End-to-End Encryption

Total privacy. Only you hold the keys to your data. Even if our servers were compromised, your content remains invisible.

Zero-Knowledge Architecture We store your data, but we can't read it. We have no mathematical way to access your content.
Client-Side Processing Encryption and decryption happen locally on your device. Your plaintext never touches our network.
Personal Passphrase Your data is derived from a key only you know. Not even our developers can reset this for you.

Technical specification

Authenticated AES-256

Encryption Standard

Cards are sealed with AES-256-GCM. Every byte of data is cryptographically signed, meaning the system detects and rejects any unauthorized modifications instantly.

Anti-Brute Force KDF

Key Derivation

Keys are derived via PBKDF2 stretching. By enforcing 100,000 computation cycles per login, we make "dictionary" attacks against your passphrase effectively impossible.

Zero-Knowledge Trust

Privacy Model

Your master passphrase is Client-Side Only. It is never sent to our servers, not even in encrypted form. We provide the vault, but you hold the only key in existence.

Perfect Forward Secrecy

Network Security

All traffic is routed through TLS 1.3. Even if a future session key were compromised, your historical data remains protected by rotating session parameters.