Security & Trust
How the platform protects your data — and how you can verify it. Four pillars of trust, each backed by cryptographic guarantees enforced by the architecture.
Zero-Knowledge Boundary
Sensitive document content, metadata, and relationship associations are protected by the architecture — not by policy. Client-side encryption, blind cryptographic tokens, and hardware-isolated enclaves ensure the server handles ciphertext and tokens, not plaintext.
Encryption Guarantees
Client-side encryption before upload, per-document unique keys, enclave-limited plaintext processing, and a hybrid classical + post-quantum design for key transport — protecting against both current threats and future quantum attacks on long-lived data.
Enclave Architecture
All server-side plaintext processing happens inside a hardware-isolated enclave with no direct network access and no persistent storage. The enclave proves its identity through attestation before all key operations — a cryptographic guarantee, not a policy check.
Audit Log Integrity
Security-relevant events are encrypted, chained, and verifiable. The HMAC-linked chain makes tampering immediately detectable: a single modified entry breaks every link in the chain from that point forward.
User Profile
Fetch and update your authenticated user profile. The server stores your display name as an encrypted blob it cannot read.
Enclave Architecture
A guide to the hardware-isolated secure enclave — the trusted execution environment that processes sensitive data without exposing it to the broader server infrastructure.