A readable overview of how we protect your files — no jargon, nothing hidden. For the full details, download the whitepaper or the CREST security certificate.
Our application successfully passed a grey box penetration test carried out by Cyberglobal. We passed every test and were awarded the prestigious CREST certificate, guaranteeing the highest product security and adherence to market-standard security best practices.
Every file is encrypted on your device before it leaves. Keys never leave the client. What reaches our servers is just encrypted data — unreadable to us and anyone else.
We cannot read your data. We have no keys, no backdoors, no magic "reset button" to access your content. It's a technical constraint, not a marketing promise.
No user, system or service gets implicit access. Every request is authenticated, authorized and logged. The principle is simple: trust nothing, verify everything.
Encryption happens on your device — plaintext never travels. When you upload a file, the browser or app turns it into encrypted data using a key only you hold. When you download it, the reverse happens. In between there's no moment our servers can read the content.
S3-compatible storage, exclusively in European data centres, with multi-zone replication. Data is encrypted at rest (with the customer's key) and in transit (TLS 1.3). No non-EU transfers, ever.
The workgroup is isolated. External guests only see folders they've been invited to — the rest of the organization is completely invisible to them. Permissions are granular (read, upload, download, chat) and links can have passwords and expiry dates.
We build the product around European regulations, not as a compliance layer added later. GDPR, NIS2, AGID — requirements are baked into the architecture, not into a checklist.
You have 30 days to export all your data. After that, it's permanently deleted from our replicas. Since it's end-to-end encrypted, even residual backups are unreadable without the customer's keys — which are destroyed when the account is closed.
Transparency also means listing what we cannot or will not do:
For DPA requests, internal audits, SSO integrations or industry-specific compliance requirements, get in touch. We reply within 24 working hours.