Zero Trust

Security, made clear.

A readable overview of how we protect your files — no jargon, nothing hidden. For the full details, download the whitepaper or the CREST security certificate.

Independent verification

Grey box penetration testing + CREST certificate

Our application successfully passed a grey box penetration test carried out by Cyberglobal. We passed every test and were awarded the prestigious CREST certificate, guaranteeing the highest product security and adherence to market-standard security best practices.

End-to-end encryption

Every file is encrypted on your device before it leaves. Keys never leave the client. What reaches our servers is just encrypted data — unreadable to us and anyone else.

Zero Knowledge

We cannot read your data. We have no keys, no backdoors, no magic "reset button" to access your content. It's a technical constraint, not a marketing promise.

Zero Trust architecture

No user, system or service gets implicit access. Every request is authenticated, authorized and logged. The principle is simple: trust nothing, verify everything.

01

What "end-to-end" means to us

Encryption happens on your device — plaintext never travels. When you upload a file, the browser or app turns it into encrypted data using a key only you hold. When you download it, the reverse happens. In between there's no moment our servers can read the content.

  • Industry-standard algorithms (AES-256-GCM for data, RSA/ECC for keys).
  • Private keys stay on your device — never on our servers.
  • Sensitive metadata (folder names, structure) is also encrypted client-side.
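
The flow described in this section, sketched with the WebCrypto API as an added example; it is not the vendor's code. The function names, the choice of RSA-OAEP for key wrapping, the 3072-bit modulus and the sample file are assumptions made for illustration.

```javascript
// Added illustration, not the vendor's code. In a browser `crypto` is a global;
// the require() fallback only covers older Node runtimes.
const wc = globalThis.crypto ?? require('node:crypto').webcrypto;
const enc = new TextEncoder(), dec = new TextDecoder();

// Device key pair (RSA-OAEP is an assumption). The private key is non-extractable.
async function makeDeviceKeys() {
  return wc.subtle.generateKey(
    { name: 'RSA-OAEP', modulusLength: 3072, publicExponent: new Uint8Array([1, 0, 1]), hash: 'SHA-256' },
    false, ['wrapKey', 'unwrapKey']);
}

// Upload path: fresh AES-256-GCM data key per file, fresh 96-bit IV per message,
// file name encrypted as well. Only the returned object would reach the server.
async function encryptForUpload(publicKey, name, bytes) {
  const dataKey = await wc.subtle.generateKey({ name: 'AES-GCM', length: 256 }, true, ['encrypt']);
  const seal = async (plain) => {
    const iv = wc.getRandomValues(new Uint8Array(12));
    const ct = new Uint8Array(await wc.subtle.encrypt({ name: 'AES-GCM', iv }, dataKey, plain));
    return { iv, ct };
  };
  return {
    name: await seal(enc.encode(name)),
    body: await seal(bytes),
    wrappedKey: await wc.subtle.wrapKey('raw', dataKey, publicKey, { name: 'RSA-OAEP' }),
  };
}

// Download path: unwrap the data key locally, then decrypt. The GCM tag check
// makes decryption fail if the stored ciphertext was modified.
async function decryptDownload(privateKey, blob) {
  const dataKey = await wc.subtle.unwrapKey('raw', blob.wrappedKey, privateKey,
    { name: 'RSA-OAEP' }, 'AES-GCM', false, ['decrypt']);
  const open = async ({ iv, ct }) =>
    new Uint8Array(await wc.subtle.decrypt({ name: 'AES-GCM', iv }, dataKey, ct));
  return { name: dec.decode(await open(blob.name)), bytes: await open(blob.body) };
}

// Constructed sample: round-trip one file, then flip a stored bit and retry.
async function demo() {
  const { publicKey, privateKey } = await makeDeviceKeys();
  const blob = await encryptForUpload(publicKey, 'payroll/2024.csv', enc.encode('constructed sample data'));
  const back = await decryptDownload(privateKey, blob);
  blob.body.ct[0] ^= 1; // simulate modification in storage
  const tamperRejected = await decryptDownload(privateKey, blob).then(() => false, () => true);
  return { name: back.name, text: dec.decode(back.bytes), tamperRejected, storedLen: blob.body.ct.length };
}
```

Call `demo()` to run the round trip; the stored body is the plaintext length plus the 16-byte GCM tag, and the server-side object contains no key that can open it.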
02

Where your data lives

S3-compatible storage, exclusively in European data centres, with multi-zone replication. Data is encrypted at rest (with the customer's key) and in transit (TLS 1.3). No non-EU transfers, ever.

  • 100% EU infrastructure — GDPR and NIS2 compliance by design.
  • Multi-AZ geographic replication with 99.99% availability SLA.
  • Additional at-rest encryption on top of client-side E2E encryption.
03

Who can see what

The workgroup is isolated. External guests only see folders they've been invited to — the rest of the organization is completely invisible to them. Permissions are granular (read, upload, download, chat) and links can have passwords and expiry dates.

  • Per-folder permissions, not workspace-wide.
  • Links with automatic expiry and instant revocation.
  • Signed audit log of accesses, shares and edits — exportable for GDPR audits.
04

Compliance and certifications

We build the product around European regulations, not as a compliance layer added later. GDPR, NIS2, AGID — requirements are baked into the architecture, not into a checklist.

  • GDPR — zero non-EU transfers, DPA available for all business plans.
  • NIS2 — compatible with requirements for essential and important entities.
  • Grey box penetration testing by Cyberglobal, an independent third party — CREST certificate issued.
05

What happens if you delete your account

You have 30 days to export all your data. After that, it's permanently deleted from our replicas. Since it's end-to-end encrypted, even residual backups are unreadable without the customer's keys — which are destroyed when the account is closed.

06

What we DON'T do

Transparency also means listing what we cannot or will not do:

  • We don't read your files — we can't, even if we wanted to.
  • We don't sell data to third parties, don't use it to train AI models, don't profile you.
  • We don't keep "master keys" or privileged access to content.
  • We don't move data outside the EU — not for backups, not even temporarily.

Specific technical questions?

For DPA requests, internal audits, SSO integrations or industry-specific compliance requirements, get in touch. We reply within 24 working hours.