Building trust in a zero-knowledge app: what to look for

You can’t verify our code from the app alone. Here’s what we do (and what to look for in any zero-knowledge product).

Inkrypt · Security Insights

Trust in a zero-knowledge app is hard: you’re told “we can’t see your data,” but how do you know? We don’t have a formal audit (yet), but we try to be transparent about design and behavior so you can reason about risk.

What to look for

  • Clear description of what’s encrypted and where (client vs server).
  • Use of standard crypto (e.g. AES-GCM, PBKDF2) and no “custom” ciphers.
  • No password recovery that would require the provider to decrypt.
  • Open design: the provider documents what it stores and how encryption works (we do).

What we publish

We describe the flow (password → KDF → key → encrypt in browser, send ciphertext). We name algorithms and parameters. You can inspect network traffic: you’ll see ciphertext and metadata, never plaintext or keys. That doesn’t prove we never log—but it’s the baseline we’d expect from any serious zero-knowledge product.