πŸ”’

Privacy and Security

Your tasks are encrypted on your device with keys we never hold. Authorization is enforced by signatures, not database flags. This page tells you exactly what our servers can and cannot see.

πŸšƒ The trust boundary | What we don't claim πŸšƒ

πŸ—ΊοΈ

The Trust Boundary

Every task and comment is encrypted client-side before upload. What crosses the wire is ciphertext, signatures, and sealed keys. The server's job is not to read your data β€” it's to verify it.

Your devices

The Plaintext Zone

Tasks, comments, tags, and grant rules are readable here β€” and only here.
Keys are generated on-device; secrets live in a vault sealed under your passphrase.
All encryption and signing happens before anything leaves.
ciphertext β†’
signatures β†’
sealed keys β†’
← verified log
Our servers

The Ciphertext Zone

Every operation arrives cryptographically signed. We check the signature, the author's membership, and the author's capability chain before accepting a single byte into the log.
We store ciphertext, sealed keys, and the signed operation log. We hold no content keys.
πŸ›‘ The Publish Bridge
The one labeled gate out of the encryption boundary. Sharing a track beyond its encrypted membership is a per-track, explicit act. It never happens as a side effect.

The second deliberate exception is metadata: like every E2EE system, we see the shape of your activity even though we can't see its content. We enumerate exactly what below, instead of hoping you won't ask.

What Our Servers Can and Cannot See

Cannot See

Task and comment content
Any content-encryption key β€” DEKs or track KEKs
Your identity's secret keys β€” the vault is sealed with a key derived from your passphrase
Which repository or issue an automation watches β€” hidden behind an HMAC
The rule defining what an agent's grant covers

Can See

Track IDs, member public keys, and roles β€” the membership graph
Object counts, version counts, sizes, and timestamps
Which members and agents hold keys to which objects β€” but never the keys themselves
The signed operation log itself: who committed, when, and how much
Which item IDs an agent's grant was materialized onto

That right-hand column is our honest metadata disclosure. If your threat model requires hiding the membership graph itself, we're not there yet β€” and we'd rather tell you that here than in your pentest report.

πŸ”’

The Cryptography

Every AEAD invocation carries associated data pinning the ciphertext to its exact place in the system β€” a sealed key cannot be replayed across tracks, recipients, epochs, or purposes, because the AAD won't match.

Content encryption
AES-256-GCM Β· fresh random 256-bit key per item version Β· random 96-bit nonces Β· associated data binds every ciphertext to its track, item, version, and key epoch
Signatures
Ed25519 with strict verification Β· malleable and mixed-order-point signatures rejected
Key sealing to members
ECIES: ephemeral X25519 β†’ HKDF-SHA256 (domain-separated, bound to both public keys) β†’ AES-256-GCM Β· contributory-behavior check on the shared secret
Identity vault (passphrase β†’ key)
Argon2id Β· 64 MiB memory / 3 iterations Β· parameters frozen into the vault format
Hashing & integrity
SHA-256 Β· content-addressed ciphertext blobs, integrity verified on upload
Canonical encoding
Deterministic CBOR (RFC 8949 Β§4.2.1) for every signed or hashed structure β€” no signature ambiguity

The Key Hierarchy

Identity keys β€” Ed25519 + X25519, per user
Generated on-device. Secrets live in a vault encrypted under an Argon2id-derived key; the server stores the vault but cannot open it.
↓ seals
Track keys (KEKs) β€” 256-bit, per track per epoch
Sealed individually to each human member's sealing key. Removing a member bumps the epoch and re-seals in the same operation β€” no lazy rotation.
↓ wraps
Content keys (DEKs) β€” fresh per item version
A new random key for every version of every item, wrapped under the current track key β€” and sealed item-by-item to granted agents.
↓ encrypts
Your content β€” AES-256-GCM ciphertext
The only form in which tasks and comments ever reach our servers.

Who Can Decrypt What

An edge is a key you hold. A missing edge is ciphertext you can't read. Three tracks, three humans, one agent β€” trace any path yourself.

MEMBER DEVICES β€” the only place plaintext and unsealed keys exist
OUR SERVERS β€” sealed keys and ciphertext only
deploy-bot Β· service
own keypair Β· no KEK, ever
Alice Β· admin
Ed25519 sign Β· X25519 seal
Bob Β· member
Ed25519 sign Β· X25519 seal
Charlie Β· member
Ed25519 sign Β· X25519 seal
Launch β€” track KEK
sealed to Alice + Bob
Compliance β€” track KEK
sealed to Bob + Charlie
Alice / Private β€” KEK
sealed to Alice alone
Launch Β· task 2
DEK2 wrapped by KEK Β· also sealed to deploy-bot
Launch Β· task 1
DEK1 wrapped by Launch KEK
Compliance Β· task
DEK3 wrapped by Compliance KEK
Private Β· task
DEK4 wrapped by Private KEK
unseals β€” X25519 β†’ HKDF β†’ AES-GCM
unwraps DEK
per-item, per-version DEK grant only
a key you hold
per-item grant
no line β€” ciphertext you can't read
πŸ›‘ Charlie holds no edge into Launch β€” to him it's ciphertext.
πŸ›‘ Bob holds no edge into Alice / Private.
πŸ€– deploy-bot reaches one task β€” never a track key.
πŸ€–

Built for Agents β€” On Your Terms

For teams already deploying AI agents against real systems. You choose how much an agent sees β€” a full seat beside you or a single task β€” and either way, revoking it is one operation, not a key-rotation ceremony.

A full seat
Design and Build With You
Through the CLI, an agent can hold the same read and write access a member has over their tracks in the browser. Members can fully leverage their agents. Granular RBAC defines which tracks the member (and their agents) work in.
A single task
Scoped Down by Grant
Or, give agents fine permissions. Designated keypair, specific operations on specific items, read/write or read-only β€” not the track key. Content keys are sealed item by item, and the server rejects any commit that under- or over-shares them.
Admin control
Your Org, Your Standards
Org admins set the ceiling: disable CLI access entirely, configure granular RBAC per track, and layer enterprise controls like browser automation allowlists to meet your compliance bar. Revocation stays one op, no key rotation.

Every Chain Ends at a Human

Human admin
full track roles, self-issued root
β†’ delegates β†’
Agent
one grant, listed items, expiring capability

Capability tokens can only narrow or stay the same at each hop β€” never widen β€” and are verified server-side on every operation. The root must be signed by a human β€” agent authority is always auditable back to a person.

πŸš‰

Two Ways Aboard

A human member and a service agent join by different doors. One receives the track key; the other never does β€” follow either protocol step by step.

Adding a Human

member.add.v1 Β· Dana joins, sealed the track key
Dana β†’ Dana
Generates her Ed25519 + X25519 identity on her own device.
Dana β†’ Server
Stores a passphrase-encrypted key vault β€” opaque to us.
Alice β†’ Alice
Unseals the current KEK (epoch n) and seals it to Dana's public key. Older epochs are optional β€” including them is the explicit "does she get pre-join history?" decision.
Alice β†’ Server
Signed commit: member.add β€” roster row, sealed KEKs, her capability.
Server checks
Envelope signature Β· Alice is an active admin Β· the capability chain roots and only narrows Β· Dana's current-epoch KEK is present, no future epochs Β· state-root compare-and-swap.
Dana β†’ Server
Signs an HMAC challenge with her Ed25519 key β†’ a 24-hour session token, then fetches her sealed KEKs and the encrypted objects.
Dana β†’ Dana
Unseals the KEK β†’ unwraps DEKs β†’ reads the track. Plaintext exists only here.

Granting an Agent

grant.create.v1 Β· deploy-bot gets in β€” no KEK, ever
Alice β†’ Server
Signed commit: grant.create β€” the bot's public key, allowed op types, a read flag. The grant's selection rule stays encrypted; we never learn what it covers.
Alice β†’ Bot
Delegates a capability scoped to the grant β€” chained from her admin capability, attenuate-only, 1-day TTL.
Server rule
From now on, any commit touching granted items must seal a DEK to the bot β€” and to no one extra. Under- or over-sharing is rejected.
Alice β†’ Server
Her next write on a granted item: fresh DEK, wrapped by the KEK and sealed to the bot.
Bot β†’ Server
Challenge/response β†’ session token; fetches the item and its sealed DEK.
Bot β†’ Bot
Unseals the DEK β†’ decrypts that one item. It has no path to anything else.
Bot β†’ Server
Writes back: encrypts under a fresh DEK, seals it to every active human β€” it holds no KEK to wrap with. The server verifies the capability chain, grant liveness, op-type scope, and that the sealed-DEK set is complete.
Alice β†’ Server
Revocation: one grant.revoke commit. The bot's next request fails the liveness re-check β€” instant cutoff, no key rotation.
πŸ›‘ Removal Is the Mirror
Removing a human advances the track an epoch: a brand-new KEK is sealed to every remaining member, and the server verifies that re-seal batch is complete before accepting the removal β€” the leaver reads nothing written afterward. Removing an agent rotates nothing, because it never held the key.

We Can't Grep Our Own Database for Your Email

Email addresses are stored as AES-256-GCM ciphertext, with lookups going through a keyed blind index (HMAC-SHA256). Invitation addresses get the same treatment.
The blind-index key and the email-encryption key are separate keys β€” no primitive-crossing key reuse β€” sourced from a secrets manager, never from code or config files.
Fail-closed by design: if either key is missing at startup, the server logs the error and refuses to boot. There is no silent degraded mode for data protection.
πŸ‡ͺπŸ‡Ί

The Platform

A small, memory-safe surface served from EU infrastructure β€” the API, the crypto core, and the browser client share one memory-safe codebase.

No Data Processors, No Cookies
No third-party data processors touch your data, and we set no cookies β€” no analytics, no trackers. Compliance reviews are fast and simple.
Small, Contained API
One compact service, a hard 4 MiB request cap, per-uploader quotas with garbage collection, and content-addressed blobs verified on upload. Unauthorized blob reads return 404 β€” never confirming existence.
Guarded Egress
Outbound webhooks pass an SSRF filter: HTTPS only, with loopback, private, link-local, CGNAT, and reserved ranges blocked across IPv4, IPv6, and IPv4-mapped forms β€” at registration and at send time.
Strict Browser Policy
A Content-Security-Policy whose script allowlist is 'self' plus SHA-256 hashes of the exact shipped assets β€” no unsafe-inline, no unsafe-eval β€” alongside HSTS, nosniff, denied framing, and a strict referrer policy.
Supply Chain Analysis in CI
Every change is checked against a security advisory database in CI, with strict lints (warnings denied) and the full test suite.
Memory-Safe, Top to Bottom
A memory-safe language everywhere β€” the browser client compiles to WebAssembly from the same codebase. The class of memory-corruption CVEs behind most infrastructure exploits is off the table.
πŸ›‘

What We Don't Claim

You're evaluating a security product; here is the other side of the ledger, current as of July 2026.

No third-party audit or certification yet. No SOC 2, no ISO 27001, no external cryptographic review, and we do not sign BAAs. If you need those today, we're not ready for you yet β€” talk to us about timelines.
Metadata is visible. Membership graphs, activity timing, and object counts are not hidden from us β€” see the disclosure table above.
Rotation is forward-only. Member removal protects the future, not the past.
Found something? See /.well-known/security.txt. We answer researchers.

πŸšƒ Talk to us about timelines | Re-read the boundary πŸšƒ