Docs Security Terms

Security Architecture

How we keep your data completely inaccessible to everyone except you.

How Encryption Works

When you type your secret into SecLink, the encryption happens entirely inside your browser before the data is ever sent over the internet. We use the Web Crypto API, a highly secure standard built directly into modern browsers.

When you click "Create Secure Link", your browser generates a random cryptographic key. It then uses this key to scramble your secret into an unreadable "blob" of data using AES-256-GCM encryption. The server only receives this scrambled blob. The key itself is placed in the link after the # symbol. Because web browsers never send anything after the # to the server, the server never sees the key.

Why Zero-Knowledge Matters

Zero-knowledge means we literally do not possess the ability to read your data. Even if a rogue employee or a hacker compromised our servers, they would only find scrambled, meaningless text. Without the key (which is only on the link you shared with the recipient), the data is impossible to decrypt.

What We DO Store

  • The Encrypted Blob: The scrambled text of your secret.
  • Initialization Vector (IV): A random string needed for AES-256 decryption.
  • Metadata: Expiration times and view limits.
  • Passcode Hashes: If you use a passcode, we store an irreversible mathematical hash of it to verify access, not the passcode itself.

What We NEVER Store

  • The Plaintext Secret: We never see your raw, unencrypted message.
  • The Decryption Key: Keys remain entirely on your device and the link.
  • Your IP Address: We securely hash all IP addresses to prevent abuse without tracking your identity.

Our Threat Model

We actively protect against: Server compromises, database leaks, man-in-the-middle attacks, malicious employees, brute-force access attempts, and network snooping.

What We DON'T Protect Against

We cannot protect against a compromised receiver device. If the person you are sending the link to has malware, a keylogger, or a compromised browser, their device could steal the secret after they decrypt it. SecLink ensures safe transit, but the endpoints must be trusted.

Security Contact

If you believe you have found a security vulnerability in SecLink, please contact us immediately at security@datafort.cloud. We take all reports seriously.

Note: No professional security audit has been conducted yet. While we follow industry-standard cryptography practices, use at your own risk.