Security by Design, Not by Policy.
We don't ask you to trust our employees.
We ask you to trust the AES-256-GCM math that makes it impossible for us to read your data.
The Zero Knowledge Architecture
1. Your Browser
Secrets are encrypted locally using the Web Crypto API. The decryption key is generated here and never leaves.
2. Our Server
We store only the ciphertext (AES-GCM output). We cannot decrypt it because we never see the key (it's in the URL fragment #).
Cryptography Specs
We use industry-standard algorithms verified by the Web Crypto API. We do not roll our own crypto.
- Encryption Algorithm: AES-256-GCM (Galois/Counter Mode). NIST SP 800-38D Compliant.
- Key Derivation: PBKDF2 (SHA-256). 100,000+ Iterations for Passwords.
- Initialization Vector (IV): 12 Bytes (96-bit) Random IV. Unique for every single encryption.
Infrastructure & Ops
Our security extends beyond code to our infrastructure and operational processes.
- ISO 27001 Certified Hosting (Vercel / Hostinger)
- Strict Content Security Policy (CSP)
- Automated Dependency Scanning (npm audit)
- Zero Analytics on Secrets (We trace usage, not data)
Data Lifecycle & Compliance
1. Ephemeral Storage
We do not want your data. All secrets have a strict Time-To-Live (TTL). Once expired, a scheduled worker hard-deletes the encrypted blob from our database.
2. Burn-on-Read
For "One-Time" secrets, the database record is nuked the instant it is accessed. Even if we wanted to restore it from a backup, the decryption key (which was in the URL) would be gone.
3. GDPR & Privacy
Since we cannot decrypt your content, we cannot "process" PII within secrets. We are a Blind Processor. We only store metadata (IP hash, timestamp) for abuse prevention.
CISO / Security FAQ
What happens if your database is compromised?
The attacker would receive useless encrypted blobs. Since the decryption keys are stored in the URL fragment (which is never sent to our servers), we do not possess the keys to decrypt the data, and therefore an attacker cannot steal them from us.
Do you have access to the secrets?
No. Our architecture is Zero Knowledge. The encryption happens in your browser before the data ever touches the network. We simply store the encrypted result.
How long do logs persist?
Application logs differ from Secret data. Secrets have a strict TTL (Time To Live) and are hard-deleted from the database upon expiry or viewing (for one-time secrets). Access logs are retained for 30 days for security auditing purposes but contain no PII or secret context.
Found a Vulnerability?
We take security reports seriously. If you have found a vulnerability in EnvShareApp, please report it immediately. We practice responsible disclosure.
Report a Security Issue