Security

We never see your secrets.

doconvoy is built around a simple guarantee: your data is encrypted before it leaves your device, and our servers only store ciphertext we cannot read. This is an architectural property, not a policy.

End-to-end encrypted

Secrets are encrypted in your browser using AES-256-GCM before transmission. Decryption happens in the recipient's browser.

Client-side key management

Encryption keys are generated and managed on your device. The key is embedded in the share URL fragment — which browsers never send to servers.

Zero-trust design

Even a full compromise of our infrastructure would not expose your secrets. We don't have the keys needed to decrypt them.

Metadata separation

We store access timestamps, view counts, and audit events — but never the content of secrets or submissions.

What we don't claim

We don't have SOC 2, HIPAA, or ISO 27001 certifications at this stage. We're transparent about our current posture and provide the encryption infrastructure, audit trail, and documentation tools needed for organizations that need to demonstrate responsible data handling.

Responsible Disclosure

How to report a security vulnerability responsibly.