All secrets are end-to-end encrypted using AES-256-GCM. The encryption key is generated on your device and embedded in the link — it never reaches our servers. Without the full URL, nobody — including us — can decrypt your message.
Optional password protection adds a second encryption layer. Even with full access to our infrastructure, an attacker cannot read your secret. After a secret is viewed, it is permanently deleted. No backups.
Security by Design
Zero Trust Architecture
We assume no entity — internal or external — is inherently trustworthy. Every request is verified.
End-to-End Encryption
Secrets are encrypted on your device before transmission using AES-256-GCM. The server never sees plaintext.
Minimal Attack Surface
We limit services, entry points, and dependencies to reduce exposure. Less complexity means fewer vulnerabilities.
Regular Updates
Dependencies are kept up to date and monitored for known CVEs to close vulnerabilities before they can be exploited.
Full Transparency
All code is open-source on GitHub. Anyone can audit the implementation.
Automated Security Testing
Automated tools scan for vulnerabilities in dependencies on every push. Issues are caught before they reach production.
Infrastructure
We rely on a small number of trusted, audited providers — no unnecessary third parties.
| Provider | Role | ISO 27001 | GDPR | SOC 2 Type II |
|---|---|---|---|---|
| Vercel Inc. | Website & API hosting | | | |
| Neon Inc. | Postgres database | | | |
| Flow Swiss AG | Object storage (files) | | | |
Responsible Disclosure
Security is a priority for us — if you spot a vulnerability, we'd appreciate a responsible disclosure to security@scrt.link so we can patch it before users are impacted. Helpful reports outline the issue and its potential impact, how to reproduce it, and any supporting proof-of-concept code or screenshots.