Security

The whole project is based on a simple premise: The less we know, the better.

All messages are stored encrypted using AES-256, using a 512 bit password hash.
After a secret has been viewed, we delete it permanently from our database. There is no backup.
If a password is provided, we use it to encrypt your secret on the client - in other words, there is no way of decrypting your message, since we don't even store a hash of your password. Even with the most advanced attacks (e.g. man in the middle attack) or access to all our infrastructure an attacker couldn't read your message.
As little third-party code as possible. No Google, no Facebook, no cookies, no tracking.
All code is open-source on Gitlab. Dependencies are updated regularly.

We chose industry leaders to host our infrastructure: