TRANSPARENCY REPORT

Exactly what's encrypted and what's not

No exceptions - every field, every algorithm, every limitation. No marketing here, just engineering facts.

Message Content

ENCRYPTED: Dead Drop message content
RSA-OAEP 2048 + AES-256-GCM

Encrypted on the sender's device, decrypted on the recipient's device. The message body is encrypted under a fresh AES-256-GCM key and that key is wrapped with the recipient's 2048-bit RSA-OAEP public key (envelope encryption); the server only ever relays ciphertext.

ENCRYPTED: File attachments
AES-256-GCM

Encrypted before upload to storage.

ENCRYPTED: OTP / Secure Channel
PBKDF2 (310K iterations) + AES-256-GCM

The OTP is stored only as a SHA-256 hash; the content key is derived from the OTP itself with PBKDF2. Caveat: a key derived from an OTP is only as strong as the OTP. A short numeric code has a small guess space, so PBKDF2 raises the cost of offline guessing against a leaked ciphertext but cannot make a low-entropy OTP strong; limiting OTP attempts matters as much as the KDF.

Sensitive DB Fields

ENCRYPTED: PII fields (name, email, phone, address)
AES-256-GCM (field-level)

Field-level encrypted in Supabase; the key is held in GCP, not in the database.

HASHED (not encrypted): Admin passwords
scrypt (N=16384, r=8, p=1, keylen=64)

Hash + 32-byte salt stored in the DB. Cannot be reversed; a login is checked by re-running scrypt with the stored salt and comparing the result in constant time.

HASHED (not encrypted): Device tokens
SHA-256 hash

Only the hash is stored in the DB; the original token exists only on the device. An unsalted hash is adequate here only because the token is a random value too large to enumerate, which also lets the hash double as the lookup key.

HASHED (not encrypted): IP addresses
SHA-256 hash

Only the hash is stored; the raw IP is never persisted. Caveat: the IPv4 space has only 2^32 values, so a plain SHA-256 of an address can be reversed by enumeration. Treating the stored value as pseudonymous requires keying the hash (HMAC with a server-side secret); an unkeyed hash only prevents casual reading.

Infrastructure

ENCRYPTED: Environment variables (production)
Vercel encryption at rest

Vercel manages env var encryption; Vercel is SOC 2 Type II certified.

⚠️ Vercel employees can theoretically access these values.

ENCRYPTED: Critical encryption keys
GCP Secret Manager

Served from Cloud Run in me-west1 (Tel Aviv, Israel), on infrastructure separate from Vercel.

ENCRYPTED: DB connection strings
Vercel + Supabase encrypted

Managed by Vercel Marketplace auto-provisioning.

What's NOT Encrypted

NOT ENCRYPTED: Session identifiers (session_id)

Random UUIDs; they contain no sensitive information and are used for state management.

NOT ENCRYPTED: Timestamps

Audit log and tracking; required for SOC 2 compliance.

NOT ENCRYPTED: Action types

"encrypt", "scan", "fix", without the content of the action itself.

NOT ENCRYPTED: Action counts

"79 fixes", without detail of what they were.

NOT ENCRYPTED: Static assets (JS, CSS, images)

Public files; TLS in transit, CDN cached.

HTTP Security Headers

All the following headers are active on every server response:

Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
Content-Security-Policy: default-src 'self'; frame-ancestors 'none'; ...
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: camera=(self), microphone=(self), geolocation=(self)
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Embedder-Policy: credentialless
Cross-Origin-Resource-Policy: same-origin
X-DNS-Prefetch-Control: off
X-Permitted-Cross-Domain-Policies: none
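A claim like "active on every server response" is only worth something if it is checked. The following is an added example (not the project's own code) that turns the header list above into a policy and audits a response against it, reporting headers that are missing or set to a different value. For Content-Security-Policy only the two directives shown on the page are checked, since the rest is elided there; the sample responses are constructed for the demo, and `auditUrl` assumes Node 18+ for the global `fetch`.

```javascript
// Added example, not the project's own code. Header policy and audit.

// Expected values as listed on the page. Names are lower-case because HTTP
// header names are case-insensitive and fetch() normalises them that way.
const EXPECTED_HEADERS = {
  'strict-transport-security': 'max-age=63072000; includeSubDomains; preload',
  'content-security-policy': (v) => hasDirective(v, "default-src 'self'") && hasDirective(v, "frame-ancestors 'none'"),
  'x-content-type-options': 'nosniff',
  'x-frame-options': 'DENY',
  'referrer-policy': 'strict-origin-when-cross-origin',
  'permissions-policy': 'camera=(self), microphone=(self), geolocation=(self)',
  'cross-origin-opener-policy': 'same-origin',
  'cross-origin-embedder-policy': 'credentialless',
  'cross-origin-resource-policy': 'same-origin',
  'x-dns-prefetch-control': 'off',
  'x-permitted-cross-domain-policies': 'none',
};

// CSP directives are ';'-separated. Compare whole directives, not substrings,
// so "default-src 'self' https:" does not pass as "default-src 'self'".
function hasDirective(csp, directive) {
  return csp.split(';').map((d) => d.trim().replace(/\s+/g, ' ')).includes(directive);
}

// Accepts a plain object or a fetch() Headers instance.
function auditHeaders(headers) {
  const got = new Map();
  const entries = typeof headers.entries === 'function' ? headers.entries() : Object.entries(headers);
  for (const [name, value] of entries) got.set(name.toLowerCase(), String(value).trim());

  const missing = [];
  const mismatched = [];
  for (const [name, expected] of Object.entries(EXPECTED_HEADERS)) {
    if (!got.has(name)) { missing.push(name); continue; }
    const value = got.get(name);
    const ok = typeof expected === 'function' ? expected(value) : value === expected;
    if (!ok) mismatched.push({ name, value });
  }
  return { ok: missing.length === 0 && mismatched.length === 0, missing, mismatched };
}

// Live check against a deployment (assumes Node 18+ global fetch). Not run in the demo.
// redirect: 'manual' matters: a redirect response must carry the headers too.
async function auditUrl(url) {
  const res = await fetch(url, { method: 'HEAD', redirect: 'manual' });
  return auditHeaders(res.headers);
}

// Constructed sample responses: one matching the policy, one that drops COEP
// and weakens X-Frame-Options.
function compliantSample() {
  return {
    'Strict-Transport-Security': 'max-age=63072000; includeSubDomains; preload',
    'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'",
    'X-Content-Type-Options': 'nosniff',
    'X-Frame-Options': 'DENY',
    'Referrer-Policy': 'strict-origin-when-cross-origin',
    'Permissions-Policy': 'camera=(self), microphone=(self), geolocation=(self)',
    'Cross-Origin-Opener-Policy': 'same-origin',
    'Cross-Origin-Embedder-Policy': 'credentialless',
    'Cross-Origin-Resource-Policy': 'same-origin',
    'X-DNS-Prefetch-Control': 'off',
    'X-Permitted-Cross-Domain-Policies': 'none',
  };
}

function weakenedSample() {
  const h = compliantSample();
  delete h['Cross-Origin-Embedder-Policy'];
  h['X-Frame-Options'] = 'SAMEORIGIN';
  return h;
}
```

Run `auditUrl` against the error pages, redirects and API routes as well as the home page; "every server response" is the claim, and those paths are where headers most often go missing.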

Cryptographic Standards

AES-256-GCM: content and field encryption (FIPS 197 / NIST SP 800-38D)
RSA-OAEP 2048-bit: wrapping the per-message content key (RSA-OAEP is specified in RFC 8017, PKCS #1 v2.2; the 2048-bit size follows NIST SP 800-57 key-length guidance)
PBKDF2 (310K iterations): key derivation from the OTP (NIST SP 800-132; 310,000 was OWASP's 2021 figure for PBKDF2-HMAC-SHA256, and its current guidance is 600,000)
scrypt (N=16384): admin password hashing (RFC 7914)
SHA-256: hashing tokens, IPs, OTPs (FIPS 180-4)
HMAC-SHA256: integrity verification of receipts (RFC 2104)
crypto.timingSafeEqual: constant-time comparison, prevents timing side channels (CWE-208)
crypto.getRandomValues: token and IV generation (Web Crypto API)