Built on client-side encryption, zero-knowledge storage, and strict security best practices.
Before anything leaves your browser, your note is encrypted using AES-GCM (256-bit). The encryption key and initialization vector (IV) are generated locally and never transmitted to our servers.
We store only the encrypted ciphertext—you retain sole access to the decryption key. Even in the unlikely event of a data breach, your plaintext remains inaccessible.
Read-Once: Automatically deletes after the first successful decryption.
Timed: Choose 1 hour, 1 day, or 1 week expiry.
All notes are purged from our database one week after they expire to maintain hygiene.
Content Security Policy (CSP): Restricts script and asset sources to trusted origins; loaded assets are additionally pinned with Subresource Integrity (SRI) hashes.
Strict-Transport-Security (HSTS): Ensures all communication uses HTTPS.
Referrer Policy: Disallows sharing of sensitive referrer data.
AWS VPC: Database hosted in a private subnet with no public exposure.
AWS Secrets Manager: Credentials accessed at runtime using least-privilege IAM roles.
Rate Limiting: Throttles create/fetch requests using Flask-Limiter to prevent abuse.
We share essential security guarantees—like encryption methods and expiry policies—while withholding sensitive implementation details.
No ads, tracking scripts, or third-party analytics. We never store your decryption keys or plaintext on our servers. Minimal, anonymized logging solely for uptime and error tracking.