Security Policy

Last updated: March 12, 2026

1. Zero-Knowledge Architecture

Cryple is built from the ground up as a zero-knowledge service. Our mathematical models guarantee that no employee, administrator, or attacker compromising our servers can read your stored secrets, credentials, or notes.

We operate strictly under the following policy:

  • Your master password never leaves your browser window.
  • All encryption/decryption happens locally on your device before transmission.
  • We only store randomly generated salts, ECDSA public keys, and cryptographically hashed payloads.

2. Cryptography Practices

We leverage industry-standard cryptographic tools:

  • Authentication: PBKDF2 with a high iteration count (100,000+) on the client side; the result is then hashed with bcrypt upon reaching the server.
  • Signing: Asymmetric public/private key-pairs (ECDSA P-256) are generated client-side to sign background token challenges.
  • Data Storage: Files and credentials are encrypted on the client device using AES-256-GCM.

3. Infrastructure Protection

Our server infrastructure is protected against attack by strict engineering limits:

  • Rate limiting is heavily enforced across all API ingress nodes to prevent brute-forcing.
  • We use atomic single-use nonce locking to prevent replay attacks in all sensitive background JWT refresh flows.
  • Database volumes and object storage buckets are encrypted at rest via our cloud providers.
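
One way a server can implement the atomic single-use nonce check described above, as an added example that is not Cryple's own code. The SQLite table, its column names and the function names are assumptions made for illustration.

```python
import secrets
import sqlite3
import threading
import time


def open_db(path):
    # Autocommit mode: every statement is its own transaction.
    return sqlite3.connect(path, timeout=5, isolation_level=None)


def init_db(db):
    # Hypothetical schema: one row per issued refresh nonce.
    db.execute("CREATE TABLE nonces (nonce TEXT PRIMARY KEY, "
               "expires_at REAL NOT NULL, used INTEGER NOT NULL DEFAULT 0)")


def issue_nonce(db, ttl_seconds=60.0):
    """Store a fresh random nonce that may be redeemed once before it expires."""
    nonce = secrets.token_urlsafe(32)
    db.execute("INSERT INTO nonces (nonce, expires_at) VALUES (?, ?)",
               (nonce, time.time() + ttl_seconds))
    return nonce


def consume_nonce(db, nonce):
    """Return True for exactly one caller per nonce, False for every other."""
    # Check (unused, unexpired) and write (mark used) are a single UPDATE, so
    # two concurrent refresh requests cannot both pass the check.
    cur = db.execute("UPDATE nonces SET used = 1 "
                     "WHERE nonce = ? AND used = 0 AND expires_at > ?",
                     (nonce, time.time()))
    return cur.rowcount == 1


def replay_race(path, nonce, workers=8):
    """Constructed scenario: the same nonce arrives in several requests at once."""
    results = []
    def attempt():
        conn = open_db(path)  # one connection per request thread
        results.append(consume_nonce(conn, nonce))
        conn.close()

    threads = [threading.Thread(target=attempt) for _ in range(workers)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results
```

A read-then-write version (SELECT the nonce, then UPDATE it in a second statement) leaves a window in which two requests both see the nonce as unused; the conditional UPDATE closes that window.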

4. Auditing & Open Source

We believe security requires transparency. Therefore, our target is an "Open Source Client" philosophy, meaning all client-side decryption logic is inspectable by security researchers before use.

We are presently undergoing internal security reviews ahead of formal independent third-party penetration testing.

5. Vulnerability Disclosure

If you discover a security issue or vulnerability, please report it immediately rather than disclosing it publicly. We are working on a Bug Bounty program, but in the meantime please contact our security team.

6. Contact Information

For urgent security disclosures, or questions regarding this policy, please reach out directly: contact@cryple.io or by mail at Cryple LLC, 30 N Gould St Ste R, Sheridan, WY 82801, USA.