Security & Trust

Last updated: 24 June 2026. We aim to describe our actual security model plainly, including its limits.

Encryption at rest

Every file is encrypted with AES-256 before it is stored. Each file uses its own key, derived from a per-file random salt combined with a server-side secret. The encrypted file and its key material are stored separately from that secret, so the stored data is not usable on its own.

Important and honest: this is server-side encryption, not end-to-end or "zero-knowledge" encryption. Because our servers hold the secret, the service can decrypt your files to stream and deliver them back to you. We access file contents only as needed to operate the service (for example streaming and downloads) or where required by law. If you need encryption that even the operator cannot read, encrypt your files yourself before uploading.

Encryption in transit

All connections use HTTPS with TLS 1.2 or higher. HSTS is enabled so browsers refuse to connect over plain HTTP.

Where your data lives

Encrypted file blobs are stored on Telegram's infrastructure; account information and file metadata are stored in our managed database. See Sub-processors for the full list and locations.

Account protection

• Passwords are hashed with bcrypt; we never store them in plain text for new accounts.
• Sign-in supports Google, GitHub, and passwordless email-link verification, plus a password you control.
• Sessions are HttpOnly cookies with a limited lifetime and a device cap; changing your password signs other devices out.
• Forms are protected against cross-site request forgery, and sign-in endpoints are rate-limited.

What is public and what is not

Files in your account are private and are not indexed. Only files you place in your Shareable Folder become reachable at a public link on the share subdomain. Do not place anything in that folder that you do not want to be public.

Operator access and abuse handling

Access to production systems is limited to the operator. We act on valid legal process and on abuse reports, including copyright notices under our DMCA policy and our Acceptable Use Policy.

Data breach process

If a personal data breach occurs that is likely to present a risk, we will notify the competent supervisory authority within 72 hours where required (Art. 33 GDPR) and inform affected users without undue delay when the risk is high (Art. 34 GDPR).

Responsible disclosure

If you discover a vulnerability, please report it to us privately through the contact details in our Impressum before any public disclosure, and give us reasonable time to fix it. We appreciate good-faith research and will not pursue researchers who follow this policy.

Your part

• Use a strong, unique password and keep your email account secure.
• Sign out on shared devices.
• Encrypt highly sensitive files yourself before upload if you need protection from the operator.