Trust at DRIVUNO

Trust Center

DRIVUNO is engineered so the people who run it cannot read what you store on it. This page is the canonical entry point to our architecture, policies, and transparency commitments.

Client-side encryption

Argon2id derives your master key from your password locally. Every file is sealed with XChaCha20-Poly1305 before it ever leaves your device.

Zero-knowledge architecture

Our servers store ciphertext, sealed envelopes, and minimal metadata. No password, no master key, no plaintext is ever transmitted.

User-controlled keys

Keys are derived and stored on your device. Recovery factors wrap (not escrow) your master key, so only you can ever unwrap it.

Defense in depth

Strict CSP with violation reporting, Postgres Row-Level Security, append-only audit log, ciphertext integrity hashing, signed manifests.

Provider-agnostic by design

Storage providers see encrypted blobs only. Failover playbooks let us switch providers without exposing user content.

Transparency by default

Public security changelog, signed advisories, vulnerability disclosure policy, and a roadmap with dates we hold ourselves to.

Browse the Trust Center

Every commitment we make is documented in plain English. Pick a topic — we wrote each page for someone who wants to verify, not just be reassured.

Security Philosophy
Security Architecture
Encryption Explained
Threat Model
Whitepaper
Metadata Policy
Infrastructure & Providers
Subprocessors
GDPR & Compliance
Vulnerability Disclosure
Incident Response
Security Changelog
Security Roadmap
Uptime & Status
Glossary
FAQ

Frequently asked

What does zero-knowledge mean at DRIVUNO?+

Your files and most metadata are encrypted on your device before upload. DRIVUNO servers store only opaque ciphertext and sealed key envelopes. We have no technical capability to read your content.

Can DRIVUNO recover my password?+

No. We do not store, derive, or escrow your password. Account recovery is only possible through factors you set up yourself: a Recovery Key, a secondary email, or SMS — wrapped against your master key on the client.

What happens if DRIVUNO is hacked or compelled to hand over data?+

We can only produce what we hold: encrypted blobs, sealed envelopes, and minimal operational metadata. Plaintext content is never on our servers and cannot be retrieved by us, an attacker, or any third party.

Is DRIVUNO end-to-end encrypted, or zero-knowledge?+

Both. End-to-end describes the transport (encrypted in your browser, decrypted in the recipient's browser). Zero-knowledge describes the architecture (the server has no keys, ever). See our Encryption Explained page.

Report a vulnerability: security@drivuno.com · security.txt

Encrypted on your device · upload in 1 click
Upload