Frequently asked

Security FAQ

Direct, technical answers. If you want the reasoning behind any of these, the linked Trust Center pages go deeper.

What does zero-knowledge mean at DRIVUNO?+

Your files and most metadata are encrypted on your device before upload. DRIVUNO servers store opaque ciphertext and sealed key envelopes. We have no technical capability to read your content.

Where are my keys stored?+

On your device only. Your password derives your master key locally via Argon2id. We never transmit, store, or escrow your password or master key.

If DRIVUNO is hacked, what's exposed?+

Ciphertext, sealed envelopes, and operational metadata (account email, sizes, timestamps). Plaintext content cannot be recovered from a server-side breach because it is never on the server.

Can DRIVUNO be compelled to hand over my files?+

We can produce only what we hold: ciphertext, sealed envelopes, and metadata. A lawful request that asks for plaintext content cannot be technically fulfilled.

What happens if I forget my password?+

If you have a Recovery Key, secondary email, or SMS factor configured, you can recover. If all factors are lost, the vault is permanently unrecoverable — by architectural design.

Can DRIVUNO reset my password?+

Into a new vault, yes. Into your existing vault, no — that would require key escrow, which we deliberately do not implement.

Is the encryption end-to-end?+

Yes for sharing flows (sender device to recipient device, no readable intermediate). And the storage layer is zero-knowledge, which is the stronger property for stored data.

What cryptographic primitives are used?+

Argon2id for password-based key derivation, XChaCha20-Poly1305 for content encryption, X25519 for key agreement, Ed25519 for signing manifests, SHA-256 for ciphertext integrity, and HMAC-SHA-256 for blind-index search.

Are public share links zero-knowledge?+

Yes. The share decryption key lives only in the URL fragment (after the #), which browsers never send to servers. Optional layers (password, expiration, one-time view, watermark) are enforced on top.

Do you use my files to train AI models?+

No. We cannot — your files are encrypted client-side. Even if we wanted to, we would have nothing readable to feed a model.

Do you scan files for content moderation?+

No. Scanning would require plaintext, which we do not have. Abuse handling for shares is metadata- and report-driven.

Where is data hosted?+

EU primary, with failover capacity. See the infrastructure page for details and the sovereignty page for the regional roadmap.

Have you been audited?+

External cryptography review is in progress; a full penetration test follows on the roadmap. We publish dated commitments — see /security/roadmap.

How do I report a vulnerability?+

Email security@drivuno.com or follow the coordinated disclosure policy at /security/disclosure. Safe-harbor terms included.

How long do you retain metadata?+

See the metadata policy for field-by-field retention. Operational logs 90 days, audit logs for the account lifetime, share view IP hashes 24 hours.

Don't see your question? Email security@drivuno.com.

Encrypted on your device · upload in 1 click
Upload