Public commitment · Updated May 2026
Security Roadmap
Concrete commitments rather than marketing. Dates are best estimates and can slip; if they do, we update this page. We list only items we intend to actually deliver.
- shippedClient-side encryption (Argon2id + X25519 + XChaCha20-Poly1305)All file content and most metadata encrypted on the user's device before upload.Target: Q1 2026
- shippedZero-knowledge public sharingEphemeral X25519 share key, decryption key lives only in URL fragment.Target: Q1 2026
- shippedPasskeys (WebAuthn) and TOTP MFAHardware-backed second factor and standard TOTP for accounts that prefer it.Target: Q1 2026
- shippedAppend-only audit log with database-level immutabilityAll security events recorded; UPDATE/DELETE blocked by trigger.Target: Q1 2026
- shippedRecovery key + secondary channels (email / SMS)Three-way master-key wrapping. We recommend enabling at least two factors.Target: Q1 2026
- shipped30-day trash + 30-day account deletion grace periodHard delete only after cooling-off and after audit trail confirmation.Target: Q1 2026
- shippedGeographic anomaly detection on new sessionsNew session from a previously unseen country logs a warning-severity event.Target: Q2 2026
- shippedCiphertext SHA-256 integrity hashVerify-before-decrypt at download time; integrity alerts on mismatch.Target: Q2 2026
- shippedEd25519 manifest signaturesPublic share and protected message manifests signed and verified client-side.Target: Q2 2026
- shippedStrict Content Security Policy with violation reportingscript-src 'self', no inline scripts in the runtime, dedicated /api/public/csp-report sink.Target: Q2 2026
- in progressExternal cryptography reviewCoordinated engagement with an independent reviewer focused on key wrapping and recovery.Target: Q3 2026
- in progressStep-up authentication for sensitive actionsDisable 2FA, GDPR export, account deletion, and recovery management gated by fresh proof of possession.Target: Q3 2026
- in progressRecovery health check + emergency kit PDFPeriodic prompt when fewer than two recovery factors are configured, plus a printable recovery package.Target: Q3 2026
- plannedHardware key attestation for device trustBind devices to FIDO2 attestation, surface device trust level in the dashboard.Target: Q4 2026
- plannedFull external penetration testIndependent firm; scope covers backend RPCs, RLS, and crypto integration.Target: Q4 2026
- plannedReproducible builds with public attestationsPublish build hashes signed by our release process.Target: Q4 2026
- plannedConfigurable audit-log retention windowsUser-facing setting to expire non-security audit events on a chosen schedule.Target: Q1 2027