We can't read your stuff.
End-to-end encryption means your content is encrypted before it leaves your device. We store ciphertext. Without your key, it's mathematical noise.
The short version
What we can see
- Your email address
- Who you're connected to
- When you last posted (timestamps)
- Storage usage
What we can't see
- Your posts, messages, questions
- Your notes about friends
- Your dreams and goals
- Photos you share
Encryption in detail
All user content — posts, messages, vault notes, dreams, questions, and media — is encrypted using XChaCha20-Poly1305, a modern authenticated encryption algorithm. This happens in your browser before any data is transmitted.
Key exchange uses X25519 (Curve25519) for perfect forward secrecy. Each conversation gets unique keys, so even if one key were somehow compromised, it wouldn't unlock other conversations.
Your master key is derived from your password using Argon2id, a memory-hard algorithm designed to resist brute-force attacks. We don't store your password — only a hash that lets us verify you're you without knowing what you typed.
Zero-knowledge architecture
Our servers store encrypted blobs. They don't know — and can't determine — what's inside them. Decryption only happens on your device, using keys we never see.
This means:
- A database breach would yield only encrypted data
- A rogue employee couldn't read your content
- A government subpoena would get ciphertext, not content
- We can't be compelled to show what we don't have
What metadata we have
We're honest about what we can see. To make the app work, we need some metadata:
- Account info: Email, display name, avatar (if uploaded)
- Social graph: Who you're connected to (needed to route messages)
- Timestamps: When posts were created (needed for sorting)
- Size data: How many posts, storage used (needed for limits)
We can see that you sent a message to Alex on Tuesday. We can't see what it said.
Infrastructure
We self-host on dedicated servers in Europe (Germany), subject to GDPR. No cloud functions reading your data. No third-party analytics. No tracking pixels.
All connections use TLS 1.3. The database is encrypted at rest, and connections to it are encrypted in transit. Backups are encrypted with keys we control and contain only your already-encrypted data.
Ongoing security
Security isn't a feature you ship once. It's a practice.
- Code review: All changes reviewed before deployment
- Dependency scanning: Automated alerts for vulnerable packages
- Audit logging: Track administrative access
- Incident response: Documented procedures, notification commitment
When we've completed our first third-party security audit, we'll publish the results here.
The trade-off
End-to-end encryption has a cost: if you lose your password and recovery key, your data is gone. We can't recover it because we can't decrypt it.
This is the price of real privacy. We think it's worth it.
Questions about our security? We're happy to explain further.