Complete Transparency

Privacy by design requires transparency by design. Here's exactly how EchoVaults protects your data and why we'll never compromise on your privacy.

We believe trust shouldn't require blind faith. Every technical decision, security measure, and privacy practice is documented here for your review and independent verification.

Architecture

Offline-First by Design

Every design decision prioritizes local control over convenience. Your data stays where it belongs — with you.

What We Do

  • Encrypt all data locally with AES-256-GCM
  • Store everything on your device only
  • Derive encryption keys from your master password using PBKDF2
  • Generate unique cryptographic salts for each entry
  • Allow you to export/import encrypted backups manually
  • Integrate with OS secure keychains (iOS Keychain, Android Keystore)
  • Open source our encryption implementation for audit

What We Never Do

  • Upload your data to any cloud service
  • Send data to our servers (We actually don't have one)
  • Require accounts, logins, or personal information
  • Collect analytics, crash reports, or usage statistics
  • Use cookies, tracking pixels, or fingerprinting
  • Send marketing emails or notifications
  • Scan, index, or analyze your content
  • Use ads for monetizations so third party can track you

Technical Implementation

Cryptographic Specifications

Detailed technical information about our encryption and security measures.

🔐

Encryption Details

Algorithm: AES-256-GCM (Galois/Counter Mode)

Key Derivation: PBKDF2-SHA256 with 100,000+ iterations

Salt Generation: Cryptographically secure random 32-byte salts

IV/Nonce: Unique 12-byte nonces for each encryption operation

Authentication: Built-in authenticated encryption prevents tampering

Key Storage: Derived keys never stored persistently

📱

Platform Integration

iOS: iOS Keychain for secure password storage

Android: Android Keystore with hardware security module support

Biometrics: Optional biometric unlock using platform APIs

Sandbox: App sandbox prevents other apps from accessing data

Permissions: Minimal permissions requested

Updates: App updates cannot access existing encrypted data

🛡️

Security Measures

Password Policy: Enforced minimum complexity requirements

Brute Force Protection: Exponential backoff for failed attempts

Memory Protection: Sensitive data cleared from memory after use

Screen Recording: Blocked during sensitive operations

Debug Prevention: Anti-debugging measures in production

Code Obfuscation: Critical code paths obfuscated

🔍

Audit & Verification

Open Source: Encryption modules publicly available on GitHub

Reproducible Builds: Build process documented and reproducible

Third-Party Audits: Regular security audits by independent firms

Bug Bounty: Rewards for security researchers

Transparency Reports: Regular updates on security practices

Code Signing: All releases cryptographically signed

How Your Data Flows (And Doesn't)

Visual representation of EchoVaults' complete offline architecture.

📝

1. Create Content

You write messages, upload photos, or documents in the app

🔐

2. Encrypt Locally

Content is immediately encrypted with AES-256 using your master password

📱

3. Store on Device

Encrypted data is stored only in your device's secure storage, nowhere else.

☁️

❌ No Cloud

Data never leaves your device automatically

📡

❌ No Servers

We have no servers to receive or store your data

👤

❌ No Accounts

No user accounts or profiles to link data to you

Backup & Transfer

You can manually export encrypted backups and transfer them to other devices. The backup process uses the same AES-256 encryption, and only someone with your master password can decrypt and import the data on another device.

Open Source Cryptography

Trust shouldn't require blind faith. Our entire encryption implementation is open source and available for security researchers to audit.

What's Open Source

  • Encryption and decryption algorithms
  • Key derivation functions
  • Salt and nonce generation
  • Secure storage implementations

What Stays Private

  • UI and user experience code
  • App store distribution
  • Branding and design assets
  • Business logic and features
View on GitHub Security Transparency PDF

Found a security issue? Email trust@echovaults.org for our responsible disclosure process.

Our "No Tracking" Promise

Most apps claim privacy while collecting extensive data. Here's exactly what we don't collect.

We Don't Collect:

  • Device identifiers (UDID, IMEI, etc.)
  • Advertising IDs
  • Location data
  • Contacts or address book
  • Usage analytics
  • Crash reports
  • Performance metrics
  • Feature usage statistics
  • Time spent in app
  • Button clicks or interactions

We Only Know:

  • You downloaded the app (app store metrics)
  • Basic app store ratings/reviews (public)
  • Support emails you choose to send
  • That's it. We literally know nothing else about how you use EchoVaults.

Verification: You can monitor all network traffic from EchoVaults using tools like Charles Proxy or Wireshark. You'll find zero network requests.

Commitment to Ongoing Transparency

We know privacy is not a one-time decision. It requires ongoing commitment and regular updates.

Quarterly Transparency Reports

Every three months, we publish detailed reports about our practices, any security incidents (there haven't been any), and updates to our policies.

Annual Security Audits

Independent security firms audit our encryption implementation annually. Full reports are published publicly after any findings are addressed.

Bug Bounty Program

We reward security researchers who find vulnerabilities. Our responsible disclosure process ensures issues are fixed before public disclosure.

Our Promise

We pledge to maintain this level of transparency as EchoVaults grows. If we ever consider changes that might affect user privacy, we'll announce them publicly and explain our reasoning in detail.