Security

NoteSync's security model is based on three principles: client-side encryption, minimal metadata, and infrastructure hardening.

Encryption

• Notes are encrypted with AES-256-GCM before leaving your device
• Keys derived via Argon2id from your master password (memory: 64 MiB, iterations: 3, parallelism: 4)
• Each note has a unique random nonce; key rotation supported
• Transport: TLS 1.3, HTTP/2; certificate pinning in mobile apps

Infrastructure

• Servers in EU only (Frankfurt, Helsinki)
• Encrypted-at-rest storage (LUKS dm-crypt)
• Network isolation via WireGuard mesh between services
• Public services behind Cloudflare with rate limiting
• Daily encrypted backups, retained 30 days

Operational security

• All employees use FIDO2 hardware keys for production access
• Production access requires SSO + 2FA; sessions logged for audit
• Quarterly third-party penetration testing
• Bug bounty: see /security.txt

Reporting vulnerabilities

Email security@notesync-stub.invalid (PGP key in /.well-known/security.txt). We commit to initial response within 48h.

Compliance

SOC 2 Type II (annual audit), GDPR-compliant data processing. ISO 27001 certification in progress (target Q3 2026).