Security
How MailZyro keeps your data yours.
The same idea runs through the whole suite: your data is encrypted on your device, and the key that unlocks it stays with you. Here is how it works — and exactly where it is live today.
How privacy works
Encrypted on your device, not on our promise.
Across MailZyro, content is encrypted in your browser before it is sent. Our servers hold ciphertext and the wrapped keys — never the keys that open them.
Your key
You get an OpenPGP key pair. The private key is decrypted only inside an isolated Web Worker on your device.
Per-item key
Each document, spreadsheet, file or event gets its own AES-256-GCM content key.
Wrapped for each person
That content key is wrapped with each collaborator’s OpenPGP key, so only the right people can open it.
Blind storage
Servers store and sync the encrypted bytes. Without your key, they are unreadable.
Single sign-on derives your key access with HMAC-SHA256, so there is no separate password to manage. Lose your recovery phrase and your password, and encrypted data genuinely cannot be recovered — that is the point.
Where it is live
End-to-end encryption, app by app.
We will not claim encryption an app does not have yet. Six apps encrypt your content end to end today. Docs and Forms do not yet — and we say so.
Messages and attachments encrypted on your device with OpenPGP.
Sheets
LivePer-spreadsheet AES-256 key, wrapped with each collaborator’s OpenPGP key.
Slides
BetaPer-presentation key wrapped per user. Encryption is live; the app is Beta.
Calendar
LiveEvent titles, locations, notes and attendees encrypted at rest.
Drive
LiveFiles and file names encrypted on your device before upload.
Contacts
Early accessContact details encrypted with AES-256-GCM. Encryption is live; the app is early access.
Docs
Coming soonReal-time editing is live; end-to-end encryption is being wired in and not shipped yet.
Forms
Coming soonThe builder is live; encrypted responses are the headline roadmap item.
The whole picture
Shipped across the suite, and what is next.
Shipped today
Device-side encryption
Content is encrypted in your browser before it reaches our servers.
Per-item keys, wrapped per person
Each item has its own key, wrapped with each collaborator’s OpenPGP key.
Web Worker key isolation
Private keys are decrypted inside an isolated Web Worker, away from page scripts.
Recovery phrase
A 12-word BIP-39 phrase can regenerate your keys if you forget your password.
Single sign-on
One identity unlocks the suite via accounts.maluki.io, with key access derived using HMAC-SHA256.
Blind real-time sync
Collaborative apps relay encrypted updates without the server reading them.
On the roadmap
End-to-end encryption for Docs
Coming soonThe infrastructure exists and is being wired into how documents are saved.
Encrypted responses for Forms
Coming soonEncrypting form responses end to end is the headline Forms roadmap item.
Organisation recovery with two-party consent
PlannedA business recovery key that only works with the user’s approval, designed so the org cannot read data unilaterally.
We label what is not yet shipped instead of implying it is. If a page does not show a roadmap badge for a claim, the claim is backed by code today.
By the numbers
The building blocks.
AES-256
Content encryption
OpenPGP
Key wrapping
Web Worker
Key isolation
12 words
Recovery phrase
6 / 8
Apps E2E today
0
Plaintext keys on servers
What you can count on
Promises we can actually keep.
We hold ciphertext
For end-to-end encrypted apps, our servers store unreadable data.
Keys stay with you
Private keys are decrypted only on your device, inside a Web Worker.
No ad-targeting scans
We do not read your content to profile you or sell signals.
Honest labels
Anything not yet encrypted is marked, not hidden.
Recovery you control
Your recovery phrase, not our database, is what brings access back.
Open building blocks
Standard, audited primitives — OpenPGP and AES-256-GCM — not home-made crypto.
FAQ
Questions about security
Your content is encrypted on your device with a key only you (and the people you share with) hold. Our servers store the encrypted bytes and the wrapped keys, but never the key that opens them — so we cannot read your content.
Not yet. Mail, Sheets, Slides, Calendar, Drive and Contacts encrypt your content end to end today. Docs and Forms do not yet — their encryption is on the roadmap and we label it clearly rather than pretend.
A 12-word recovery phrase, shown once at sign-up, can regenerate your keys. If you lose both the phrase and your password, encrypted data cannot be recovered, because we genuinely do not hold the keys.
Yes. We rely on OpenPGP for key wrapping and AES-256-GCM for content, with HKDF-SHA256 and Argon2id where appropriate. We do not roll our own crypto.
No app gives an organisation unilateral access to your content. A business recovery key with two-party consent — where recovery needs your approval — is a designed, planned feature, not something running silently today.
One identity through accounts.maluki.io unlocks the suite, and your key access is derived using HMAC-SHA256 so there is no separate password to manage. The keys themselves are still only usable on your device.
Privacy you can verify, not just trust.
Create a free account and see the model in practice across Mail, Sheets, Drive and more.