Security

How MailZyro keeps your data yours.

The same idea runs through the whole suite: your data is encrypted on your device, and the key that unlocks it stays with you. Here is how it works — and exactly where it is live today.

OpenPGPAES-256-GCMWeb Worker key isolationRecovery phrase

How privacy works

Encrypted on your device, not on our promise.

Across MailZyro, content is encrypted in your browser before it is sent. Our servers hold ciphertext and the wrapped keys — never the keys that open them.

01

Your key

You get an OpenPGP key pair. The private key is decrypted only inside an isolated Web Worker on your device.

02

Per-item key

Each document, spreadsheet, file or event gets its own AES-256-GCM content key.

03

Wrapped for each person

That content key is wrapped with each collaborator’s OpenPGP key, so only the right people can open it.

04

Blind storage

Servers store and sync the encrypted bytes. Without your key, they are unreadable.

Built onOpenPGPAES-256-GCMHKDF-SHA256Argon2id

Single sign-on derives your key access with HMAC-SHA256, so there is no separate password to manage. Lose your recovery phrase and your password, and encrypted data genuinely cannot be recovered — that is the point.

Where it is live

End-to-end encryption, app by app.

We will not claim encryption an app does not have yet. Six apps encrypt your content end to end today. Docs and Forms do not yet — and we say so.

Mail

Live

Messages and attachments encrypted on your device with OpenPGP.

Sheets

Live

Per-spreadsheet AES-256 key, wrapped with each collaborator’s OpenPGP key.

Slides

Beta

Per-presentation key wrapped per user. Encryption is live; the app is Beta.

Calendar

Live

Event titles, locations, notes and attendees encrypted at rest.

Drive

Live

Files and file names encrypted on your device before upload.

Contacts

Early access

Contact details encrypted with AES-256-GCM. Encryption is live; the app is early access.

Docs

Coming soon

Real-time editing is live; end-to-end encryption is being wired in and not shipped yet.

Forms

Coming soon

The builder is live; encrypted responses are the headline roadmap item.

The whole picture

Shipped across the suite, and what is next.

Shipped today

  • Device-side encryption

    Content is encrypted in your browser before it reaches our servers.

  • Per-item keys, wrapped per person

    Each item has its own key, wrapped with each collaborator’s OpenPGP key.

  • Web Worker key isolation

    Private keys are decrypted inside an isolated Web Worker, away from page scripts.

  • Recovery phrase

    A 12-word BIP-39 phrase can regenerate your keys if you forget your password.

  • Single sign-on

    One identity unlocks the suite via accounts.maluki.io, with key access derived using HMAC-SHA256.

  • Blind real-time sync

    Collaborative apps relay encrypted updates without the server reading them.

On the roadmap

  • End-to-end encryption for Docs

    Coming soon

    The infrastructure exists and is being wired into how documents are saved.

  • Encrypted responses for Forms

    Coming soon

    Encrypting form responses end to end is the headline Forms roadmap item.

  • Organisation recovery with two-party consent

    Planned

    A business recovery key that only works with the user’s approval, designed so the org cannot read data unilaterally.

We label what is not yet shipped instead of implying it is. If a page does not show a roadmap badge for a claim, the claim is backed by code today.

By the numbers

The building blocks.

AES-256

Content encryption

OpenPGP

Key wrapping

Web Worker

Key isolation

12 words

Recovery phrase

6 / 8

Apps E2E today

0

Plaintext keys on servers

What you can count on

Promises we can actually keep.

We hold ciphertext

For end-to-end encrypted apps, our servers store unreadable data.

Keys stay with you

Private keys are decrypted only on your device, inside a Web Worker.

No ad-targeting scans

We do not read your content to profile you or sell signals.

Honest labels

Anything not yet encrypted is marked, not hidden.

Recovery you control

Your recovery phrase, not our database, is what brings access back.

Open building blocks

Standard, audited primitives — OpenPGP and AES-256-GCM — not home-made crypto.

FAQ

Questions about security

  • Your content is encrypted on your device with a key only you (and the people you share with) hold. Our servers store the encrypted bytes and the wrapped keys, but never the key that opens them — so we cannot read your content.

  • Not yet. Mail, Sheets, Slides, Calendar, Drive and Contacts encrypt your content end to end today. Docs and Forms do not yet — their encryption is on the roadmap and we label it clearly rather than pretend.

  • A 12-word recovery phrase, shown once at sign-up, can regenerate your keys. If you lose both the phrase and your password, encrypted data cannot be recovered, because we genuinely do not hold the keys.

  • Yes. We rely on OpenPGP for key wrapping and AES-256-GCM for content, with HKDF-SHA256 and Argon2id where appropriate. We do not roll our own crypto.

  • No app gives an organisation unilateral access to your content. A business recovery key with two-party consent — where recovery needs your approval — is a designed, planned feature, not something running silently today.

  • One identity through accounts.maluki.io unlocks the suite, and your key access is derived using HMAC-SHA256 so there is no separate password to manage. The keys themselves are still only usable on your device.

Privacy you can verify, not just trust.

Create a free account and see the model in practice across Mail, Sheets, Drive and more.