Back to Home

Security Whitepaper

A technical overview of TextNotepad's security architecture and privacy guarantees.

End-to-End Encryption

AES-256-GCM encryption

Client-side key generation

No plaintext server storage

Perfect forward secrecy

Key Management

PBKDF2 key derivation

Salt-based protection

Keys never leave device

Secure key rotation

Zero Knowledge

No server-side decryption

Encrypted metadata

Anonymous file headers

No content analysis

Infrastructure

EU data centers

TLS 1.3 in transit

Encrypted at rest

Redundant backups

Auditing

Third-party security audits

Open-source client

Penetration testing

Bug bounty program

Compliance

GDPR compliant

ISO 27001 aligned

SOC 2 Type II

Regular compliance audits

Technical Architecture

Encryption Flow

  1. User creates or edits a note in the browser
  2. Content is encrypted using AES-256-GCM with a randomly generated key
  3. The encryption key is derived from user password using PBKDF2 with 100,000 iterations
  4. Only encrypted data is transmitted to our servers
  5. Servers store encrypted blobs without any decryption capability

Key Derivation

User passwords are never stored or transmitted. Instead, we use a key derivation function (PBKDF2) with a unique salt to generate encryption keys locally. This ensures that even identical passwords result in different encryption keys.

Data at Rest

All data on our servers is encrypted at rest using AES-256. Even if someone gained physical access to our servers, your notes would remain protected by multiple layers of encryption.

Transport Security

All communication uses TLS 1.3 with perfect forward secrecy. We also implement certificate pinning and strict transport security headers.

Metadata Protection

Even metadata like file names, folder structures, and timestamps are encrypted. We only store anonymous file identifiers and encrypted payloads.

Threat Model

What We Protect Against

  • Server Compromise: Even if our servers are breached, your notes remain encrypted
  • Employee Access: Our staff cannot read your notes, even if they wanted to
  • Government Requests: We can only provide encrypted data that we cannot decrypt
  • Network Interception: All traffic is encrypted in transit
  • Data Center Breach: Physical access to servers reveals only encrypted data

What You Need to Protect

  • Your Password: This is the only way to decrypt your notes
  • Your Device: Keep your devices secure and up-to-date
  • Phishing Attacks: Always verify you're on the correct domain

Open Source

Our client-side code is open source and available for audit. This allows security researchers to verify our encryption implementation and ensures transparency in our security claims.

View Client Source Code →

Security Contact

If you discover a security vulnerability, please email us at info@textnotepad.com. We offer rewards for valid security reports through our bug bounty program.