How we protect your data with end-to-end encryption and zero-knowledge architecture.
"Can't be evil" vs "Won't be evil"
We designed Onelist so that we cannot access your data, even if we wanted to. Even under legal compulsion, we have nothing to give because we cannot decrypt your data.

| Setting | Value |
|---|---|
| Algorithm | AES-256-GCM |
| Key Length | 256 bits |
| Mode | Galois/Counter |
| Function | Argon2id |
| Memory | 64 MB |
| Iterations | 3 |
| Protocol | TLS 1.3 |
| Certificate | Let's Encrypt |
| HSTS | Enabled |
| Storage | Encrypted blobs |
| Provider | Cloudflare R2 |
| Redundancy | Optional B2 |

| Data | Visible to Onelist? |
|---|---|
| Email address | Yes (for account) |
| Account metadata | Yes (billing, usage) |
| Entry content | No - Encrypted |
| Entry titles | No - Encrypted |
| Search queries | No - Local only |
| File contents | No - Encrypted |
| Tags | No - Encrypted |
Your passphrase derives your encryption key using Argon2id. We recommend a randomly generated 5-word passphrase for maximum security.
During setup, you receive a recovery key. Store this safely (photo, print, secure note). It can restore access if you forget your passphrase.
If you lose both your passphrase and recovery key, your data cannot be recovered. This is by design. We have no master key.
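The passphrase-to-key flow described above, as an added example that is not Onelist's own code: the client derives a 256-bit key, encrypts with AES-256-GCM, and uploads only the resulting blob, so a wrong passphrase or a modified blob cannot be decrypted. Assumptions: scrypt from Node's standard library stands in for Argon2id (tuned to the same 64 MiB memory cost), and the function names and blob layout are hypothetical.

```javascript
const crypto = require('crypto');

// Stand-in KDF parameters (assumption): scrypt instead of the page's Argon2id.
// N = 2^16 with r = 8 requires 128 * N * r = 64 MiB of memory per derivation.
const KDF = { N: 65536, r: 8, p: 1, maxmem: 96 * 1024 * 1024 };

// Passphrase + per-blob random salt -> 32-byte (256-bit) AES key.
function deriveKey(passphrase, salt) {
  return crypto.scryptSync(passphrase.normalize('NFKC'), salt, 32, KDF);
}

// Runs on the client. The returned object is everything the server would store:
// salt, nonce, ciphertext and GCM tag. The passphrase and key never leave the client.
function encryptEntry(passphrase, plaintext) {
  const salt = crypto.randomBytes(16);
  const nonce = crypto.randomBytes(12); // 96-bit GCM nonce, fresh for every message
  const key = deriveKey(passphrase, salt);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, nonce);
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return { salt, nonce, ct, tag: cipher.getAuthTag() };
}

// Returns the plaintext, or null when the GCM tag does not verify
// (wrong passphrase, or the stored blob was modified).
function decryptEntry(passphrase, blob) {
  const key = deriveKey(passphrase, blob.salt);
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, blob.nonce);
  decipher.setAuthTag(blob.tag);
  try {
    return Buffer.concat([decipher.update(blob.ct), decipher.final()]).toString('utf8');
  } catch (err) {
    return null;
  }
}
```

A production client would derive the key once per session rather than once per entry, since each derivation is deliberately expensive.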
All Onelist code is open source. You can audit our encryption implementation yourself. We believe transparency builds trust.