SOC 2 Type II Certified

Your Documents. Your Keys. Zero Knowledge.

End-to-end encrypted document vault where even we cannot read your data. Upload, share, and manage sensitive files with zero-knowledge architecture.

01 SOC 2 Type II: Certified Infrastructure
02 AES-256-GCM: Military-Grade Encryption
03 Argon2id KDF: Zero-Knowledge Key Derivation
04 GDPR Article 17: Cryptographic Erasure Protocol
Defense in Depth — 4 Layers of Protection
Trusted by security teams worldwide
Sentinel Corp
Aegis Health
Nexus Financial
TrustGrid
CipherWorks
QuantumSafe
VaultEdge
DataFort
ZeroTrace
IronVault
CryptoLayer
SafeHarbor
NullByte Security
AuditPrime
SecureNode
ComplianceHQ

Zero-knowledge in three steps

Your documents are encrypted before they ever leave your device. We engineer trust through mathematics, not promises.

01
Encryption

Client-Side Lock

Files are encrypted in your browser using AES-256-GCM before upload. Your master key is derived locally via Argon2id and never transmitted.

02
Access

Granular Control

Share documents with time-limited, revocable links. Set view limits, expiration, and permissions. Revoke access at any time.

03
Integration

Developer First

Integrate zero-knowledge encryption into your application with our TypeScript SDK. Full API documentation and webhook support.

Built for every workflow

From encrypted uploads to secure sharing — designed for the way modern teams handle sensitive documents.

Trust No One. Not even us.

CoffreZero is designed so that we mathematically cannot access your data. Our servers only ever see encrypted blobs.

Your Device

Password + Argon2id
AES-256-GCM Encryption
Key Derivation
Plaintext here

CoffreZero Servers

0x8A3F...E7B2
0xC1D9...4F6A
0x7E2B...91CD
Encrypted blobs only

Built for Developers

Integrate zero-knowledge document encryption with our TypeScript SDK. Encrypt on the client, store on the server, share with anyone.

upload.ts (TypeScript)
import { CoffreZero } from '@coffrezero/sdk';

const vault = new CoffreZero({
  apiKey: process.env.CZ_API_KEY,
  region: 'us-east-1',
});

// Encrypt & upload — keys never leave client
const doc = await vault.documents.upload({
  file: userFile,
  metadata: {
    label: 'KYC Verification',
    tags: ['identity', 'sensitive'],
  },
});

// Generate time-limited share link
const link = await vault.shares.create({
  documentId: doc.id,
  expiresIn: '24h',
  maxViews: 3,
  permissions: ['view'],
});

console.log(link.url);
response.json (200 OK)
{
  "id": "doc_8xKp2mNq7Yz",
  "status": "encrypted",
  "encryption": {
    "algorithm": "AES-256-GCM",
    "kdf": "Argon2id",
    "keyWrapping": "XSalsa20-Poly1305"
  },
  "share": {
    "token": "sh_Tn4vXqWr9Bk",
    "url": "https://coffrezero.io/s/sh_Tn4vXqWr9Bk",
    "expiresAt": "2025-01-16T12:00:00Z",
    "maxViews": 3,
    "viewCount": 0,
    "permissions": ["view"]
  },
  "createdAt": "2025-01-15T12:00:00Z",
  "size": 2457600
}

Secure by Design

Purpose-built for industries where document security is not optional.

Identity

KYC & Identity

Securely collect and verify identity documents with zero-knowledge proofs.

Legal

Legal Compliance

Protect privileged documents with tamper-evident audit trails.

HIPAA

Healthcare

HIPAA-ready encrypted document storage for medical records and patient data.

Finance

Financial Services

Bank-grade encryption for financial statements, tax documents, and transaction records.

Secrets

Burn After Reading

Share secrets that self-destruct after one view. No account required.

256-bit AES-GCM Encryption
0 Plaintext on Servers
99.99% Uptime SLA
<100ms API Latency (p95)

Built on principles, not promises

Your privacy, our priority.
Zero-Knowledge

Secure Share Tiers

Three tiers of sharing — from link-based access to full zero-knowledge key exchange. Tier 2 seals the document key with the recipient's public key. We never see the plaintext. Ever.

Sender
encrypts DEK
Public-Key Sealed
DEK → NaCl SecretBox
Sealed w/ recipient pubkey
Recipient
unseals with private key
Forensic

Invisible Watermarks & Immutable Audit Trail

Every shared document carries an invisible forensic watermark tied to the recipient's identity. Combined with a tamper-proof audit log that records every access, share, and modification.

Document encrypted (12:04:31 UTC)
Watermark embedded (12:04:32 UTC)
Tier 2 key exchange (14:22:15 UTC)
Recipient accessed (15:08:44 UTC)
Audit entry sealed (15:08:44 UTC)
Tamper-proof
GDPR Art. 17

Data Sovereignty & Erasure Protocol

GDPR Article 17 compliance through cryptographic erasure. When you delete, we don't just remove the pointer — we destroy the encryption keys, making recovery mathematically impossible.

Keys Destroyed — Irrecoverable
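
The client-side key handling from "Client-Side Lock" and the key-destruction erasure described here, as an added example (not CoffreZero's code or SDK). Assumptions: to keep it dependency-free, scrypt stands in for Argon2id and AES-256-GCM stands in for the XSalsa20-Poly1305 key wrapping; `StoredDoc`, `encryptDocument`, `decryptDocument` and `erase` are hypothetical names.

```typescript
import { createCipheriv, createDecipheriv, randomBytes, scryptSync } from 'node:crypto';

interface Sealed { iv: Buffer; ct: Buffer; tag: Buffer }
// What the server stores (hypothetical shape): never the password, KEK or bare DEK.
interface StoredDoc { salt: Buffer; body: Sealed; wrappedDek: Sealed | null }

// AES-256-GCM with a fresh 96-bit nonce per call.
function seal(key: Buffer, plaintext: Buffer): Sealed {
  const iv = randomBytes(12);
  const cipher = createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return { iv, ct, tag: cipher.getAuthTag() };
}

// Throws if the key is wrong or the ciphertext or tag was modified.
function unseal(key: Buffer, sealed: Sealed): Buffer {
  const decipher = createDecipheriv('aes-256-gcm', key, sealed.iv);
  decipher.setAuthTag(sealed.tag);
  return Buffer.concat([decipher.update(sealed.ct), decipher.final()]);
}

// Assumption: scrypt as a stand-in KDF; the page names Argon2id.
function deriveKek(password: string, salt: Buffer): Buffer {
  return scryptSync(password, salt, 32);
}

// Runs on the client: a random per-document key (DEK) encrypts the file,
// and the password-derived key (KEK) wraps the DEK.
function encryptDocument(password: string, file: Buffer): StoredDoc {
  const salt = randomBytes(16);
  const kek = deriveKek(password, salt);
  const dek = randomBytes(32);
  const doc: StoredDoc = { salt, body: seal(dek, file), wrappedDek: seal(kek, dek) };
  kek.fill(0);
  dek.fill(0); // best-effort wipe of key material held in memory
  return doc;
}

function decryptDocument(password: string, doc: StoredDoc): Buffer {
  if (doc.wrappedDek === null) throw new Error('document key destroyed');
  const dek = unseal(deriveKek(password, doc.salt), doc.wrappedDek);
  return unseal(dek, doc.body);
}

// Cryptographic erasure: drop the only copy of the wrapped DEK. The body
// ciphertext may persist (for example in backups) but can no longer be opened.
function erase(doc: StoredDoc): void {
  doc.wrappedDek = null;
}
```

Erasure by key destruction only holds if every copy of the wrapped DEK is destroyed, including copies in backups, replicas and caches.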
Self-Destruct

Burn After Reading

Share secrets that self-destruct after a single view. Set TTL timers, optional passwords, and view-once locks. Once read, the ciphertext and keys are permanently erased from all systems.

1 VIEW
View-once · TTL timer · Password
Auto-erased after access
Developer

Developer API & Webhook Engine

Full REST API with scoped API keys, HMAC-SHA256 signed webhooks, and automatic retry with exponential backoff. Build encrypted document workflows into any system.

api.coffrezero.com
POST /v1/documents/encrypt
{
  "status": "encrypted",
  "hmac": "sha256:a3f8..."
}
HMAC-SHA256 · Retry backoff · Scoped keys
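
How a receiver can check a signed webhook and stay idempotent under retries, as an added example (not CoffreZero's code or SDK). Assumptions: the signature is the hex HMAC-SHA256 of the raw request body with a `sha256:` prefix, a retry resends an identical body, and the caller extracts the signature from wherever it is delivered; `sign`, `verifyWebhook` and `handleDelivery` are hypothetical names.

```typescript
import { createHmac, timingSafeEqual } from 'node:crypto';

const PREFIX = 'sha256:'; // assumed format, modelled on the "sha256:a3f8..." value above

// Sender side, included so the example can produce a constructed delivery.
function sign(secret: string, rawBody: string): string {
  return PREFIX + createHmac('sha256', secret).update(rawBody, 'utf8').digest('hex');
}

// Check the signature over the raw request body, before any JSON parsing.
function verifyWebhook(secret: string, rawBody: string, signature: string): boolean {
  if (!signature.startsWith(PREFIX)) return false;
  const hex = signature.slice(PREFIX.length);
  if (!/^[0-9a-f]{64}$/i.test(hex)) return false; // truncated or malformed digest
  const expected = createHmac('sha256', secret).update(rawBody, 'utf8').digest();
  return timingSafeEqual(Buffer.from(hex, 'hex'), expected); // constant-time compare
}

type Outcome = 'processed' | 'duplicate' | 'rejected';
const seen = new Set<string>(); // in production: a shared store with expiry

// Retries redeliver the same signed payload, so the handler must be idempotent.
function handleDelivery(
  secret: string,
  rawBody: string,
  signature: string,
  onEvent: (event: unknown) => void,
): Outcome {
  if (!verifyWebhook(secret, rawBody, signature)) return 'rejected';
  const key = signature.toLowerCase();
  if (seen.has(key)) return 'duplicate';
  onEvent(JSON.parse(rawBody));
  seen.add(key); // recorded only after the event was handled without throwing
  return 'processed';
}
```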
CoffreZero

Ready to take control of your documents?

Start encrypting your sensitive documents today. Free tier available with no credit card required.