EchoGraph

Security

Zero-knowledge by design

EchoGraph servers store your data but cannot read it. Encryption happens in your browser, before anything leaves your device. Your vault passphrase never touches our servers — ever.

3-Tier Key Hierarchy

  • Your passphrase: never stored, never transmitted
  • PBKDF2 derivation: 310,000 iterations · SHA-256
  • Master Key: AES-GCM 256 · memory-only
  • Encrypted blobs: stored in Supabase Storage

Your passphrase derives a Key-Encryption-Key (KEK) via PBKDF2 in your browser. The KEK unwraps your Master Key (AES-KW). The KEK is immediately discarded. The Master Key encrypts every file using AES-GCM 256 with a unique 96-bit IV per chunk. The Master Key is non-extractable and lives only in browser memory for your session.
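
The key hierarchy described above, sketched with the Web Crypto API as an added example (not EchoGraph's own code). The function names, the 16-byte salt, the IV-prefixed blob layout and the signup-time wrap step are assumptions; the PBKDF2, AES-KW and AES-GCM parameters follow the text.

```javascript
// Added illustration, not EchoGraph's code. Names, salt size and blob layout are assumptions.
const wc = globalThis.crypto ?? require('node:crypto').webcrypto;
const ITERATIONS = 310000; // PBKDF2 iteration count stated on this page

// Passphrase -> KEK (AES-KW). Non-extractable, usable only to wrap/unwrap.
async function deriveKek(passphrase, salt) {
  const base = await wc.subtle.importKey(
    'raw', new TextEncoder().encode(passphrase), 'PBKDF2', false, ['deriveKey']);
  return wc.subtle.deriveKey(
    { name: 'PBKDF2', hash: 'SHA-256', salt, iterations: ITERATIONS },
    base, { name: 'AES-KW', length: 256 }, false, ['wrapKey', 'unwrapKey']);
}

// Signup (assumed flow): create the Master Key and wrap it; only {salt, wrapped} is uploaded.
async function createVault(passphrase) {
  const salt = wc.getRandomValues(new Uint8Array(16));
  const master = await wc.subtle.generateKey( // extractable once, so it can be wrapped
    { name: 'AES-GCM', length: 256 }, true, ['encrypt', 'decrypt']);
  const kek = await deriveKek(passphrase, salt);
  const wrapped = new Uint8Array(await wc.subtle.wrapKey('raw', master, kek, 'AES-KW'));
  return { salt, wrapped };
}

// Unlock: unwrap into a non-extractable AES-GCM key. A wrong passphrase fails
// the AES-KW integrity check, so the promise rejects instead of yielding a bad key.
async function unlockVault(passphrase, { salt, wrapped }) {
  const kek = await deriveKek(passphrase, salt); // goes out of scope after the unwrap
  return wc.subtle.unwrapKey('raw', wrapped, kek, 'AES-KW',
    { name: 'AES-GCM', length: 256 }, false, ['encrypt', 'decrypt']);
}

// Each chunk gets a fresh random 96-bit IV, stored in front of ciphertext + tag.
async function encryptChunk(master, plaintext) {
  const iv = wc.getRandomValues(new Uint8Array(12));
  const ct = new Uint8Array(await wc.subtle.encrypt({ name: 'AES-GCM', iv }, master, plaintext));
  const blob = new Uint8Array(12 + ct.length);
  blob.set(iv); blob.set(ct, 12);
  return blob;
}

// Split the IV back off; decrypt rejects if the chunk or its tag was altered.
async function decryptChunk(master, blob) {
  const pt = await wc.subtle.decrypt(
    { name: 'AES-GCM', iv: blob.subarray(0, 12) }, master, blob.subarray(12));
  return new Uint8Array(pt);
}
```

The server-side view in this sketch is the salt, the 40-byte wrapped key and the chunk blobs; none of these decrypt without the passphrase-derived KEK.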

EchoGraph can

  • Store your encrypted file blobs
  • Record file metadata (size, upload date)
  • Verify your identity via Google OAuth
  • Deliver your encrypted Master Key blob

EchoGraph cannot

  • Read your lecture audio or slides
  • Read your transcripts or keywords
  • Reset your vault passphrase
  • Recover your data if you lose your passphrase
  • Decrypt anything stored on our servers

No password reset

Because your vault passphrase never reaches our servers, we cannot reset it. At signup, you download a Recovery Kit — a backup of your Master Key encrypted with a recovery passphrase you set once. Keep it somewhere safe. Loss of both your vault passphrase and your Recovery Kit means permanent data loss. By design.

All ML runs in your browser

Whisper transcription and BERT keyword extraction run as WebAssembly in your browser. Your audio and text never leave your device on the free tier. Scholar tier offers optional server-side transcription (VibeVoice-ASR) with explicit per-session consent — you opt in each time, and audio is discarded immediately after transcription.

Row-level security

Every database table and storage bucket enforces Supabase Row-Level Security. Your data rows and storage paths are restricted to your user ID — no query can return another user's data, even if our application code has a bug.

Responsible Disclosure

Found a security issue?

We take security reports seriously. If you've found a vulnerability, please email us privately before public disclosure. We'll acknowledge your report within 48 hours and work to resolve confirmed issues quickly.

security@echograph.app