πŸ—οΈ

Security and encryption



The contents of your notes are end-to-end encrypted. This means that nobody else can see your notes.

How does encryption work?

We encrypt all your notes on the client with a cipher called XChaCha20-Poly1305 before sending them to our servers. The password you supplied us is used as the key for this encryption, and it never leaves your machine.

We currently only end-to-end encrypt the text contents of your notes. We do not end-to-end encrypt things like files or images you upload, although we do apply standard security practices to them (TLS in transit, encryption at rest, etc.).

If you want to get really nerdy, you can check out the library we built to do all this encryption client-side.
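To make the scheme above concrete, here is an added, self-contained Python example (standard library only; it is not Reflect's client library or code). It implements XChaCha20-Poly1305 from the RFC 8439 ChaCha20 and Poly1305 primitives plus the HChaCha20 nonce extension, derives a 32-byte key from a user password with scrypt (an assumption for illustration; the page does not say how the password becomes a key), and shows the property that matters for stored notes: any modification of the ciphertext is rejected rather than decrypted to garbage. The note text and password are constructed sample values.

```python
import hashlib
import hmac
import os
import struct

MASK32 = 0xFFFFFFFF
CONSTANTS = struct.unpack("<4I", b"expand 32-byte k")  # the "expand 32-byte k" constant words


def _rotl32(v, c):
    return ((v << c) & MASK32) | (v >> (32 - c))


def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl32(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl32(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl32(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl32(s[b] ^ s[c], 7)


def _twenty_rounds(s):
    for _ in range(10):  # 10 double rounds (column + diagonal) = 20 rounds
        _quarter_round(s, 0, 4, 8, 12); _quarter_round(s, 1, 5, 9, 13)
        _quarter_round(s, 2, 6, 10, 14); _quarter_round(s, 3, 7, 11, 15)
        _quarter_round(s, 0, 5, 10, 15); _quarter_round(s, 1, 6, 11, 12)
        _quarter_round(s, 2, 7, 8, 13); _quarter_round(s, 3, 4, 9, 14)


def chacha20_block(key, counter, nonce12):
    """RFC 8439 block function: returns 64 bytes of keystream."""
    state = list(CONSTANTS) + list(struct.unpack("<8I", key)) \
        + [counter] + list(struct.unpack("<3I", nonce12))
    work = state[:]
    _twenty_rounds(work)
    return struct.pack("<16I", *[(x + y) & MASK32 for x, y in zip(state, work)])


def hchacha20(key, nonce16):
    """Derive the XChaCha20 subkey from the key and the first 16 nonce bytes."""
    state = list(CONSTANTS) + list(struct.unpack("<8I", key)) + list(struct.unpack("<4I", nonce16))
    _twenty_rounds(state)  # unlike the block function, no feed-forward addition
    return struct.pack("<8I", *(state[:4] + state[12:]))


def _chacha20_xor(key, counter, nonce12, data):
    out = bytearray()
    for i in range(0, len(data), 64):
        keystream = chacha20_block(key, counter + i // 64, nonce12)
        out += bytes(x ^ y for x, y in zip(data[i:i + 64], keystream))
    return bytes(out)


def poly1305(otk, msg):
    """RFC 8439 one-time authenticator over msg with the 32-byte key otk."""
    r = int.from_bytes(otk[:16], "little") & 0x0FFFFFFC0FFFFFFC0FFFFFFC0FFFFFFF  # clamp
    s = int.from_bytes(otk[16:], "little")
    p = (1 << 130) - 5
    acc = 0
    for i in range(0, len(msg), 16):  # each block gets a 0x01 byte appended before use
        acc = ((acc + int.from_bytes(msg[i:i + 16] + b"\x01", "little")) * r) % p
    return ((acc + s) & ((1 << 128) - 1)).to_bytes(16, "little")


def _pad16(b):
    return b + b"\x00" * (-len(b) % 16)


def _aead_tag(subkey, nonce12, aad, ct):
    otk = chacha20_block(subkey, 0, nonce12)[:32]  # counter 0 block yields the Poly1305 key
    mac_data = _pad16(aad) + _pad16(ct) + struct.pack("<QQ", len(aad), len(ct))
    return poly1305(otk, mac_data)


def xchacha20poly1305_encrypt(key, nonce24, plaintext, aad=b""):
    subkey = hchacha20(key, nonce24[:16])
    nonce12 = b"\x00" * 4 + nonce24[16:]  # remaining 8 nonce bytes, zero-prefixed
    ct = _chacha20_xor(subkey, 1, nonce12, plaintext)  # encryption starts at counter 1
    return ct + _aead_tag(subkey, nonce12, aad, ct)


def xchacha20poly1305_decrypt(key, nonce24, ciphertext, aad=b""):
    subkey = hchacha20(key, nonce24[:16])
    nonce12 = b"\x00" * 4 + nonce24[16:]
    ct, tag = ciphertext[:-16], ciphertext[-16:]
    if not hmac.compare_digest(tag, _aead_tag(subkey, nonce12, aad, ct)):
        raise ValueError("authentication failed: ciphertext, nonce or key is wrong")
    return _chacha20_xor(subkey, 1, nonce12, ct)


def derive_key(password, salt):
    # Assumption for this example: scrypt turns the user's password into a 32-byte key.
    return hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1, dklen=32)


def encrypt_note(password, text):
    """Blob layout (constructed for this example): salt(16) || nonce(24) || ct || tag(16)."""
    salt, nonce = os.urandom(16), os.urandom(24)
    return salt + nonce + xchacha20poly1305_encrypt(derive_key(password, salt), nonce, text.encode())


def decrypt_note(password, blob):
    salt, nonce, body = blob[:16], blob[16:40], blob[40:]
    return xchacha20poly1305_decrypt(derive_key(password, salt), nonce, body).decode()


def tamper_is_detected(password, text):
    """Flip one ciphertext bit; the Poly1305 tag check must reject the blob."""
    blob = bytearray(encrypt_note(password, text))
    blob[40] ^= 0x01
    try:
        decrypt_note(password, bytes(blob))
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    note = "Sample note text (constructed for this example)"
    assert decrypt_note("correct horse battery staple", encrypt_note("correct horse battery staple", note)) == note
    assert tamper_is_detected("correct horse battery staple", note)
```

Two design points worth noticing: the 24-byte nonce is what lets a client pick nonces at random for every save without tracking state (the 12-byte ChaCha20-Poly1305 nonce is too short for that), and the Poly1305 tag is checked before any plaintext is released, which is why a server that stores the ciphertext cannot silently alter a note. The password-to-key step is the example's own choice; a real client would also have to fix salt handling and key caching.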

Have you been audited?

Our security and encryption have been independently and successfully audited by https://www.doyensec.com.

At the design level, Doyensec found the system to be well architected. The cryptographic primitives and their usage are sound, with no vulnerabilities or misconfigurations identified.

Here is the summary:

Doyensec_Reflect_SecurityTestingReport_Q22021.pdf (216.3 KB)

Password security

During Reflect's sign-up process we prompt you for a password to use for the end-to-end encryption.

It's very important that you do not lose your password; otherwise you will permanently lose access to your notes.

We highly recommend generating and storing this password with a tool like 1Password or LastPass.

But... is this encryption really secure? You could just edit the JavaScript anytime.

That's correct - ultimately you have to trust the client, and the client can change (we do update it from time to time).

There's always a trade-off between user experience and security, and this is where we've chosen to draw the line. We understand this may not work for everyone, but we think this compromise will help the most people start using end-to-end encryption.

I've lost my password - help!

If you are still logged in on the web or desktop client, then go to Preferences → Select your graph (probably titled My Brain) → Change password.

If you are logged out of the web or desktop client, then try following these steps:

  • Check Chrome's stored passwords in case you stored it there (Chrome → Preferences → Passwords → Search for 'reflect').
  • Check your Keychain on macOS (we back your password up there when using the desktop client). Search for 'reflect'.
  • Lastly, send an email to support@reflect.app. Reflect makes daily backups to your disk and it's possible we might be able to recover your notes. We will do what we can to help.