Security and encryption

Security and encryption

The contents of your notes are end-to-end encrypted. This means that nobody else can see your notes.

How does encryption work?

We encrypt all your notes on the client with a cypher called XChaCha20-Poly1305 before sending them to our servers. We use the password you supplied us as the key for this encryption (which never leaves your machine). The data stored on our servers is an encrypted blob which we can’t read.

We currently only end-to-end encrypt the text contents of your notes. We do not end-to-end encrypt files or images you upload (although this is on roadmap). But we do use security best practices around these things (TLS, encrypt at rest, etc).

For Whisper audio recordings, we process the audio with OpenAPI’s API (which involves sending the raw audio to them). As soon as the recording is processed we sync the transcription to your notes and delete the audio file our end. Similarly text selected and processed with our AI feature is also sent to OpenAPI’s servers. OpenAPI’s terms of service state they delete data after 30 days.

If you want to get really nerdy, you can check out the library we built to do all this encryption client-side.

Have you been audited?

Our security and encryption has been independently and successfully audited by https://www.doyensec.com.

At the design level, Doyensec found the system to be well architected. Cryptographic primitives and their usage is sound, with no vulnerabilities or misconfigurations identified.

Here is the summary:


Password security

During Reflect's sign-up process we prompt you for a password to use for the end-to-end encryption.

It's very important you do not lose your password otherwise you will permanently lose access to your notes.

We highly recommend generating and storing this password with a tool like 1Password.

But... is this encryption really secure? You could just edit the JavaScript anytime.

That's correct - ultimately you have to trust the client, and the client can change (we do update it from time to time).

There's always a user-experience tradeoff with security and this is where we've chosen to draw the line. We understand this may not work for everyone, but we think this compromise is going to help the most amount of people start using end-to-end encryption.

Pulling data from Clearbit

You may have noticed that Reflect can pull information around companies and contacts (such as a person’s LinkedIn profile or a company domain preview).

Essentially what’s happening is that Reflect scans notes with a #company or #person tag. If we can find a relevant email or company domain name within that note, then we ping clearbit.com for enrichment information.

We don't send any identifying information to Clearbit as to who's making the request. Clearbit also makes their own guarantees around data privacy.

Help - I've lost my password!

If you are still logged in on the web or desktop client, then go to Preferences → Select your graph in the sidebar (Probably titled My Brain) → Click Change password.

If you are logged out of the web or desktop client, then try following these steps:

  • Check Chrome's stored passwords in case you stored it there (Chrome → Preferences → Passwords → Search for 'reflect')
  • Check your Keychain on macOS (we back your password up there when using the desktop client). Search for reflect
  • Check for your Recovery Kit. We generate this during the signup process and download it to whichever device you first used to sign up. Typically this is a file called reflect-recovery-kit-xxxxx in your Downloads folder.
  • If you can't find your recovery kit or password through the steps above, and you're still logged into the mobile app, go to your mobile app preferences, copy the encryption key in there and email it to our support team. They'll direct you further.
  • Lastly, if all else fails, contact us. Reflect makes daily backups to your disk and it’s possible we might be able to recover your notes. We will do what we can to help.