Security and encryption
The contents of your notes are end-to-end encrypted. This means that nobody else can see your notes.
How does encryption work?
We encrypt all your notes on the client with a cipher called XChaCha20-Poly1305 before sending them to our servers. We use the password you supplied as the key for this encryption, and that password never leaves your machine. The data stored on our servers is an encrypted blob which we can't read.
We currently only end-to-end encrypt the text contents of your notes. We do not end-to-end encrypt files or images you upload (although this is on the roadmap). We do, however, follow security best practices for these (TLS in transit, encryption at rest, etc).
For Whisper audio recordings, we process the audio with OpenAI's API (which involves sending the raw audio to them). As soon as the recording is processed we sync the transcription to your notes and delete the audio file on our end. Similarly, text selected and processed with our AI feature is also sent to OpenAI's servers. OpenAI's terms of service state that they delete data after 30 days.
If you want to get really nerdy, you can check out the library we built to do all this encryption client-side.
Have you been audited?
Our security and encryption have been independently and successfully audited by https://www.doyensec.com.
At the design level, Doyensec found the system to be well architected. Cryptographic primitives and their usage are sound, with no vulnerabilities or misconfigurations identified.
Here is the summary:
During Reflect's sign-up process we prompt you for a password to use for the end-to-end encryption.
It's very important you do not lose your password otherwise you will permanently lose access to your notes.
We highly recommend generating and storing this password with a tool like 1Password.
That's correct - ultimately you have to trust the client, and the client can change (we do update it from time to time).
There's always a user-experience tradeoff with security, and this is where we've chosen to draw the line. We understand this may not work for everyone, but we think this compromise will help the most people start using end-to-end encryption.
I've lost my password - help!
If you are still logged in on the web or desktop client, then go to Preferences → Select your graph (Probably titled My Brain) → Change password.
If you are logged out of the web or desktop client, then try following these steps:
- Check Chrome's stored passwords in case you stored it there (Chrome → Preferences → Passwords → Search for 'reflect')
- Check your Keychain on macOS (we back your password up there when using the desktop client). Search for 'reflect'.
- Lastly, send an email to firstname.lastname@example.org. Reflect makes daily backups to your disk, so it's possible we may be able to recover your notes. We will do what we can to help.