Security & Privacy
Privacy isn't just a feature of NullPad; it's the foundation of the entire application.
Data Sovereignty
- Storage Engine: Notes are stored in IndexedDB, a robust local database. We maintain a non-persistent localStorage fallback for rare scenarios where IndexedDB may be unavailable (e.g., restrictive private browsing).
- At-Rest Encryption: You can enable AES-GCM encryption for your local database. When active, your notes are encrypted before being saved to the browser, ensuring that even if someone extracts your browser database file, the contents remain indecipherable without your session password.
- Browser Isolation: Your notes are isolated from other websites by the browser's built-in Same-Origin Policy.
No Behavioral Tracking
We believe your notes are private.
- Zero Tracking: We do not use behavioral trackers, session recorders, or marketing cookies.
- Anonymized Technical Logs: Like most web services, our infrastructure (Cloudflare/Firebase) processes technical logs (IP, request metadata) for security and DDoS protection. These are never used for user profiling. Refer to Cloudflare's and Firebase's privacy policies for details on their data handling.
Client-Side Encryption
Our Cloud Sync uses industry-standard AES-256-GCM encryption.
- Zero-Knowledge: Notes are indecipherable to us and our service providers.
- No Password Storage: Your password is never transmitted to or stored on our servers.
- Custom Salt Support: For advanced users, custom salts add an extra layer of entropy and control over the encryption process. Learn how to manage them in Sync & Storage.
Verifiable Transparency (Auditability)
NullPad's Encryption, Cloud Sync, and Storage Management features are kept open for manual auditing via your browser's developer tools (F12).
- Data Sovereignty: The logic for local encryption (AES-GCM), key derivation (PBKDF2), and server handshakes is exempt from obfuscation. This ensures you can verify that your Master Password is never transmitted and that all data leaving your browser is encrypted.
Authentication
We use Firebase Authentication to support Google and GitHub sign-ins.
- This allows for secure identity management without us ever handling your actual credentials.
- Your session is managed locally — we never handle your Google or GitHub credentials directly.
- Use of these providers is subject to their respective privacy policies.
Infrastructure & Reliability
Our backend consists of serverless applications utilizing Edge Computing architecture, global databases, and caching to ensure high availability, security, and low latency.
- Enterprise Edge Protection: We leverage Cloudflare's Web Application Firewall (WAF), DNSSEC, and advanced DDoS mitigation to protect the platform's integrity.
- Identity Management: We use Firebase Authentication for secure sign-ins, ensuring that your credentials never touch our proprietary infrastructure.
Security Auditing
For users on the Advanced Tier, NullPad provides an Audit Log feature.
- Transparent Access: View your own account's critical actions (Sign-in, Push, Pull).
- Privacy-First Logging: To protect your privacy, we log only the Operating System and type of action.
Account Deletion & Data Retention
We respect your right to be forgotten. NullPad implements a Soft Delete policy for your safety:
- Deletion Confirmation: Deleting your account requires a deliberate confirmation by typing your nickname followed by _delete.
- Grace Period: After a deletion request, your account is immediately suspended and inaccessible. You have a 30-day grace period to contact support if you wish to reverse the action.
Operational Responsibility
...