Frequently Asked Questions
Do you store my messages?
When a message is sent, it is deleted from the local iPhone and transmitted to our servers. The data transfer is encrypted (enciphered).
The message is stored by a third party infrastructure provider (Amazon Web Services) under our control. When the message is read, we first delete the message from our servers before sending it. The data transfer is encrypted. The receiver reads the message. It is not stored on their file system but shown on their screen until it is manually deleted or deleted due to timeout (or attempted device tampering).
Do you know who I am talking to?
We have no automatic way to retrieve this information from what we have on our servers. But if we were asked to check a specific mailbox name, we could find the name. Technically, this is called a salted one-way cryptographic hash function.
Is the service affected by the Heartbleed vulnerability?
The 'HeartBleed' security vulnerability, also known as CVE-2014-0160, does not affect the service. It is possible that there are other non-published vulnerabilities (also known as zero day vulnerabilities) could affect our systems, as per the rest of the Internet community. We apply engineering best practice to guard our systems.
Can an appropriate Government entity gain access to the system?
If a government entity gained access to our systems, they could see a message not yet delivered. They would not know who it was for. It could be possible to work out who the messages were for, but this requires further access: the Internet/Cell Phone service provider, the App Store billing and distribution systems, and the back-end IT service provider.
Other services offer military grade security - how about you?
We only use standard cryptographic techniques. This is appropriate and correct for secure message transfer.