Security & Transparency

End-to-End Encryption

Your posts are encrypted in your browser before they ever leave your device. We use AES-256-GCM, the same encryption standard used by governments and financial institutions worldwide.

const key = await crypto.subtle.generateKey(

{ name: "AES-GCM", length: 256 }

);

How It Works

  1. You write your post - Your content stays in your browser
  2. A unique key is generated - Using the Web Crypto API, a 256-bit AES key is created
  3. Your content is encrypted - The post is encrypted with AES-GCM before transmission
  4. The key is stored separately - The encryption key is server-encrypted and stored in an isolated table
  5. Only you can decrypt - Until your post drops, only you can request the decryption key

What We Can See

In the interest of transparency, here's exactly what data we have access to:

  • Your email address (for authentication)
  • Your handle (public identifier)
  • When you created your post and last checked in
  • The type of content (text, image, voice)
  • The OG hint you optionally provide for social shares

What We Cannot See

  • The actual content of your hidden posts
  • Your uploaded images or voice recordings (until public)
  • Your password (only a hash is stored)

Permanent & Immutable

Posts on dropifgone cannot be deleted or edited. This is enforced at the database level with PostgreSQL triggers that reject DELETE and UPDATE operations on content fields.

-- Database trigger prevents deletion

RAISE EXCEPTION

'Posts cannot be deleted. This is by design.';

This ensures that once a post drops, it remains a permanent record. Think carefully before you post.

Trust Model

While we've designed the system to minimize trust, you should understand:

  • We hold the encrypted keys. While encrypted, we technically have access to the master encryption secret.
  • Public posts are readable. Once a post drops, we can decrypt and read it like anyone else.
  • We could be compelled. A valid court order could require us to provide access to data.

Questions?

If you have security concerns or want to report a vulnerability, please contact us at security@dropifgone.com