Promises aren’t proof. Crypto is.
Most tools ask you to trust their privacy policy. Qaxa is zero-knowledge by design: encryption happens on your device, and our servers store ciphertext. Don’t rely on paperwork alone. Rely on cryptography.
- No blind trust in the provider
- Inspectable encryption logic
- Client-side encryption you can verify
Don’t trust us. Inspect the code.
Security should not be a black box. Qaxa’s client-side encryption code is open source, so your team can inspect how keys are generated and how content is encrypted before it leaves the device.
Inspect the client code (soon)
Security questions, answered.
What Qaxa protects — and what it can’t see.
No. Qaxa cannot read the contents of your rooms.
Messages, files, notes, tasks, and comments are encrypted before they leave your device. Qaxa stores encrypted data — ciphertext — not readable content. We do not hold the keys needed to decrypt it.
Yes. Room content is encrypted on the sender’s device and decrypted on the recipient’s device.
That means your messages, files, notes, tasks, and comments are protected before they reach Qaxa’s servers. Our infrastructure stores and syncs encrypted data, but it does not see the readable content inside your rooms.
Encryption happens locally, on your device.
When you write a message, upload a file, create a task, or add a note, the content is encrypted in your browser before it is sent to Qaxa. Other room members decrypt it locally on their own devices using their keys.
Qaxa still needs some account and service data to operate.
For example, we may process email addresses for login, invitations, notifications, billing, account lookup, and abuse prevention. We may also store basic room membership and operational records needed to run the service.
What we cannot see is the readable content inside your rooms: the messages, files, notes, tasks, and comments.
A server breach should not expose readable room content.
Qaxa stores encrypted data, not plaintext messages or files. Without the users’ keys, the room contents remain unreadable. Some service metadata may still exist outside encryption, such as account emails, billing records, and operational logs.
That is the point of the model: reduce the damage if infrastructure is compromised.
Qaxa uses a self-custodial recovery model.
Because we do not hold the keys to your room content, we cannot simply reset access to encrypted data for you. You need your recovery details to restore access on a new device or after losing your password.
This protects your privacy, but it also means recovery details must be stored safely.
Zero-knowledge means Qaxa can provide the service without being able to read the private content inside your rooms.
We can help deliver, store, and sync encrypted data. But the actual room content is encrypted before it reaches us. We see ciphertext, not the readable messages, files, notes, tasks, or comments.
“We needed a place where sensitive files could move without giving the platform a readable copy. Qaxa gave us that without making clients learn a heavy system.””
