Does Craft Support End-to-End Encryption?

At Craft, we take security and privacy seriously. While we currently do not offer end-to-end encryption (E2EE), your data is still protected using strong encryption protocols throughout its lifecycle.

What Is End-to-End Encryption?

End-to-end encryption (E2EE) means that only the sender and the recipient can access the data—not even the service provider can decrypt it. In this model, your content is encrypted on your device and only decrypted on the recipient’s device, ensuring maximum privacy.

Craft does not use E2EE, because the app relies on cloud-based collaboration, real-time syncing, and multi-device access—features that require server-side data handling.

How Is My Data Protected in Craft?

While Craft does not currently offer end-to-end encryption, your data is protected using robust, industry-standard security measures at every stage.

Here’s how your content stays secure:

• Encryption in Transit
  All data sent between your device and Craft’s servers is protected using TLS (Transport Layer Security), preventing interception or tampering during transmission.
• Encryption at Rest
  • Document content and personal data are stored using AWS RDS default encryption.
  • Uploaded files and binary content (such as images or attachments) are protected using SSE-S3 encryption on Amazon S3.
• Secure Cloud Hosting (AWS)
  Craft is hosted on Amazon Web Services (AWS), a secure and trusted cloud platform used by leading global companies for its scalability and reliability.
• SOC 2 Type I & II Compliance
  Craft has undergone independent audits and is certified for SOC 2 Type I & II, confirming that we maintain high standards in system security, availability, and confidentiality.
• Strict Internal Access Controls
  Access to data is limited to authorized Craft personnel and only when necessary—for example, to provide support. All access is logged and carefully managed.
• Automated Backups
  Regular backups are performed to ensure your content is safe and recoverable in the unlikely event of data loss.
• Secure Login
  Craft uses email-based login with one-time verification codes instead of passwords, which helps reduce exposure to phishing and common security breaches.

For further information on our approach to protecting your data, we encourage you to review:

• Our full Security Overview
• Our Note on Data Policy, which explains our encryption approach and how your data is handled at each layer

Questions 

If you have any questions about data privacy or Craft's security model, feel free to reach out to our support team. We’re here to help.