Security at PAAVS

Built with security as the foundation, not an afterthought.

Zero-Knowledge Encryption

PAAVS uses a zero-knowledge architecture. Your emails are encrypted on your device using AES-256-GCM before transmission. The encryption keys are derived from your password and never leave your device.

🔐 We cannot read your emails – ever.

Figure 1: Client-side encryption flow

Encryption Standards

  • In Transit: TLS 1.3 for all connections
  • At Rest: AES-256-GCM encryption
  • Key Derivation: PBKDF2 with 100,000 iterations
  • Password Storage: bcrypt with cost factor 12
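
The client-side flow described under Zero-Knowledge Encryption, with the key-derivation and cipher parameters listed above, as an added example in Node.js (not PAAVS's own code). Only PBKDF2 with 100,000 iterations and AES-256-GCM come from this page; the SHA-256 PRF, salt and nonce sizes, per-message salt, associated data and envelope layout are assumptions.

```javascript
// Added example, not PAAVS code. Assumed: SHA-256 PRF, 16-byte salt,
// 12-byte nonce, per-message salt, and the envelope layout.
const crypto = require("node:crypto");

const PBKDF2_ITERATIONS = 100000; // from the page
const KEY_LEN = 32;               // 256-bit key for AES-256-GCM
const SALT_LEN = 16;              // assumption
const NONCE_LEN = 12;             // assumption: 96-bit GCM nonce

// Password -> key. Runs on the client; the key is never sent anywhere.
function deriveKey(password, salt) {
  return crypto.pbkdf2Sync(password, salt, PBKDF2_ITERATIONS, KEY_LEN, "sha256");
}

// Encrypt before transmission; only the returned envelope leaves the device.
function encryptEmail(password, plaintext, aad = "") {
  const salt = crypto.randomBytes(SALT_LEN);   // fresh salt => fresh key
  const nonce = crypto.randomBytes(NONCE_LEN); // must never repeat under one key
  const key = deriveKey(password, salt);
  const cipher = crypto.createCipheriv("aes-256-gcm", key, nonce);
  cipher.setAAD(Buffer.from(aad, "utf8"));     // authenticated, not encrypted
  const ct = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  return { salt, nonce, ct, tag: cipher.getAuthTag() };
}

// Returns the plaintext, or null when the password is wrong or any part
// of the envelope (ciphertext, tag, nonce, salt, AAD) was altered.
function decryptEmail(password, envelope, aad = "") {
  try {
    const key = deriveKey(password, envelope.salt);
    const decipher = crypto.createDecipheriv("aes-256-gcm", key, envelope.nonce);
    decipher.setAAD(Buffer.from(aad, "utf8"));
    decipher.setAuthTag(envelope.tag);
    const pt = Buffer.concat([decipher.update(envelope.ct), decipher.final()]);
    return pt.toString("utf8");
  } catch {
    return null; // GCM authentication failed
  }
}

// Constructed sample input.
const sample = encryptEmail("correct horse battery staple", "Meeting moved to 15:00", "msg-id:1");
console.log(decryptEmail("correct horse battery staple", sample, "msg-id:1"));
```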

Email Security

  • SPF: Sender Policy Framework to prevent spoofing
  • DKIM: DomainKeys Identified Mail for message authentication
  • DMARC: Domain-based Message Authentication, Reporting and Conformance for policy enforcement
  • DANE: DNS-based Authentication of Named Entities

Infrastructure Security

Our infrastructure is designed for security:

  • Hosted on Fly.io with encrypted storage
  • DDoS protection via Cloudflare
  • Regular security audits and penetration testing
  • Automated vulnerability scanning
  • Strict access controls and audit logging

Responsible Disclosure

We welcome security researchers to report vulnerabilities responsibly. If you discover a security issue, please email [email protected].

We commit to:

  • Acknowledging your report within 24 hours
  • Providing regular updates on our investigation
  • Crediting researchers who follow responsible disclosure
  • Not pursuing legal action against good-faith researchers

Compliance

PAAVS is designed with privacy regulations in mind, including GDPR and CCPA principles. We minimize data collection and provide full data export and deletion capabilities.