Built for Security
CloakAI is designed from the ground up to protect your sensitive data. Here's how we keep your information secure.
Client-Side Encryption
Every message you send is encrypted in your browser using AES-256-GCM before it leaves your device. Your encryption key is derived from your passphrase using PBKDF2 with 600,000 iterations — it never leaves your browser.
Our servers store only encrypted blobs. Without your passphrase, the data is unreadable — even to us. There is no master key, no backdoor, and no recovery mechanism. You hold the only key.
Zero-Knowledge Storage
CloakAI uses a zero-knowledge architecture. Your conversation history is stored as encrypted ciphertext on our servers in the UK (London). We cannot read, search, or analyse your data because we never have access to your encryption key.
If our servers were compromised, attackers would find only encrypted blobs — useless without your passphrase. There is no server-side data to breach, subpoena, or misuse in plaintext form.
Secure Communications
All network communications use HTTPS with modern TLS protocols. Your encrypted data is transmitted over TLS, adding a second layer of encryption in transit on top of the client-side AES-256-GCM encryption.
AI requests pass through our stateless relay in the UK (London) to the AI service in the EU (Sweden). Plaintext exists only for the duration of the AI call and is never logged or stored on our servers.
Web search requests are also routed through the relay, which strips all client metadata (IP address, user-agent, and device identifiers) before forwarding to the search provider. No user identifiers reach the external search service, and search queries are never logged or retained.
No Tracking of Your Content
We do not log, track, or analyse the content of your conversations or documents. Your prompts and responses are transmitted for processing but are never retained, logged, or stored on our servers.
Optional anonymised usage analytics (which you can disable) contain only aggregate metrics like feature usage counts — never your actual content.
Responsible Disclosure
If you discover a security vulnerability in CloakAI, please report it to us at security@usecloakai.com. We take all reports seriously and will respond promptly.
Regulatory Alignment
CloakAI is designed with the EU AI Act, GDPR, and UK AI regulation in mind. Our zero-knowledge architecture supports transparency, data minimisation, and human oversight by design.
Questions about our security?
We are happy to discuss our security measures in more detail.