<h1>How Tresor protects your privacy</h1><blockquote>In a nutshell: Tresor is built so that nobody — not Tresor's team, not the cloud provider, not anyone — can read your conversations. This isn't a policy choice; it's how the technology works.</blockquote><h2>The four pillars of Tresor's privacy</h2><h3>1. Encryption in your browser</h3>When you type a message, Tresor encrypts it in your browser before it leaves your device. The same happens with chat titles, project names, instructions, and file uploads. What travels over the internet and what's stored on Tresor's servers is ciphertext — scrambled data that's unreadable without your personal encryption keys.Think of it as putting your letter in a locked envelope before handing it to the postal service. Even though the postal service transports it, they can't read it.<h3>2. Sealed hardware enclaves</h3>Your encrypted message needs to be decrypted somewhere so the AI can read and respond to it. This happens inside a secure enclave — a special, isolated computing environment that's sealed off from everything else.Key properties of an enclave:<ul class="accent-bullets"><li>Nobody can look inside it — not Tresor, not the cloud provider, not even someone with physical access to the server.</li><li>It runs verified code — before your data enters the enclave, Tresor verifies that the code running inside hasn't been tampered with.</li><li>It has its own memory isolation — data in the enclave is protected by hardware-level barriers.</li></ul>Think of it as a sealed room with no windows. The AI works inside this room, reads your message, writes a response, and passes the encrypted response back to you. Nobody outside the room can observe what happened.<h3>3. Zero-access storage</h3>When your conversations are saved, they're stored in their encrypted form — ciphertext. Tresor's database contains only scrambled data. The encryption keys are derived from your password and stored in a way that only your browser can access.This means:<ul class="accent-bullets"><li>Tresor's engineers can't read your chats even if they access the database.</li><li>A data breach would expose only encrypted data that's useless without your keys.</li><li>No plaintext logging — operational logs record hashed IDs and health metrics, never chat content.</li></ul><h3>4. Verifiable privacy</h3>Tresor doesn't just ask you to trust its privacy claims — it provides cryptographic proof. Every message comes with a signed receipt that proves it was processed inside a verified, sealed enclave. You can check this proof at any time.See <a href="./verifying-your-privacy.md" target="_blank" rel="noopener noreferrer" class="cursor-pointer box-border border-b hover:border-b-[2px] transition-all duration-75 " style="text-decoration: none; border-color: var(--portal-accent-color);">Verifying your conversation's privacy</a> for details.<h2>How a message flows through Tresor</h2>Here's the complete journey of a message, step by step:<ol class="steps-list"><li>You type a message in your browser at chat.trytresor.com.</li><li>Your browser encrypts it using your personal encryption keys.</li><li>The encrypted message is sent directly to the secure enclave — Tresor's servers act only as a relay and cannot read the contents.</li><li>Inside the enclave, the message is decrypted and sent to the AI model (also running inside a secure enclave).</li><li>The AI generates a response inside the sealed environment.</li><li>The response is encrypted and streamed back to your browser.</li><li>Your browser decrypts it and shows you the response.</li><li>Both messages are stored in their encrypted form for your conversation history.</li><li>A verification receipt is generated to prove the message was processed privately.</li></ol>At no point in this journey does anyone other than you and the AI inside the enclave see the plaintext content.<h2>How your encryption keys work</h2>When you create your Tresor account, your browser generates encryption keys derived from your password. These keys are:<ul class="accent-bullets"><li>Never sent to Tresor's servers in a form Tresor can use.</li><li>Used by your browser to encrypt and decrypt content locally.</li><li>Unlocked only after successful account authentication (password, plus MFA when enabled).</li></ul>This is why your password and MFA setup are so important — they're the foundation of your privacy protection.<blockquote>⚠️ Note: Tresor does not use recovery codes. To avoid lockouts, register multiple MFA devices in Settings → Security. Tresor does not hold a plaintext backup key for your data.</blockquote><h2>Good to know</h2><ul class="accent-bullets"><li>Tresor's encryption covers chat messages, titles, project names, project instructions, and file contents.</li><li>Metadata like timestamps and message counts are stored, but content is always encrypted.</li><li>Tresor publishes a <a href="https://trytresor.com/papers/tresor-ai_white-paper.pdf" target="_blank" rel="noopener noreferrer" class="cursor-pointer box-border border-b hover:border-b-[2px] transition-all duration-75 " style="text-decoration: none; border-color: var(--portal-accent-color);">white paper</a> with more technical details of its security architecture.</li><li>All of this works automatically — you don't need to configure anything or think about encryption while using Tresor.</li></ul><details class="details-wrapper"><summary class="details-summary">🔍 Technical detail</summary><div class="details-content" data-type="detailsContent">Tresor's zero-access architecture consists of:<ul class="accent-bullets"><li>Client-side encryption: AES-256-GCM for content, with per-chat and per-project symmetric keys wrapped by the user's master key.</li><li>Key derivation: User master keys are derived from the password via the Supabase auth flow and stored encrypted in the user profile.</li><li>Enclave security: Messages are streamed directly from the browser to a Go-based enclave server running inside AMD SEV-SNP or Intel TDX hardware isolation. The enclave signs responses with ES256 (ECDSA) and publishes verification keys via JWKS.</li><li>Enclave Access Tokens (EAT): Short-lived Ed25519-signed tokens issued by the Nuxt server (Nitro) authorize the browser to stream directly to the enclave.</li><li>Provider attestation: Inference providers (Tinfoil, RedPill/Phala) run models inside their own TEEs with independent attestation chains verified by Tresor's enclave.</li></ul>For the full specification, see the <a href="https://trytresor.com/papers/tresor-ai_white-paper.pdf" target="_blank" rel="noopener noreferrer" class="cursor-pointer box-border border-b hover:border-b-[2px] transition-all duration-75 " style="text-decoration: none; border-color: var(--portal-accent-color);">Tresor white paper</a>.</div></details><h2>Related articles</h2><ul class="accent-bullets"><li><a href="https://tresorai.productlane.com/docs/privacy-and-security/what-is-a-secure-enclave" target="_blank" rel="noopener noreferrer" class="cursor-pointer box-border border-b hover:border-b-[2px] transition-all duration-75 " style="text-decoration: none; border-color: var(--portal-accent-color);">What is a secure enclave?</a> — More about the sealed rooms that protect your data.</li><li><a href="https://tresorai.productlane.com/docs/privacy-and-security/verifying-your-privacy" target="_blank" rel="noopener noreferrer" class="cursor-pointer box-border border-b hover:border-b-[2px] transition-all duration-75 " style="text-decoration: none; border-color: var(--portal-accent-color);">Verifying your conversation's privacy</a> — How to check the cryptographic proof.</li><li><a href="https://tresorai.productlane.com/docs/privacy-and-security/what-tresor-can-and-cannot-see" target="_blank" rel="noopener noreferrer" class="cursor-pointer box-border border-b hover:border-b-[2px] transition-all duration-75 " style="text-decoration: none; border-color: var(--portal-accent-color);">What Tresor can and cannot see</a> — A transparent data access breakdown.</li></ul>

Privacy and Security

Tresor uses zero-access architecture: your messages are encrypted in your browser, processed inside sealed hardware enclaves, and stored as ciphertext that nobody — including Tresor — can read.