1KQ
Sign in

Security · Crypto-Exchange UX shipped

What we can and cannot read about you.

1KQ asks you the questions that map who you are. The answers are sensitive by design. This page is the contract for how we hold them — every claim below names the live artifact, file, or test that backs it without linking to private source.

The short version

Privacy Mode is on for every account.There is no toggle to remember and no "off" path for the encrypted surfaces: questionnaire answers, Dr. X conversations, persona chats, and self-reported profile use browser-held keys and envelope storage. Legacy plaintext routes are blocked for Privacy Mode users, and enclave writeback now fails closed instead of falling back to host plaintext.

Unlock with a passkey (when your authenticator supports the WebAuthn PRF extension) or a passphrase. Sign-out and idle both wipe the master key from your browser AND tell the enclave to drop its in-memory copy — explicitly, not "eventually". After that the server has nothing decryptable until you unlock again.

We don't run live voice. Audio never leaves your device — your browser does the speech-to-text locally, and the resulting text joins the same encrypted path as typed input.

Our Privacy Mode chat path runs through an AWS Nitro Enclave whose code is measured at boot. In Privacy Mode, your browser verifies the Nitro attestation document against the pinned AWS Nitro root and checks those measurements against the pinned manifest public/security/enclave-manifest.jsonand only then HPKE-seals your master key to the enclave's ephemeral public key. The Anthropic API call originates inside the enclave and traverses our host as opaque TLS bytes via vsock-proxy — the host process has no key for the TLS session. Agent writebacks require a grant and an enclave handler; if the enclave path is unavailable, Privacy Mode skips the writeback rather than storing plaintext on the host. A production health endpoint also checks runner health, attestation, plaintext sentinels, and break-glass controls.

The artifacts that back the claim

The complete data classification — every column in our database, mapped to OPERATOR_READABLE or USER_ONLY.

docs/DATA_CLASSIFICATION.md

A typed projection of the same classification, plus a per-feature page in the app.

/account/data-visibility (live)

The build manifest pinning every byte of client-side crypto code shipped in this build.

/build-manifest.json (live)

The full client-crypto inventory — every file allowed to perform crypto in your browser.

src/lib/crypto/inventory.ts

Master key lifecycle — how your passphrase, recovery mnemonic, and passkey-PRF wrap the master key.

docs/KEY_LIFECYCLE.md

Agent-fleet trust bridge — the contract for letting Enhanced Mode agents read your data.

docs/AGENT_FLEET_ENCLAVE.md

Browser-direct AI proxy contract — what the server is allowed to broker and what it isn't.

docs/BROWSER_DIRECT_AI.md

ZDR (zero-data-retention) contract status with each upstream model provider.

docs/ZDR_CONTRACTS.md

Live voice retirement — why we stopped streaming audio to vendors and what replaces it.

docs/RETIRE_LIVE_VOICE.md

Launch claims map — every public statement on this page traced to a file, test, or migration.

docs/LAUNCH_CLAIMS.md

Third-party audit readiness checklist — the scope statement we hand to a security firm.

docs/AUDIT_READINESS.md

What an attacker gets from a full database dump

In the current Privacy Mode architecture, an attacker who exfiltrates our entire production Postgres database and its backups gets metadata plus encrypted Privacy Mode payloads for supported encrypted surfaces:

  • Account identifiers (email, OAuth provider IDs)
  • MFA configuration (which factors are enrolled)
  • Session bookkeeping
  • The numeric personality vector for each user
  • Engagement counts
  • The audit log
  • Encrypted blobs they cannot decrypt without each user's key

For newly written Privacy Mode records on supported paths, they do not get:

  • Any answer to any question
  • Any Dr. X conversation
  • Any memory fact
  • Any persona conversation
  • Any voice transcript

The honest gaps

We refuse to ship security theatre. These are the parts of the system where the claim is weaker than we want it to be, with the explicit roadmap to close each one.

  • Anthropic still sees the plaintext on egress. Our enclave path keeps the app host blind to the turn, but the model itself is third-party. The bytes leaving the enclave to api.anthropic.com are encrypted in transit (TLS) but Anthropic decrypts them to do the inference. Closing this requires a self-hosted model and is the next horizon item.
  • Third-party public verification is still limited. Browser-side Nitro COSE / root-chain verification is in source today: the browser walks the COSE_Sign1 certificate chain, time-validates each cert, asserts the chain ends at the SHA-256-pinned AWS Nitro Enclaves Root G1, and verifies the leaf ECDSA P-384 signature over the payload before any PCR comparison. What is still limited: the repository and EIF build process are not yet public, independently reproducible artifacts. We can give auditors the source, tests, the live public/security/enclave-manifest.json, and the health evidence; we do not claim a public third-party attestation program until those artifacts are externally reviewed.
  • The third-party audit has not happened yet. We have written the scope statement and the readiness checklist; engagement starts after launch. Until then, the source-level evidence is available to auditors and invited reviewers, while public users can inspect the live build manifest and data-visibility page. The attestation manifest at public/security/enclave-manifest.json is published, but the current build is not yet an independently reproducible public attestation claim.

Reach us

Found a bug, a leaky claim, or a cryptographic concern? Email security@1kq.ai.