Note content policy

Our company policy is, and shall forever remain, that we will not attempt to decrypt user note content.

This policy is on top of the technical safeguards we take to keep secure note data. Those safeguards include Vault Notes, which make it possible for notes to be locally encrypted without Amplenote servers possessing the decryption key.

linkThe role of "policy" within an overarching security strategy

We recognize that policy unto itself is insufficient to confirm security in an absolute sense. Still, as users, we prefer to use companies that have strong, security-centric policies over those that do not. Especially since "company policy" can be cited/analyzed in legal proceedings, companies like ours have very strong incentive not to make policies they do not expect to uphold.

Should you expect more than mere policy to secure your note data? Of course! That's why policy is only one vector among many employed to ensure your note data remains secure on Amplenote.

The reality is that even open source note apps (where you can ostensibly read/audit the code yourself) require you to "just trust them," to the extent their app is distributed as a downloaded .exe or .dmg from their website/servers. Even for open source note apps that hype up their security as their primary feature, if they distribute binaries:

How do you know their binary code is the same code they have published on GitHub? Trust.

How do you know their government hasn't ordered them to include a backdoor specific to your IP, delivered when your app auto-updates? Trust.

How do you know they won't attempt to decrypt notes if they haven't published an explicit policy about it? Trust.

In the end, there is virtually always some degree of trust you place in a software provider to keep your data safe. We strive to be as open, earnest, and transparent as possible to make clear the ways you are trusting us. Armed with the full picture of our technical implementation and this Note Content Policy, users have the information needed to make their own judgment about which teams treat security with the utmost respect it deserves.