APLEXICA

Built to be auditable. Open source, end‑to‑end encrypted.

Aplexica's security model is documented and the source is public. Read what we do, what we don't, and how to report a vulnerability.

Cloud: XChaCha20-Poly1305
Transport: X25519 · Ed25519
KDF: Argon2id

Four security pillars.

  • 01

    Open source daemon

    What runs on your machine is what is in the repo. Build it yourself if you prefer.

  • 02

    Zero-knowledge cloud

    XChaCha20-Poly1305 over a per-namespace key. Keys never leave your devices; Aplexica cannot read your content.

  • 03

    Customer-managed keys

    Enterprise customers can supply their own KMS-rooted keys. Aplexica becomes a transport that has no decryption capability.

  • 04

    Audit by default

    Every artifact change is signed and chained. Tamper-evident logs are exportable to your SIEM.

Your machine is the trust boundary.

The Open Source daemon makes zero network calls in its default configuration. When you opt into Cloud, sync uses XChaCha20-Poly1305 for content and X25519 + Ed25519 for transport. Keys are generated and stored on your devices. Aplexica's servers see only ciphertext.

Report a vulnerability.

Found a security issue? We want to hear about it. Email the address below; for sensitive details, please encrypt with the Aplexica security PGP key. We acknowledge reports within 72 hours.

Contact: security@aplexica.com
PGP fingerprint: TBD — published with the security runbook
Acknowledgement: Within 72 hours of report receipt.
Disclosure policy: Coordinated. Status within 7 days; decision within 90.

Read the full threat model.

The complete security architecture, threat model, and cryptographic primitives are documented in the docs portal.