PRE-LAUNCH · WAITLIST OPEN

You own your data.

Encrypted on your device. Messages, docs, AI — all of it. The keys live with you; we never see them. The same wording the app shows on first launch, because the property is the product.

nacl.box / 1:1 MLS / groups WebAuthn / web Shamir / recovery

koaich · vault://board

YouTTL 24h

Q3 board memo attached. Per-recipient wrapping.

Naomi (counsel)TTL 24h

Got it. Reading now. [encrypted.file · 18.2 kb]

server.view

env(0x4a7c…d9 → 0x18b3…22) · 14:02:31 · 2,408 bytes

Server sees ciphertext.Only Naomi's device can decrypt this thread.

L3 / PER-OBJECT KEY

aes-256-gcm

/ THE ASYMMETRY

Privacy as a property of the data, not a vendor promise.

ENCRYPTION BOUNDARY

Locked before it leaves your device.

Messages, documents, files, and AI drafts are encrypted on-device under keys your phone or laptop generated. The private key never reaches our server.

KEY CUSTODY

We hold ciphertext. You hold keys.

Our database stores scrambled bytes and operational metadata. There is no master key in a vault in our office. Nothing for an insider, a breach, or an external request to decrypt.

ARCHITECTURE

One trust model. Across everything you do.

End-to-end encryption applied not just to messages but to documents, files, group rooms, AI drafts, and email-bridged recipients — for work threads, family logistics, medical records, financial planning, anything that should stay yours.

FREE TOOL · NO SIGNUP · ~60 SECONDS

What does your workspace
know about you?

Pick the tools you use — for work or personal. We'll show you exactly what each vendor can read, train on, or share with third parties.

Take the test→

/ COMPARE

The trust model, side by side.

Encryption claims sound similar. The trust model is where workspace tools split apart.

	Koaich	Slack	Notion	Google Workspace	Microsoft Teams	Discord	Signal
E2E encrypted messages by default	Yes	No	n/a	No	Only 1:1 calls (opt-in)	No (DAVE for voice only)	Yes
E2E encrypted documents	Yes	n/a	No	CSE on Enterprise Plus only	Customer Key on E5 only	n/a	n/a
E2E encrypted files	Yes	No	No	CSE on Enterprise Plus only	Customer Key on E5 only	No	n/a
Can the vendor read your content?	No	Yes	Yes	Yes (default tiers)	Yes (default tiers)	Yes	No
Send to a non-platform recipient via email (encrypted)	Yes (encrypted digest)	No	Shared link (cleartext)	Yes (cleartext)	No	No	No
Group key rotation on member churn	Yes (MLS)	No	No	No	No	No	Yes
Message TTL / auto-expiration	Yes, every message	Workspace retention policies	No	Retention policies	Retention policies	Premium, channel-level	Yes
Per-vault key isolation	Yes	No (workspace-wide)	No	No	No	No	n/a
Recovery without vendor-held keys	Yes (Shamir + WebAuthn)	No (password reset by vendor)	No	No	No (AD reset)	No	Yes (PIN)

CSE = Google's Customer-Side Encryption (Enterprise Plus only). Customer Key= Microsoft's E5 customer-managed keys.

DETAILED COMPARISONS →

/ QUESTIONS

Worth answering.

Can you read my data?+

No. Your data is encrypted on your device with keys we never see. Our servers hold ciphertext and operational metadata only.

What if I lose my phone?+

Your other Koaich devices each hold a Shamir-split share of the recovery secret. As long as you have at least one other device, you can recover. We deliberately don't hold a vendor-side spare — if we did, an insider could too.

Does it work for people who aren't on Koaich?+

Yes. They get a daily digest email with metadata only. When they click 'Open in Koaich,' they sign up or enter a one-time code, and the body is re-encrypted client-side under their real key.

When does it launch?+

Active build now, on iOS and web. Invites open in waves to waitlist members.

MORE · /SECURITY · /COMPARE · /LEARN

/ JOIN

Get on the waitlist.

Invites are going out in waves. Be early.

You own your data.We built a workspace to keep it that way.