The Encryption Claim Everyone Makes
Every SaaS vendor now claims "We encrypt your data."
But encryption is not zero-knowledge.
Zero-knowledge means:
- The vendor cannot see your data, even if they wanted to
- There is no encryption key the vendor possesses
- The vendor's architecture is designed so that decryption on their servers is cryptographically impossible
Encryption means:
- Your data is scrambled with a key
- The vendor may or may not have the key
- If they have the key (or get it later), they can decrypt your data
100+ vendors claim "zero-knowledge encryption." But only ~7% actually implement it.
Here's how to tell the difference.
The 5 Questions to Ask
1. Who holds the encryption key?
If the vendor holds the key (or can recover it), it's not zero-knowledge.
Example: "We encrypt your data with a key we derive from your password." If the vendor performs that derivation, it handles your password, and therefore the key, every time someone logs in, and can decrypt your data at that point. Not zero-knowledge.
Zero-knowledge: "We encrypt your data with a key only you hold. We never see the key."
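The two sentences above describe two different places the same password-derived key can be computed. The added example below, which is not from the original article or any vendor's code base, models both in plain Python: a server that receives the password and derives the key itself (it can decrypt whenever it likes), and a client that derives a master secret locally, splits it into an authentication verifier and an encryption key, and sends the server only the verifier and the ciphertext. The password, note text, class and function names are all constructed for this example, and the XOR stream cipher is a deliberately toy helper so the block runs with the standard library alone.

```python
import hashlib
import hmac
import os

# Sample values constructed for this example.
PASSWORD = "correct horse battery staple"
SECRET_NOTE = b"Q3 board deck draft - not for vendor eyes"


def derive_master(password: str, salt: bytes) -> bytes:
    """Slow password KDF. Iteration count is kept low so the example runs quickly."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000)


def subkey(master: bytes, purpose: bytes) -> bytes:
    """Domain-separated subkey (HKDF-expand style): one master, independent outputs."""
    return hmac.new(master, purpose, hashlib.sha256).digest()


def toy_xor_cipher(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Constructed toy stream cipher: HMAC counter keystream XORed with data.

    Symmetric, so one call both encrypts and decrypts. It exists only to keep
    the example self-contained; it has no integrity protection and is not a
    stand-in for a real AEAD.
    """
    keystream = bytearray()
    counter = 0
    while len(keystream) < len(data):
        keystream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(d ^ k for d, k in zip(data, keystream))


class VendorDerivedServer:
    """Model A: 'we derive the key from your password' happens on the vendor's server.

    The client sends the password; the server derives the key. Whether the key is
    cached, logged, or simply re-derived at the next login, the vendor had it.
    """

    def __init__(self):
        self.salt = os.urandom(16)
        self.derived_keys = {}  # what the server inevitably ends up holding
        self.store = {}

    def upload(self, user, password, data):
        key = subkey(derive_master(password, self.salt), b"enc")
        self.derived_keys[user] = key
        nonce = os.urandom(12)
        self.store[user] = (nonce, toy_xor_cipher(key, nonce, data))

    def vendor_reads(self, user):
        """No user present: the server alone recovers the plaintext."""
        nonce, ct = self.store[user]
        return toy_xor_cipher(self.derived_keys[user], nonce, ct)


class ZeroKnowledgeServer:
    """Model B: the key is derived on the client; the server stores only a salt,
    a hashed authentication verifier and ciphertext."""

    def __init__(self):
        self.store = {}

    def register(self, user, salt, auth_verifier, nonce, ciphertext):
        # Hash the verifier before storing it, exactly as you would a password.
        self.store[user] = {"salt": salt, "verifier_hash": hashlib.sha256(auth_verifier).digest(),
                            "nonce": nonce, "ciphertext": ciphertext}

    def salt_for(self, user):
        return self.store[user]["salt"]

    def fetch(self, user, auth_verifier):
        rec = self.store[user]
        if not hmac.compare_digest(hashlib.sha256(auth_verifier).digest(), rec["verifier_hash"]):
            raise PermissionError("authentication failed")
        return rec["nonce"], rec["ciphertext"]

    def everything_the_vendor_holds(self, user):
        return b"".join(self.store[user].values())


def zk_client_upload(server, user, password, data):
    """Client side of Model B: derive locally, send verifier + ciphertext only."""
    salt = os.urandom(16)
    master = derive_master(password, salt)
    auth, enc = subkey(master, b"auth"), subkey(master, b"enc")
    nonce = os.urandom(12)
    server.register(user, salt, auth, nonce, toy_xor_cipher(enc, nonce, data))
    return enc  # returned only so the demo can prove the server never stored it


def zk_client_read(server, user, password):
    master = derive_master(password, server.salt_for(user))
    auth, enc = subkey(master, b"auth"), subkey(master, b"enc")
    nonce, ct = server.fetch(user, auth)
    return toy_xor_cipher(enc, nonce, ct)


def compare_models():
    """Run both models on the same note and report who can read what."""
    a = VendorDerivedServer()
    a.upload("alice", PASSWORD, SECRET_NOTE)
    b = ZeroKnowledgeServer()
    enc_key = zk_client_upload(b, "alice", PASSWORD, SECRET_NOTE)
    held = b.everything_the_vendor_holds("alice")
    try:
        zk_client_read(b, "alice", "wrong password")
        wrong_rejected = False
    except PermissionError:
        wrong_rejected = True
    return {
        "vendor_derived_server_decrypts_alone": a.vendor_reads("alice") == SECRET_NOTE,
        "zk_user_roundtrip_ok": zk_client_read(b, "alice", PASSWORD) == SECRET_NOTE,
        "zk_server_holds_enc_key": enc_key in held,
        "zk_server_holds_plaintext": SECRET_NOTE in held,
        "zk_wrong_password_rejected": wrong_rejected,
    }


if __name__ == "__main__":
    for check, result in compare_models().items():
        print(f"{check}: {result}")
```

The design point is the split: one master secret, two domain-separated subkeys, and only the authentication branch ever leaves the device. Replacing the "auth" derivation with a password-authenticated key exchange or a hashed verifier does not change the property being demonstrated, which is that the record the vendor stores contains neither the password nor the encryption key. The guarantee does depend on the client code doing the derivation being the code the user thinks it is, which is why this question is only the first of five.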