Security at Locki

Security is at the heart of Locki. We built our platform with one principle: your plaintext data should never leave your browser — ever. This page outlines our security architecture and what it means for your organization.

1. Local Encryption

All encryption and decryption happen locally in your browser. Locki never transmits, stores, or accesses your plaintext. Your encryption keys remain entirely under your control — the extension uses them only in memory, never sending them in plaintext to any server.

2. Zero Knowledge Architecture

We designed Locki with a strict zero-knowledge model. Organization keys stored on our servers are held only as AES-GCM encrypted blobs, encrypted with a key derived from your organization's master secret. We store encrypted blobs, not usable keys: even if our database were compromised, your keys would remain protected.

3. Encryption Standards

Locki uses AES-256-GCM — the same algorithm used by financial institutions, governments, and cloud providers for protecting sensitive data. Every encrypted payload includes a unique 12-byte IV to prevent replay attacks. This is implemented using the browser's native Web Crypto API, not third-party libraries.

4. No Plaintext Data Collection

Locki does not collect the content of what you encrypt. Audit logs capture metadata only — actor, action, key ID, timestamp, and web app URL — never the plaintext or ciphertext of your messages. This design ensures GDPR compliance by default.

5. Open Transparency

We believe privacy tools must be verifiable. Locki's core cryptographic functions are designed to be open for independent review and audit. The encryption marker format, the prepended-IV layout, and the key storage format are documented and auditable by your security team.

6. Responsible Disclosure

We welcome responsible security research. If you discover a vulnerability in Locki, please contact us immediately at contact@lockisecurity.com. We take every report seriously and respond promptly.

Last updated: April 15, 2026