Simply Once home

Security

Your data is yours. We built Simply Once so we can’t read it.

Everything you keep in Simply Once is encrypted on your own device before it ever reaches us. We only ever store scrambled data, and the key to unlock it never leaves your device. So no one at Simply Once — and no one who breached our servers — can read what’s inside your vault. Only you can.

What “zero-knowledge” actually means

When you save something in Simply Once, it’s scrambled — encrypted — on your phone or computer first. The scrambled version is the only thing that travels to us, and the only thing we store. We never see the readable version.

The key that unscrambles it is created from your master password and stays on your device. We never receive your master password, and we never store your key. So even as your vault syncs across your devices, we’re only ever moving and holding locked boxes we have no way to open.

That’s what zero-knowledge means: we have zero knowledge of what’s inside your vault.

The encryption, specifically

For anyone who wants the details, here’s exactly how your data is protected.

  • Your encryption key is derived from your master password using Argon2id — a modern, memory-hard key-derivation function — configured with 64 MiB of memory, 3 iterations, and 4 lanes of parallelism. Argon2id is the current OWASP-recommended choice; its memory-hardness is what makes large-scale password-guessing attacks impractical.

  • Your vault contents are encrypted with AES-256 — specifically AES-256-CBC with an HMAC-SHA256 authentication tag (encrypt-then-MAC) — the same encryption standard trusted by governments and financial institutions.

  • When you share a vault or sync across devices, keys are wrapped with RSA-2048 (OAEP, SHA-256), so our servers only ever handle keys that are themselves encrypted.

  • Every encryption key and salt is generated using your device’s cryptographically secure random number generator.

  • Your master password is never transmitted to us and never stored — anywhere. The keys derived from it exist only in your device’s memory while your vault is unlocked, and are erased the moment you lock it or sign out.

What this means for you

Your data is protected by more than one layer:

Encrypted before it leaves your device. This is the core: we only ever receive and store data you’ve already locked.

Encrypted in transit. Everything moving between your device and our servers travels over an encrypted HTTPS/TLS connection — a second layer on top of the encryption already applied to your data.

Encrypted at rest. The servers that store your already-scrambled data keep it on disks that are themselves encrypted at rest — defense in depth, even though the data is useless without your key.

In plain terms:

  • If our servers were ever breached, your vault stays safe. An attacker would find only encrypted data, with no key to unlock it.
  • We can’t hand over your data in readable form — to anyone — because we don’t have it. We can only ever produce the same scrambled data we store.
  • Your master password is the one thing we can’t recover. Because it never reaches us, we can’t reset it or unlock your vault for you. That’s the trade-off that makes true zero-knowledge possible — and it’s why setting up trusted emergency access matters, so the right people can reach what they need if something happens to you.

Common questions

Can anyone at Simply Once see my data?

No. Your data is encrypted on your device with a key we never receive. We only ever hold the scrambled version, and we have no way to unlock it — not our staff, not our servers.

What happens if Simply Once is breached?

An attacker would find only encrypted data they can’t read, because the keys to unlock it never leave your device and are never stored on our servers. As an added layer, the disks that data sits on are encrypted at rest too.

What if I forget my master password?

Because your master password never reaches us, we genuinely can’t recover or reset it for you — that’s what makes your vault truly private. This is why we encourage setting up recovery options and trusted emergency access in advance, so you and the people you trust aren’t locked out. How trusted emergency access works

Is it safe to store passwords and documents online?

With zero-knowledge encryption, your information is safer in Simply Once than scattered across email, texts, and unencrypted files — because everything is encrypted before it leaves your device, and only you hold the key.

Do you use or sell my data?

We couldn’t, even if we wanted to — we can’t read it. Simply Once is paid for by subscriptions, not by your data. See our plans

Security you don’t have to think about

Your vault, encrypted before it ever leaves your device. Be among the first to use Simply Once.