Privacy

Privacy is fundamental to local-first software, and Evolu takes it seriously. Unlike traditional client-server applications where data lives on someone else's servers, Evolu ensures that data remains under complete control while providing the synchronization and backup benefits needed.

End-to-end encryption by default

Everything in Evolu is encrypted end-to-end. This means:

  • Data is encrypted on the device before it ever leaves
  • The Evolu Relay receives only encrypted binary data
  • Only devices with the correct encryption keys can decrypt the data
  • Even if someone intercepts the data in transit or gains access to the relay, they see only meaningless encrypted bytes

The encryption happens automatically—developers don't need to configure it, and users don't need to think about it. It's built into the core of how Evolu works.

API design prevents data leaks

Evolu's API is designed to make it impossible for developers to accidentally leak sensitive data:

  • No public data options: There is no API to mark data as "public" or "unencrypted"
  • No configuration required: Developers cannot disable encryption or create security vulnerabilities through misconfiguration

This eliminates an entire class of privacy breaches that occur when developers accidentally expose sensitive data through configuration errors or API misuse.

Traffic analysis protection

To prevent traffic analysis attacks, Evolu uses message padding (PADMÉ)—a technique that pads binary messages to obscure their actual size. Combined with end-to-end encryption, this ensures that traffic analysis cannot reveal information about data or usage patterns.

Relay blindness by design

The Evolu Relay is completely blind to users data. What the relay sees:

  • OwnerId: A unique identifier for the data owner (but not who that owner is)
  • Timestamps: When changes occurred (for synchronization ordering)
  • Encrypted binary blobs: The actual data, completely encrypted and padded to obscure size
  • IP addresses: Network addresses of connecting clients (standard for any network service unless using Tor or similar privacy networks)

The relay functions purely as a message buffer for synchronization and backup—it stores and forwards encrypted messages without any ability to decrypt, analyze, or understand them.

Because the relay is blind:

  • Any relay can be replaced with another without losing functionality
  • Self-hosting is possible if desired
  • The relay cannot become a single point of failure for privacy
  • There's no vendor lock-in or dependency on a specific service

Was this page helpful?