The contents of your notes are end-to-end encrypted. This means that nobody else can see your notes.
We encrypt all your notes on the client with a cipher called XChaCha20-Poly1305 before sending them to our servers. We use the password you supplied us as the key for this encryption (the password never leaves your machine). The data stored on our servers is an encrypted blob which we can’t read.
Images and files you add to your notes are also end-to-end encrypted.
For Whisper audio recordings, we process the audio with OpenAI’s API (which involves sending the raw audio to them). As soon as the recording is processed we sync the transcription to your notes and delete the audio file on our end. Similarly, text selected and processed with our AI feature is also sent to OpenAI’s servers. OpenAI’s terms of service state they delete data after 30 days.
If you want to get really nerdy, you can check out the library we built to do all this encryption client-side.
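To make the flow above concrete, here is an added example (it is not Reflect's library or code) of how a client can encrypt a note with an AEAD cipher keyed from the user's password, so that the server only ever receives an opaque blob. Reflect's library uses XChaCha20-Poly1305 (24-byte nonce); the `cryptography` package used here ships only the IETF ChaCha20-Poly1305 variant (12-byte nonce), so that variant is substituted. The scrypt parameters, the blob layout (salt, nonce, ciphertext) and the use of the note id as associated data are assumptions for illustration.

```python
"""Client-side note encryption sketch (added example, not Reflect's code).

Models the flow the page describes: the note body is encrypted on the
client with an AEAD cipher keyed from the user's password, and only the
resulting blob (plus the public salt and nonce) is handed to the server.
ChaCha20-Poly1305 (12-byte nonce) stands in for XChaCha20-Poly1305 here
because the `cryptography` package does not provide the X variant.
"""
import hashlib
import os
from typing import Optional

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import ChaCha20Poly1305

SALT_LEN = 16   # assumed layout: per-note KDF salt
NONCE_LEN = 12  # ChaCha20-Poly1305 IETF nonce size


def derive_key(password: str, salt: bytes) -> bytes:
    """Stretch the password into a 256-bit key (assumed KDF: scrypt).

    Using the raw password bytes directly as the key would make offline
    guessing cheap; a memory-hard KDF with a random salt is assumed here.
    """
    return hashlib.scrypt(
        password.encode("utf-8"), salt=salt, n=2 ** 14, r=8, p=1, dklen=32
    )


def encrypt_note(password: str, note_id: str, plaintext: str) -> bytes:
    """Encrypt on the client; the returned blob is all the server stores."""
    salt = os.urandom(SALT_LEN)
    nonce = os.urandom(NONCE_LEN)  # must never repeat under the same key
    key = derive_key(password, salt)
    # The note id is bound as associated data so a blob cannot be silently
    # swapped between notes without failing authentication.
    ciphertext = ChaCha20Poly1305(key).encrypt(
        nonce, plaintext.encode("utf-8"), note_id.encode("utf-8")
    )
    return salt + nonce + ciphertext


def decrypt_note(password: str, note_id: str, blob: bytes) -> Optional[str]:
    """Decrypt on the client; returns None on wrong password or tampering."""
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    ciphertext = blob[SALT_LEN + NONCE_LEN:]
    key = derive_key(password, salt)
    try:
        return ChaCha20Poly1305(key).decrypt(
            nonce, ciphertext, note_id.encode("utf-8")
        ).decode("utf-8")
    except InvalidTag:
        # Wrong password, wrong note id, or a modified blob: the Poly1305
        # tag check fails before any plaintext is released.
        return None


if __name__ == "__main__":
    blob = encrypt_note("correct horse battery staple", "note-1", "my private note")
    print("server-side blob (hex):", blob.hex())
    print("decrypted:", decrypt_note("correct horse battery staple", "note-1", blob))
    print("wrong password:", decrypt_note("wrong", "note-1", blob))
```

The part worth noticing is that the plaintext never appears in the blob, and that a wrong password, a swapped note id or a single flipped ciphertext byte all fail the authentication tag rather than yielding garbled text.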
Our security and encryption have been independently and successfully audited by https://www.doyensec.com.
At the design level, Doyensec found the system to be well architected. Cryptographic primitives and their usage are sound, with no vulnerabilities or misconfigurations identified.
Here is the summary:
Doyensec_Reflect_SecurityTestingReport_Q22021.pdf
During Reflect's sign-up process we prompt you for a password to use for the end-to-end encryption.
It's very important that you do not lose your password; otherwise you will permanently lose access to your notes.
We highly recommend generating and storing this password with a tool like 1Password.
That's correct - ultimately you have to trust the client, and the client can change (we do update it from time to time).
There's always a user-experience tradeoff with security, and this is where we've chosen to draw the line. We understand this may not work for everyone, but we think this compromise is going to help the most people start using end-to-end encryption.
You may have noticed that Reflect can pull information around companies and contacts (such as a person’s LinkedIn profile or a company domain preview).
Essentially what’s happening is that Reflect scans notes with a #company or #person tag. If we can find a relevant email or company domain name within that note, then we ping clearbit.com for enrichment information.
We don't send any identifying information to Clearbit as to who's making the request. Clearbit also makes their own guarantees around data privacy.
If you are still logged in on the web, iPad, or desktop app, then go to Preferences → Select your graph in the sidebar (probably titled My Brain) → Click Change password.
If you are still logged into the iOS app, then tap on your graph (top left round button), then tap Generate recovery kit, and use that recovery kit to reset your password.
If you are logged out of all the clients, then try following these steps:
reflect
reflect-recovery-kit-xxxxx in your Downloads folder.