The workspace privacy primer.
Plain-English explainers. No jargon, no marketing. Read in order, or pick the one that maps to a question you've already had.
What is end-to-end encryption? A plain-English explainer.
End-to-end encryption (E2E) means a message is sealed on your device and only opens on your recipient's device — no one in the middle can read it. Here's how it actually works.
Key custody, explained: who holds the keys to your workspace?
Every encrypted workspace has keys. The question is who holds them. Here's why key custody is the most important detail in any encryption claim.
Why we don't have password recovery (and that's the feature)
Every workspace tool that lets you 'reset your password and get back in' is keeping a copy of your data somewhere they can decrypt. Here's why we made the opposite trade-off.
Why workspace tools need the keys — and what changes when you say no
Server-side search, AI grounding, customer support, audit logs, password recovery — all of them need the vendor to hold the keys to your data. Here's what each feature looks like when you build the opposite trade-off.
Forward secrecy in plain English
Forward secrecy means a key compromised tomorrow can't read messages from yesterday. It's a property most workspace tools don't have. Here's what it is, why it matters, and how groups achieve it.
What's MLS, and why does it matter for workspace privacy?
MLS (Messaging Layer Security, RFC 9420) is the IETF protocol that gives groups of any size the same encryption properties Signal popularized for one-on-one chat. Here's what it is, what it solves, and why workspace tools should care.
What is Google Workspace Client-Side Encryption (CSE), and what does it actually protect?
Google's CSE is the closest workspace-tool feature to what Koaich does by default. It's also gated behind Enterprise Plus licensing and a customer-run KMS. Here's what it covers, what it doesn't, and how it compares.
What is Microsoft Customer Key, and what does it actually protect?
Customer Key is Microsoft's enterprise feature for letting customers hold the encryption keys to their Microsoft 365 data. Here's what it covers, what's required to use it, and how it compares to a default-E2E approach.
What is Shamir's Secret Sharing, and why does Koaich use it for recovery?
Shamir's Secret Sharing splits a secret into pieces such that any k of n pieces can reconstruct it but fewer cannot. Here's the math in plain English, and why it's the right primitive for vendor-blind account recovery.
What does Slack actually do with your messages?
Slack's privacy posture in concrete terms — who can read your messages, what's used for AI, what gets retained, and what would be produced under a legal demand.
What can a workspace tool actually produce under a subpoena?
A practical breakdown of what Slack, Notion, Google Workspace, Microsoft 365, Dropbox, and Koaich can produce in response to a legal demand — and why architecture determines the answer more than policy does.
Zero-knowledge vs. end-to-end encryption: what's the difference?
Two terms often used interchangeably. They're related but not the same — one describes a service's posture, the other describes a cryptographic property. Here's how they connect.
Can a vendor read 'encrypted' data? It depends on which encryption.
Almost every workspace tool advertises encryption. Most of them can still read your data. Here's the difference between the encryption that protects you from outsiders and the encryption that doesn't protect you from the vendor.
WebAuthn passkeys vs. passwords: a workspace-tool comparison
Why a passkey is structurally a stronger authentication primitive than a password — and what changes when a workspace tool drops passwords entirely.
Is end-to-end encryption legal? Where it is, where it isn't, and what's pending.
End-to-end encryption is legal in the United States, the EU, the UK, Canada, Australia, and most democracies. Several jurisdictions have proposed restrictions; some have passed measures that affect how it's deployed. Here's the current landscape.
What metadata can an encrypted workspace tool still see?
End-to-end encryption protects content. Metadata — who messages whom, when, how much, from where — has its own privacy properties. Honest framing of what stays visible even on E2E platforms.
How to evaluate a vendor's security promises (a buyer's checklist)
Every workspace tool says it takes security seriously. Most of them mean different things by that phrase. Here's a concrete checklist for separating architectural claims from marketing.