Why workspace tools need the keys — and what changes when you say no

Every workspace tool you use today — Slack, Notion, Google Workspace, Microsoft 365, Dropbox — holds the keys to your data. This isn't laziness or oversight. It's because most of the features people expect from a workspace tool require the vendor to read what's inside.

If you've ever wondered why a tool with strong encryption claims can still serve you targeted ads or surface a workspace-wide AI search, the answer is that the encryption is in transit and at rest — but the vendor decrypted somewhere in between to compute the result. The keys exist. The vendor has them.

When we say Koaich made the opposite trade-off, we don't say it to brag. We say it to be honest about what we gave up. This page is the inventory.

Server-side search. Notion's full-text search across every page in your workspace, Slack's search across years of messages, Gmail's search across mailboxes — every one of those works because the vendor's servers can read the content and build an index. Without server-side decryption, search has to happen on your device, against data your device already has. Workable for current usage; harder for fast lookups across years of history.

AI grounding and summarization. When Notion AI summarizes a page, when Slack AI catches you up on a channel, when Gemini scans your calendar — they need to read the content to operate on it. Some implementations call out to a third-party model (sending your content to OpenAI or similar); some run model inference on the vendor's own infrastructure. Either way, plaintext access is on the path.

Customer support that can see what you see. When you email Slack support and say 'this message in this channel is broken,' a support engineer can pull up the channel and look. Convenient for the user; a structural read-access for the vendor.

Audit logs and admin oversight. Enterprise customers ask for 'a record of what employees said in case of an investigation.' To answer, the workspace tool has to read content. Compliance frameworks (HIPAA, SOX) sometimes require it.

Password recovery. The classic 'forgot password' flow only works because the vendor can re-derive your access to your data after you reset. That means a copy of your data lives somewhere they can decrypt.

Search, in Koaich, runs on your device. Your device has every message and document you've been given access to, so it can build an index locally and answer queries instantly. The cost is that 'search across every document ever shared with me, including ones I haven't synced yet' isn't free — your device has to be told the data exists. The benefit is that search queries themselves never leave your device.

AI runs server-blind. AI features that touch user content compose the minimum context client-side, send only what's needed to a model proxy that's configured not to retain, and decrypt the response on your device. Some features that depend on indexing all your data centrally (e.g., 'summarize my whole workspace') become 'summarize this chat thread' — narrower scope, but the privacy property is preserved.

Support can't read your channels. When you report a bug, our team gets metadata (timestamps, sizes, error codes) and asks you to share specific content if needed. Higher friction; preserves the property that no one inside the company can see anything no one outside can.

Audit logs, if a customer needs them, have to happen at the endpoint — before encryption — on a managed device. The vendor side can't generate them. This is a real cost for some enterprise compliance postures and the honest answer for those customers is that we're not currently the right tool.

Recovery uses Shamir secret sharing across the user's own devices on mobile, and WebAuthn passkeys on the web. Lose all devices without backup codes? Your data is gone — by design. See the recovery trade-off for the long version.

Workspace tools that hold the keys deliver features that workspace tools without the keys can't deliver. That's the trade-off. The question is which side is right for the kind of work you do.

For a marketing team running a community-facing wiki: the workspace tool holding the keys is fine. The content is public-facing anyway; the marginal privacy loss is small and the feature set is meaningful.

For a lawyer's matter files, a therapist's session notes, a startup's pre-announcement decks, a journalist's source contacts — the trade-off flips. The features matter less than the property that a compromised vendor doesn't compromise the content.

We chose to optimize for that second case. We were honest about what it costs.