/ MANIFESTO · WHY THIS EXISTS

Privacy as a property of the data, not a vendor promise.

Every workspace tool you use today holds the keys to your data. We made the opposite trade-off — and the trade is the entire point.

The default we accepted without noticing

If you write a document in Notion, the document is encrypted at rest on Notion's servers. If you send a message in Slack, the message is encrypted at rest in Slack's database. Same for Google Docs, Dropbox, Microsoft Teams, and every other workspace tool you use. All of them encrypt your data.

All of them also hold the keys to that encryption.

That sentence is the part the marketing pages skip. Encryption with vendor-held keys protects you from a stranger stealing the database file. It does not protect you from a vendor employee, a vendor breach, a vendor sub-processor, an external party asking the vendor for your data, or a future business decision the vendor makes about what to do with your content. Every one of those scenarios resolves the same way: the keys exist, the vendor has them, and your data turns back into cleartext on someone else's screen.

We didn't notice this for a long time because workspace tools never told us. They said "encrypted in transit and at rest" and we filled in the rest with optimism.

The cleaner trust model

There is a different way. It's the way a safe-deposit box works: the bank holds the box, but only you have the key. The vendor stores ciphertext. You — and only the people you grant access to — can ever turn that ciphertext back into a sentence.

This is called end-to-end encryption with user-held keys. It has a precise definition: the encryption keys are generated on your device, never transmitted to the server, never escrowed in a recovery service, never wrapped in a master key that the vendor controls. The server, no matter who is operating it on a given day, holds bytes that no key in its possession can unscramble.

End-to-end encryption was developed for private messaging. We built it for the rest of your work, and your personal life: documents, files, group rooms, AI drafts, and the inbox-bridged delivery that lets you reach people who don't have Koaich yet. Same threat model. Same trade-offs. Same property: even we can't read your data.

The trade-offs are real. We made them on purpose.

This trust model has costs. The vendor — us — can't help you recover if you lose all your devices and don't save your recovery codes. The vendor can't offer a server-side "search across everything you've ever written" because the server can't read it. The vendor can't feed AI grounding queries from your content, because the AI never sees plaintext either. The vendor can't provide an admin audit log of what employees said, because the audit log would have to contain things the vendor isn't allowed to read.

Each of those is a thing other workspace tools can do. Each of them is a thing we deliberately gave up.

We gave them up because the alternative — keeping the keys around so we could offer these features — would make the "we can't read your data" claim a polite lie. A vendor that can decrypt your data is a vendor that can be compromised, compelled, or quietly repurposed. The strongest possible privacy promise is the one the math enforces, not the one the policy describes.

Who this is for

It's for anyone who has ever paused before pasting client data into ChatGPT. Anyone who's thought twice about putting a draft of a sensitive document on Notion. Anyone who has watched a workspace tool announce a new AI feature and wondered, quietly, exactly which data of theirs is now in the training pile.

It's for the lawyer whose privilege claim has to survive a discovery motion. The therapist whose patient files belong outside the platform's reach. The accountant who shouldn't need a separate compliance posture to know their client's tax data is unreadable by a vendor support engineer. The startup that doesn't want its cap table on a shared cloud drive that a sub-processor might one day stumble through.

It's also for everyone else. There is no "personal grade" cryptographic step-down in Koaich. Either we encrypt your data or we don't — and we do, the same way, for every user, on every surface.

What we won't do

We won't claim we're "unhackable." Every system has a threat model, and ours is no exception — we've documented it publicly and we're commissioning an independent audit. What we will claim is that the threat model excludes us: an attacker who fully compromises our infrastructure still walks away with ciphertext.

We won't call our cryptography "bank-grade" or "military-grade." Those are marketing tropes that sophisticated buyers discount on sight. We use specific, named primitives — nacl.box for 1:1 messaging, MLS (RFC 9420) for group rooms, per-document symmetric keys wrapped to each recipient's device, Shamir's Secret Sharing for recovery, WebAuthn passkeys for web auth — and we'll happily walk through them with any security-conscious reviewer.
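The two paragraphs above describe the same mechanism from two sides: keys generated on the device and never sent to the server, and a per-document symmetric key wrapped to each recipient's device. The following is an added illustration of that design and is not Koaich's code. It uses Go's standard library X25519 (crypto/ecdh) and AES-256-GCM in place of nacl.box's XSalsa20-Poly1305, a constructed SHA-256 key-derivation step rather than a standard KDF, constructed AAD labels, and type and function names that are my own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
)

// NewDeviceKey generates a device's X25519 key pair locally. Only the public
// half is ever published; the private half is never uploaded or escrowed.
func NewDeviceKey() (*ecdh.PrivateKey, error) {
	return ecdh.X25519().GenerateKey(rand.Reader)
}

// StoredDocument is everything the server keeps: no plaintext, no bare key.
type StoredDocument struct {
	AuthorPub   []byte
	Ciphertext  []byte
	WrappedKeys map[string][]byte // hex(recipient public key) -> wrapped key
}

// Constructed domain-separation labels, bound into the GCM tags as AAD.
const docAAD, wrapAAD = "example-doc-v0", "example-wrap-v0"

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// seal: AES-256-GCM with a fresh random nonce prefixed to the output.
func seal(key, plaintext []byte, aad string) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil { return nil, err }
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return gcm.Seal(nonce, nonce, plaintext, []byte(aad)), nil
}

// open reverses seal; a wrong key, wrong AAD or any tampering fails the tag.
func open(key, sealed []byte, aad string) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil { return nil, err }
	n := gcm.NonceSize()
	if len(sealed) < n { return nil, errors.New("ciphertext too short") }
	return gcm.Open(nil, sealed[:n], sealed[n:], []byte(aad))
}

// wrapKDF: constructed SHA-256 derivation (not HKDF) of the wrapping key from
// the X25519 shared secret, bound to both parties' public keys.
func wrapKDF(shared, authorPub, recipientPub []byte) []byte {
	msg := append([]byte("example-wrap-kdf"), shared...)
	sum := sha256.Sum256(append(append(msg, authorPub...), recipientPub...))
	return sum[:]
}

// EncryptForDevices runs on the author's device: draw a fresh 256-bit document
// key, encrypt once, then wrap that key to each recipient via static-static
// X25519 (the nacl.box shape). The author's own device must be a recipient too.
func EncryptForDevices(author *ecdh.PrivateKey, plaintext []byte, recipients []*ecdh.PublicKey) (*StoredDocument, error) {
	docKey := make([]byte, 32)
	if _, err := rand.Read(docKey); err != nil { return nil, err }
	ct, err := seal(docKey, plaintext, docAAD)
	if err != nil { return nil, err }
	authorPub := author.PublicKey().Bytes()
	doc := &StoredDocument{AuthorPub: authorPub, Ciphertext: ct, WrappedKeys: map[string][]byte{}}
	for _, r := range recipients {
		shared, err := author.ECDH(r)
		if err != nil { return nil, err }
		w, err := seal(wrapKDF(shared, authorPub, r.Bytes()), docKey, wrapAAD)
		if err != nil { return nil, err }
		doc.WrappedKeys[hex.EncodeToString(r.Bytes())] = w
	}
	return doc, nil
}

// Decrypt runs on a recipient device. A key the document was never wrapped to
// (the server's, or anyone's who copied its database) has nothing to unwrap.
func Decrypt(device *ecdh.PrivateKey, doc *StoredDocument) ([]byte, error) {
	me := device.PublicKey().Bytes()
	w, ok := doc.WrappedKeys[hex.EncodeToString(me)]
	if !ok { return nil, errors.New("no wrapped key for this device") }
	authorPub, err := ecdh.X25519().NewPublicKey(doc.AuthorPub)
	if err != nil { return nil, err }
	shared, err := device.ECDH(authorPub)
	if err != nil { return nil, err }
	docKey, err := open(wrapKDF(shared, doc.AuthorPub, me), w, wrapAAD)
	if err != nil { return nil, err }
	return open(docKey, doc.Ciphertext, docAAD)
}
```

Decrypt succeeds only for a private key the document was wrapped to, so a full copy of the server's store (ciphertext plus wrapped keys) is useless to anyone else, and any modification of the stored bytes fails the GCM tag. What the example leaves out, and what a real deployment needs, is a way for devices to verify each other's public keys: the guarantee only holds if the public keys clients wrap to are the ones the intended recipients actually generated, which is the job of key transparency or out-of-band verification rather than this code.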

We won't add a password-recovery backdoor, because the existence of the backdoor would defeat the entire property we're selling. We won't train AI on your content. We won't ship a vendor-side content audit log, even when an enterprise buyer asks for one, because building it would compromise the guarantee for every other customer.

And we won't name competitors in the negative. Slack, Notion, Google Workspace, Microsoft 365 — they are good at what they do. They made a different trade-off than we did. We're not arguing they're bad. We're arguing that the trade-off they made should be a choice, and right now, for sensitive work, it isn't one.

The bet

The bet behind Koaich is that there is now a critical mass of people — small businesses, regulated professionals, security-minded individuals, families that care about their data, anyone who has thought hard about their threat model — for whom the trade-off "you take recovery seriously, the vendor can't read your data" is the obviously correct one. The same shift has already happened in encrypted messaging, encrypted email, and password management. Workspace tools are next.

That bet might be wrong. The product might end up being right for a smaller audience than we think, or might need a few iterations to land. But the property — privacy as a structural fact of the data, not a vendor pledge — is the kind of thing that compounds. Once you've worked inside a tool that can't read what you write, going back feels like leaving a door unlocked because the locksmith promised they wouldn't come in.

We made the trade-off. The math made the trade-off. The product is the consequence.

Join the waitlist.

Invites are going out in waves. Be early. Read the architecture if you want the technical detail.
