Zero-knowledge, by construction.
Your leads, your keys, your data. We literally can\'t read it. Here\'s the architecture, the audit trail, and every ADR we\'ve signed so you don\'t have to take our word for it.
Derived client-side from a passphrase via scrypt (N=32768, r=8, p=1). SaudaFlow never sees the passphrase or the unwrapped TMK.
Every lead, contact, note, deal, document blob gets its own AES-256-GCM key wrapped by the TMK. AAD binds ciphertext to tenant + record_type + record_id.
HMAC-SHA256 blind indexes for phone (E.164) and email (lowercased). Free-text search runs client-side on decrypted local data.
Hostinger Mumbai VPS for compute. Backblaze B2 Mumbai for cold storage. Mumbai region pinned by contract.
Append-only, Ed25519-signed event log for every access. Admissible in a RERA hearing. Tenant-readable, SaudaFlow-readable for metadata only.
Data Principal Rights workflow built in: access, correction, erasure, portability. Consent ledgered. Breach notification automated.
What we see vs. what we don\'t.
| Field | We see | We don\'t |
|---|---|---|
| Lead name | — | cipher |
| Lead phone | blind-indexed hash | plaintext |
| Deal value | — | cipher |
| Call transcript | — | cipher |
| Payroll salary | — | cipher |
| Sale deed PDF | — | cipher |
| Tenant ID | plaintext | — |
| Seat count, plan, billing | plaintext | — |
| Request counts, latency | plaintext | — |
Architecture decisions on the record.
Every cryptographic decision is committed to an ADR. We don\'t change the contract quietly.
Read the full whitepaper, including threat model and key rotation policy.