AES-256 · zero-knowledge

An Encrypted Task Manager Where We Physically Cannot Read Your Tasks

Most "encrypted" todo apps use server-side encryption: the company holds the keys and can decrypt your data when convenient. Zero-Friction Tasks uses true end-to-end encryption. The encryption key never leaves your devices.

The 60-Second Explanation

  1. You generate a sync code on first launch. It looks like AMBER-DELTA-7734. It never goes to the server.
  2. A key is derived from that sync code on your device. The key is used to AES-256 encrypt every task before it leaves your device.
  3. The encrypted blob goes to the server. The server stores it. The server cannot read it — it does not have the key.
  4. Your other devices use the same sync code to derive the same key and decrypt the blob locally. The plaintext exists only on devices you control.
  5. If subpoenaed, we can produce encrypted ciphertext. We cannot produce readable task content because we do not have the key.
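
The five steps above, sketched in Node.js as an added example (not Zero-Friction Tasks' own code). The page states only that a key is derived from the sync code and used with AES-256; scrypt, the GCM mode, the fixed salt, the routing id derived from the code, and all function names here are assumptions.

```javascript
// Added example. Assumptions (not from the page): scrypt as the KDF, AES-256-GCM
// as the mode, a fixed app-wide salt, and a routing id derived from the code.
const nodeCrypto = require('node:crypto');

const APP_SALT = Buffer.from('example-task-sync-v1'); // constructed value
const KDF = { N: 2 ** 15, r: 8, p: 1, maxmem: 64 * 1024 * 1024 }; // assumed cost

// Steps 1-2: stretch the sync code into 64 bytes on the device.
// First half is the AES-256 key; second half is a routing id the server
// can index rows by without ever receiving the code or the key.
function deriveSecrets(syncCode) {
  const okm = nodeCrypto.scryptSync(syncCode.normalize('NFKC'), APP_SALT, 64, KDF);
  return { key: okm.subarray(0, 32), routingId: okm.subarray(32).toString('hex') };
}

// Step 3: encrypt the whole task object (every field) into one opaque blob.
// Layout: 12-byte nonce | 16-byte GCM tag | ciphertext. The routing id is
// bound as AAD so a blob moved to another row fails authentication.
function encryptTask(secrets, task) {
  const iv = nodeCrypto.randomBytes(12); // fresh nonce per encryption
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', secrets.key, iv);
  cipher.setAAD(Buffer.from(secrets.routingId, 'hex'));
  const ct = Buffer.concat([cipher.update(JSON.stringify(task), 'utf8'), cipher.final()]);
  const blob = Buffer.concat([iv, cipher.getAuthTag(), ct]).toString('base64');
  return { routing_id: secrets.routingId, blob }; // what the server stores
}

// Step 4: another device re-derives the secrets and decrypts locally.
// Throws if the key is wrong or the stored row was modified.
function decryptTask(secrets, row) {
  const raw = Buffer.from(row.blob, 'base64');
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', secrets.key, raw.subarray(0, 12));
  decipher.setAuthTag(raw.subarray(12, 28));
  decipher.setAAD(Buffer.from(row.routing_id, 'hex'));
  const pt = Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]);
  return JSON.parse(pt.toString('utf8'));
}

// Constructed sample run: device A uploads, device B downloads.
function demo() {
  const deviceA = deriveSecrets('AMBER-DELTA-7734'); // code format from the page
  const row = encryptTask(deviceA, { text: 'renew passport', list: 'Personal', pinned: true });
  const deviceB = deriveSecrets('AMBER-DELTA-7734');
  return { row, task: decryptTask(deviceB, row) };
}
```

Because the sync code is the only secret in such a design, the confidentiality of the stored blobs is bounded by the code's entropy and the cost of the key-derivation function.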

Six Guarantees, Plainly Stated

AES-256 end-to-end

The same encryption standard used for classified government data and online banking. Tasks are encrypted on your device before any data leaves it.

We physically cannot read your tasks

Zero-knowledge architecture: the encryption key is derived from your sync code, which never leaves your devices. The server only sees ciphertext.

You are the only key holder

No key escrow. No "we can reset your password" — because there is no password. If you lose the sync code AND every device, even we cannot recover the data.

Encrypted at rest, encrypted in transit

Both directions of the wire are encrypted. The Supabase row holding your task is encrypted ciphertext, not a TLS-protected plaintext blob.

Every field, not just the task text

Task text, list names, pin status, custom organization data — everything is encrypted. Only routing metadata (e.g. which sync code a blob belongs to) is plaintext.

Audited code path, open API surface

The encryption layer is a documented surface in the open REST API at /api/v1/docs. You can verify the model by reading the spec — not just trust a marketing claim.

How This Compares

| App | Encryption model | Can the operator read your tasks? |
| --- | --- | --- |
| Zero-Friction Tasks | AES-256 end-to-end, zero-knowledge | No — physically cannot |
| Todoist | Server-side encryption (in transit + at rest) | Yes — operator holds keys |
| Microsoft To Do | Server-side encryption | Yes — operator holds keys |
| Notion (tasks DB) | Server-side encryption | Yes — operator holds keys |
| Apple Reminders | iCloud encryption (E2E with Advanced Data Protection) | Optional E2E (Advanced Data Protection) |
| Lunatask | End-to-end encryption | No |

Apple Reminders is end-to-end only with Advanced Data Protection enabled and works only across Apple devices. Lunatask is paid and macOS/iOS-focused. Zero-Friction Tasks is free, cross-platform, and end-to-end on every platform by default.

Common Questions

What happens if I lose my sync code?

The sync code is the only source of the encryption key. If you lose it and have no remaining device with the app installed, the encrypted data on the server cannot be recovered — by design. Save the sync code in a password manager (1Password, Bitwarden) when you generate it.

Can a court order force you to read my tasks?

We can be compelled to hand over data we hold. The data we hold is encrypted ciphertext. We do not hold the key, so we cannot produce readable content. This is the standard guarantee of zero-knowledge architecture.

Why no account?

Accounts create identity. Identity creates attack surface — phishing, password reset hijacks, OAuth token leaks. Removing the account removes the entire account-takeover threat class. The sync code is the only credential, and it stays on devices you control.

Is this slower than non-encrypted apps?

No measurable difference. AES-256 is accelerated by dedicated hardware instructions on every modern CPU and mobile SoC. Encrypting a task takes microseconds.

Can I disable cloud sync entirely?

Yes. Offline Mode disables cloud sync completely. Tasks stay only on the device they were created on. Use this when you want maximum isolation.

Try the Encrypted Task Manager

Open the Web App — generates a sync code, encrypts the first task, takes about 5 seconds. No signup, free forever.

Or read the full data-protection technical details.