Your email stays yours
Local-first architecture, zero-knowledge encryption, and explicit AI consent boundaries.
Local-first architecture
TwinMail stores all email content and metadata on your device. We use cloud infrastructure purely as an encrypted transport layer, never as a source of truth. Your device is sovereign.
- SQLite + FTS5 for local search
- Offline-first by design
- Cloud relay receives only ciphertext
Vault encryption
Each logical data boundary (a Person or Account) is backed by an encrypted Vault. Databases are encrypted using XChaCha20-Poly1305 with per-Vault key hierarchies derived via Argon2id and HKDF.
- Ed25519 event signatures
- X25519 envelope encryption
- Epoch-based key rotation with device enrollment
Zero-knowledge sync
Multi-device sync encrypts all data client-side before transmission. The relay server is treated as untrusted storage — clients verify signatures and decrypt locally. We cannot read your emails.
- Relay sees only encrypted blobs
- Clients queue events locally during outages
- No metadata exposure to relay
AI consent boundaries
Local AI runs by default with no data leaving your device. Cloud AI features require explicit, per-action consent via a consent sheet showing the exact payload before transmission. Requests and responses are recorded as encrypted audit events.
- Per-action consent sheet with payload preview
- No AI provider trains on your data
- Encrypted audit log for compliance
Provider connections
We connect to email providers via OAuth where available, or application-specific passwords. Credentials are stored exclusively in your encrypted local Vault and never transmitted to Twindevs servers.
- OAuth-based for Gmail, Outlook, iCloud
- Application passwords for IMAP/SMTP
- Credentials never leave device
Compliance posture
Our zero-knowledge architecture significantly simplifies compliance. We are preparing for GDPR and CCPA readiness with data subject access request workflows, data retention automation, and international transfer protections.
- GDPR and CCPA rights supported
- Standard Contractual Clauses for transfers
- SOC 2 Type I preparation in roadmap
Data residency
What lives where.
Trust assumptions and boundary conditions
- Operator endpoints are part of the trust boundary and must be managed with standard endpoint controls.
- Cloud sync stores ciphertext and metadata required for transport, not decrypted message bodies.
- Cloud AI processing is outside local-only mode and is invoked only after explicit operator consent.
| Data type | Location | Encrypted |
|---|---|---|
| Email content, bodies, attachments | Your device only | Yes (Vault) |
| Search indices | Your device only | Yes (Vault) |
| Provider credentials | Your device only | Yes (Vault) |
| Sync blobs (multi-device) | Cloudflare R2 (US) | Yes (client-side) |
| Account info (email, name) | Twindevs servers | Encrypted at rest |
| Billing info | Stripe | PCI DSS Level 1 |
| AI request payloads | AI provider (opt-in only) | In transit (TLS) |
Request a technical preview
Get early access to evaluate TwinMail for your team.
Read trust documentation