Your messages can only be read by you and your recipients.
Not even by us.
At EchoPass, we cannot read your messages. This is not a marketing promise - it is a technical constraint. Your messages are encrypted with a key derived from your password before being stored. We never store your password or your decryption key.
In the event of a legal request or a breach of our infrastructure, the data stored on our servers is useless without your password.
In addition to your password, EchoPass offers three two-factor authentication (2FA) methods. If your password is stolen, your account stays protected. Codes are hashed with Argon2id and expire automatically.
A 6-digit code sent to your email address, hashed with Argon2id before storage. Available on all plans.
A 6-digit code sent to your verified phone number, hashed with Argon2id. Available on Premium plans.
Standard TOTP (RFC 6238), compatible with Google Authenticator, Authy and any TOTP manager. The most secure method.
If multiple methods are active, TOTP takes priority (TOTP > email > SMS). Code resending is limited to one attempt per minute.
Authenticated encryption (AEAD). The algorithm chosen by Google for HTTPS on mobile, used in WireGuard and Signal. Extended 192-bit nonce - safe even for many encryptions with the same key. Implemented via libsodium (PHP 8.3).
Learn more about XChaCha20-Poly1305 →
Key derivation and authentication code hashing. Winner of the Password Hashing Competition (2015). Resistant to GPU and ASIC attacks thanks to its high memory consumption. A unique random salt is generated for each user.
Learn more about Argon2id →
All communications between your browser and our servers are encrypted via TLS 1.3 with automatically renewed Let's Encrypt certificates. Transport is secured as an additional layer on top of the data encryption.
Learn more about TLS 1.3 (HTTPS) →
Attached files are encrypted chunk by chunk (8,192-byte blocks) before being stored on the server. Each file has its own random key, itself encrypted with your master key. Similarly, each message has its own independent encryption key.
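The key hierarchy described above (password to Argon2id master key, master key wrapping a random per-file key, per-file key encrypting 8,192-byte chunks with XChaCha20-Poly1305) can be sketched with PHP's libsodium bindings. This is an added example, not EchoPass code: the function names, the Argon2id cost parameters, the associated-data scheme that binds each chunk to its position, and the sample password and file are assumptions.

```php
<?php
declare(strict_types=1);
// Added illustration, not EchoPass code: all function names and sample inputs are hypothetical.
const CHUNK = 8192; // chunk size stated on the page
const NPUB = SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_NPUBBYTES; // 24-byte (192-bit) nonce
// Argon2id password-to-key derivation; the cost parameters are assumed, the page gives none.
function deriveMasterKey(string $password, string $salt): string {
    return sodium_crypto_pwhash(SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_KEYBYTES,
        $password, $salt, SODIUM_CRYPTO_PWHASH_OPSLIMIT_INTERACTIVE,
        SODIUM_CRYPTO_PWHASH_MEMLIMIT_INTERACTIVE, SODIUM_CRYPTO_PWHASH_ALG_ARGON2ID13);
}
// Encrypt with a fresh random nonce and prepend the nonce to the ciphertext.
function sealBox(string $plain, string $ad, string $key): string {
    $nonce = random_bytes(NPUB);
    return $nonce . sodium_crypto_aead_xchacha20poly1305_ietf_encrypt($plain, $ad, $nonce, $key);
}
// Decrypt and verify the Poly1305 tag; tampering or a wrong key throws.
function openBox(string $box, string $ad, string $key): string {
    $plain = sodium_crypto_aead_xchacha20poly1305_ietf_decrypt(
        substr($box, NPUB), $ad, substr($box, 0, NPUB), $key);
    if ($plain === false) { throw new RuntimeException('authentication failed'); }
    return $plain;
}
// Associated data binds each chunk to its index and flags the last one (assumed scheme),
// so a reordered or truncated chunk list fails authentication.
function chunkAd(int $i, int $last): string { return pack('JC', $i, $i === $last ? 1 : 0); }
function encryptFile(string $data, string $masterKey): array {
    $fileKey = sodium_crypto_aead_xchacha20poly1305_ietf_keygen(); // random per-file key
    $chunks = str_split($data, CHUNK);
    $out = [];
    foreach ($chunks as $i => $c) { $out[] = sealBox($c, chunkAd($i, count($chunks) - 1), $fileKey); }
    return ['wrappedKey' => sealBox($fileKey, 'file-key', $masterKey), 'chunks' => $out];
}
function decryptFile(array $enc, string $masterKey): string {
    $fileKey = openBox($enc['wrappedKey'], 'file-key', $masterKey); // unwrap with the master key
    $plain = '';
    foreach ($enc['chunks'] as $i => $box) {
        $plain .= openBox($box, chunkAd($i, count($enc['chunks']) - 1), $fileKey);
    }
    return $plain;
}
// Constructed sample data: random salt, sample password, 20,000-byte file (3 chunks).
$salt = random_bytes(SODIUM_CRYPTO_PWHASH_SALTBYTES);
$master = deriveMasterKey('correct horse battery staple', $salt);
$file = random_bytes(20000);
$enc = encryptFile($file, $master);
echo decryptFile($enc, $master) === $file ? "round trip ok\n" : "round trip FAILED\n";
array_pop($enc['chunks']); // simulate a truncated upload
try { decryptFile($enc, $master); echo "truncation missed\n"; }
catch (RuntimeException $e) { echo "truncation rejected\n"; }
```

Only the salt, the wrapped file key and the sealed chunks would need to be stored; without the password none of them can be opened.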
Security doesn't stop at transmission. The recipient must prove their identity before accessing the content, through a robust multi-step verification protocol.
Each triggered message generates a 64-character random hexadecimal token. This link is unique, unguessable and strictly personal.
On first visit, an 8-digit code is sent to the recipient's email address and hashed with bcrypt. The code expires in 15 minutes. Resending is limited to one attempt per minute.
If a phone number is associated with the recipient, double verification is required: independent email and SMS codes. Both must be validated to access the message.
Once the recipient decrypts the message, all verification codes are permanently deleted from the database. The link remains valid for 365 days after triggering but codes cannot be reused.
Choosing Switzerland as a hosting location is deliberate. It offers a unique legal framework, distinct from both US and EU law, with some of the world's strictest data protection standards.
The Cloud Act (2018) allows US authorities to demand access to data held by US companies, even if the servers are physically in Europe. AWS, Google Cloud, Azure, Cloudflare - even with EU regions - are subject to it as long as the parent company is American. EchoPass uses an independent Swiss hosting provider.
Learn more about data privacy in Switzerland →
We don't keep what we no longer need. A daily automated cleanup purges temporary data according to strict timeframes. Your right to be forgotten is technically guaranteed, not just promised.
Data lifecycle - automated cleanup
The free plan is enough to get started. Upgrade to Premium if you have multiple messages to send, multiple recipients, or want to attach files.
Registration takes 2 minutes. Your first message is free, encrypted, and ready to be delivered when you need it.
If you discover a security flaw, please report it responsibly. We treat all reports seriously and in strict confidence.
Contact security@echopass.app