Security
Folderless · ActionTech Labs Inc.
Last updated: June 25, 2026
Honest-first disclosure: this page describes what Folderless v1 actually does for your data — and what it deliberately doesn't claim to do. If you're an auditor, security researcher, or just someone who reads the fine print, every claim below maps to verifiable code you can inspect or run yourself.
The two layers
Layer 1 — App & database hardening (always on, no setup needed)
Folderless is local-first. Your documents and the index we build from them stay on your device. The database that powers fast search is locked behind random per-install credentials in macOS Keychain — no default passwords, no internet exposure, no telemetry of your content.
Layer 2 — Encrypted backup files (optional, recommended at setup)
When you back up your Folderless library, the backup file is encrypted with a passcode only you know. Even if your backup ends up in the wrong hands — email, cloud sync, USB stick, lost device — your content stays unreadable without your passcode or your 24-word recovery phrase.
What this matches
The mental model is the same one you already know from macOS FileVault: optional, strongly recommended at setup, encrypts what matters for the disaster scenario, daily use stays friction-free.
| Pattern | Authentication | Backup encryption key |
|---|---|---|
| Mac FileVault | macOS login | Recovery key (separate, optional) |
| Time Machine encrypted backup | macOS login | Backup password (separate) |
| iCloud Keychain | Apple ID | Recovery code (separate, new device) |
| 1Password Emergency Kit | account password | Secret Key + Master Password |
| Folderless | Google OAuth | Backup passcode (separate, optional) |
When you encounter the passcode
| Moment | Passcode required? |
|---|---|
| Daily app use (open, browse, search, view, ingest, organize) | No — daily use is friction-free |
| Initial setup (end of onboarding) | Optional, strongly recommended — can defer to Settings later |
| Creating a backup | Yes — encrypts the backup file |
| Restoring a backup (new device or after wipe) | Yes — unwraps backup encryption |
| Forgot passcode → restoring | Use your 24-word recovery phrase instead |
What we don't claim
Marketing copy often reaches for security terms that mean something specific in cryptography or that auditors will pick apart. We don't use any of these — not because they sound bad, but because using them honestly requires implementation we don't ship today.
- Not "2FA". Two-factor authentication is a second factor for authenticating to a service. We have one factor for authentication (Google OAuth). The backup passcode is a separate, orthogonal concern — it controls data-at-rest decryption, not identity verification.
- Not "end-to-end encrypted" (yet). E2EE means data is encrypted client-side before it ever reaches our servers. We don't sync document content to our servers at all in v1 (local-first), so the E2EE claim is technically vacuous for us today.
- Not "zero-knowledge" (in the cryptographic sense). Zero-knowledge has a specific technical meaning in proof systems. We can honestly say we cannot decrypt your backup content — but "zero-knowledge" without qualification is jargon misuse.
- Not "military-grade". Empty marketing phrase. We use AES-256-GCM + Argon2id + BIP39 — name the primitives if pressed, don't dress them up.
Verify these claims yourself
Every claim on this page maps to verifiable code or a runnable test. The pen-test harness in our security repo runs an attack suite against the app where each test PASSES when the attack fails (the defense held) and FAILS when the attack succeeds (a regression). Greppable output, meaningful exit codes, designed to be a release block when something breaks.
If you're evaluating Folderless for a security-conscious context and want the full audit trail (architecture decisions, threat model, what we considered and rejected), email [email protected] and we'll send the canonical assessment doc.
What's next (v1.1+)
v1 ships the two layers above and nothing more. Roadmap items we've designed but not yet shipped:
- v1.1 — Source-file at-rest encryption (your PDFs encrypted on disk using the same passcode-derived key)
- v1.1 — Per-document "extra lock" with envelope encryption (sensitive documents get their own key wrapped by the master)
- v1.2+ — Touch ID quick-unlock for backup creation
Each future item will appear on this page with the same honest framing once it actually ships. No promises in marketing for things that don't exist in code.