Client-side encryption
Files are encrypted locally before they leave the device. PhotonFile stores encrypted data, but is not intended to have the keys needed to decrypt vault contents.
Secure, client-side encrypted storage for files you want to keep
Photon Vault is secure storage built for long-term protection, private collaboration, and controlled sharing. Files are encrypted on your device before upload, PhotonFile stores encrypted data, and authorized clients decrypt later.
Natural security boundaries
Each vault acts as its own security boundary, making it easy to separate work by project, client, team, organization, or sensitivity level.
Collaboration without server-side plaintext
Shared vaults, scoped sharing, and Secure Inbox are designed so that collaboration can happen without turning the server into the place where plaintext files live.
Built for privacy without added complexity
Photon Vault gives individuals and teams a secure place to store files, share access, and collect uploads without managing complex security infrastructure.
With Vault, you can store files in encrypted vaults, create clear security boundaries, collaborate in shared vaults, share specific files or folders with scoped links, collect files through Secure Inbox, and keep older versions when files are updated.
Client-side encryption by default
Before a file is uploaded to Photon Vault, it is encrypted locally on the client. Encrypted data is then transferred and stored in PhotonFile infrastructure as encrypted blobs.
- Files are encrypted before leaving the device
- Data remains encrypted during transfer and storage
- Only authorized clients can decrypt vault contents
- PhotonFile cannot read the contents of vault files
Post-quantum-ready key management
Photon Vault is built with a post-quantum-ready key management model designed for long-lived encrypted storage. Public-key operations used for protected access flows are built around modern post-quantum cryptography, while file data remains protected with strong client-side authenticated encryption.
For users, that means Vault is designed not only for today's security requirements, but also for long-term protection of sensitive data.
Secure collaboration
Teams can work together inside shared vaults without exposing file contents to the server. Authorized members access vault contents through their own approved clients.
Scoped sharing
Share links can be limited to the specific files or folders being shared and can be protected with options such as expiration, revocation, and usage limits.
Secure Inbox
Vault owners can receive files from external users without giving them access to existing vault contents. This is useful for client submissions, evidence collection, intake flows, and secure document requests.
Versioning
When a file is uploaded again at the same path, Vault stores a new version instead of overwriting the old one. This helps protect against accidental replacement and gives users more control over changes over time.
What PhotonFile can and cannot see
PhotonFile cannot see
- The plaintext contents of files stored in a vault
- The keys required to decrypt vault files
- The plaintext contents of uploaded vault data
PhotonFile can see limited service metadata
- Account and service information needed to operate the service
- Vault and object identifiers
- File sizes and transfer activity
- Share-link and upload events
Need more detail?
Read the public technical security overview for a deeper explanation of key hierarchy, post-quantum-ready design goals, chunk encryption, scoped sharing, and Secure Inbox security posture.