Key takeaways
- A subpoena to Inktally yields only encrypted blobs — we are technically unable to produce plaintext
- Metadata (email addresses, vault sizes, access timestamps) may be disclosable, but vault content is not
- Zero-knowledge is a structural legal shield: you cannot hand over what you do not possess
- We commit to publishing a transparency report for any compelled disclosures we receive
We get asked this question directly and honestly, so we answer it directly and honestly. If a government serves Inktally with a valid legal demand for a user's data, here is what we can hand over — and here is what we cannot.
What we can produce
A subpoena would yield, for any given account: the account's email address, the date it was created, the IP addresses used to sign in (within our log retention window), the auth verifier (a one-way hash — see below), encrypted vault content (ciphertext), and audit log entries that describe the account's activity history without revealing content.
We can also produce metadata: how many documents and notes exist, their sizes, when they were last modified, and who has been designated as a recipient or recovery contact (names and email addresses only).
What we cannot produce
We cannot produce: the plaintext contents of any document or note, the master key or any data key, or anything that would allow a third party to decrypt the vault. In zero-knowledge mode, these simply do not exist on our servers. The auth verifier is a hash derived from the master key; inverting it requires breaking SHA-256, which is computationally infeasible.
A government order compelling us to produce plaintext would be asking us to produce something we do not have. We cannot comply with such an order, not because we refuse to, but because the data does not exist in our systems.
The server-side mode difference
In server-side mode, we hold a master key protected by a hardware security module. A court order compelling us to decrypt and produce a user's vault content would be feasible to comply with, because in this mode we do hold the necessary keys. We are transparent about this in the product: server-side mode does not offer the same legal protection as zero-knowledge mode, and we say so explicitly.
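To make the difference between the two modes concrete, here is an added model of the per-account record the service holds and of what a compelled disclosure can extract from it. This is illustrative code written for this page, not Inktally's implementation: the function names are hypothetical, and HMAC-SHA256 in counter mode with an encrypt-then-MAC tag stands in for a real AEAD such as AES-GCM, which the standard library lacks.

```python
import hashlib, hmac, os

def auth_verifier(master_key: bytes) -> str:
    # One-way verifier kept server-side: SHA-256 of the master key, as described above.
    return hashlib.sha256(master_key).hexdigest()

def ctr_keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Stand-in for a real AEAD (stdlib has no AES): HMAC-SHA256 used as a PRF in counter mode.
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]

def seal(key: bytes, plaintext: bytes) -> dict:
    nonce = os.urandom(12)
    ct = bytes(p ^ k for p, k in zip(plaintext, ctr_keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()  # encrypt-then-MAC
    return {"nonce": nonce, "ciphertext": ct, "tag": tag}

def open_(key: bytes, blob: dict) -> bytes:
    # Fails closed: a wrong key is rejected before any plaintext is released.
    expected = hmac.new(key, blob["nonce"] + blob["ciphertext"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        raise ValueError("authentication failed: wrong key")
    ks = ctr_keystream(key, blob["nonce"], len(blob["ciphertext"]))
    return bytes(c ^ k for c, k in zip(blob["ciphertext"], ks))

def store_vault(email: str, master_key: bytes, note: bytes, server_side: bool, hsm_key: bytes) -> dict:
    # Hypothetical model of the per-account record; seal() here stands for what the client did before upload.
    record = {"email": email, "verifier": auth_verifier(master_key),
              "vault": seal(master_key, note), "vault_size": len(note)}
    if server_side:
        # Server-side mode: the master key itself is retained, wrapped under an HSM-held key.
        record["wrapped_master_key"] = seal(hsm_key, master_key)
    return record

def compelled_disclosure(record: dict, hsm_key: bytes) -> dict:
    # Metadata, verifier and ciphertext can always be produced; plaintext only if a usable key exists server-side.
    produced = {"email": record["email"], "verifier": record["verifier"],
                "vault_size": record["vault_size"], "ciphertext": record["vault"]["ciphertext"]}
    if "wrapped_master_key" in record:
        mk = open_(hsm_key, record["wrapped_master_key"])
        produced["plaintext"] = open_(mk, record["vault"])
    else:
        produced["plaintext"] = None  # zero-knowledge mode: nothing on the server can decrypt the vault
    return produced
```

In zero-knowledge mode the record never contains a wrapped master key, so the disclosure function has no path to plaintext; in server-side mode the same function yields the note.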
Our legal process policy
We notify users when we receive a legal demand for their data, unless we are legally prohibited from doing so (e.g., under a gag order). We challenge overly broad demands. We publish a transparency report annually. We do not cooperate with informal law enforcement requests that lack proper legal process.
All of this is the policy layer. The architecture layer — zero-knowledge encryption — is the guarantee that matters when policy and law are insufficient. We build both because they serve different adversaries.