We can't see your data.
Even if we wanted to.
Cayo is built on a hybrid encryption model that runs exclusively on the client side. Your Master Password never leaves your device.
Client Side
Encryption happens here.
AES-256 + RSA
Supabase DB
Stores only gibberish.
No keys stored.
Cryptographic Primitives
Your Master Password is processed through 100,000 iterations of HMAC-SHA256 with a unique salt to derive your encryption key. We never see the password.
Your actual data (passwords, notes) is encrypted using AES-256. This is the industry standard for securing top-secret information.
We generate a Public/Private key pair. The Public key is used by family members to securely share the Group Key with you without exchanging secrets.
The server acts as blind storage. It receives encrypted blobs and serves them back. It mathematically cannot decrypt the content.
Using a Zustand stateful timer, the app automatically wipes decrypted keys from RAM after 15 minutes of inactivity.
Row Level Security (RLS) policies enforce that only authenticated users can even retrieve the encrypted blobs intended for them.
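The flow described above (password-derived key, AES-256 for the data, a key pair for sharing the Group Key), as an added Node.js example that is not Cayo's code. The page does not name the KDF construction, the AES mode, the RSA padding or the key size, so PBKDF2, AES-256-GCM, RSA-OAEP with SHA-256 and a 2048-bit modulus are assumptions here, as are all function names and sample values.

```javascript
// Added example, not Cayo's code. Assumed (not stated on the page): PBKDF2,
// AES-256-GCM, RSA-OAEP with SHA-256, 2048-bit RSA. All names are hypothetical.
const nodeCrypto = require('node:crypto');
const OAEP = { padding: nodeCrypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// 100,000 iterations of HMAC-SHA256 over password + per-user salt -> 32-byte key.
function deriveKey(masterPassword, salt) {
  return nodeCrypto.pbkdf2Sync(masterPassword, salt, 100000, 32, 'sha256');
}

// AES-256-GCM with a fresh 12-byte IV; returns iv || tag || ciphertext,
// which is the only thing a blind storage server would ever receive.
function seal(key, plaintext) {
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ct]);
}

// Throws if the key is wrong or the blob was modified (GCM tag mismatch).
function unseal(key, blob) {
  const d = nodeCrypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  d.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]).toString('utf8');
}

// A family member wraps the Group Key to the recipient's public key.
const wrapGroupKey = (pub, groupKey) => nodeCrypto.publicEncrypt({ key: pub, ...OAEP }, groupKey);
const unwrapGroupKey = (priv, wrapped) => nodeCrypto.privateDecrypt({ key: priv, ...OAEP }, wrapped);

function demo() {
  const salt = nodeCrypto.randomBytes(16); // constructed sample values throughout
  const personal = seal(deriveKey('correct horse battery staple', salt), 'bank: s3cret');
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const groupKey = nodeCrypto.randomBytes(32);
  const wrapped = wrapGroupKey(publicKey, groupKey); // only the private key can open this
  const shared = seal(groupKey, 'wifi: family-passphrase');
  let wrongPasswordRejected = false;
  try { unseal(deriveKey('wrong password', salt), personal); } catch { wrongPasswordRejected = true; }
  return {
    personal: unseal(deriveKey('correct horse battery staple', salt), personal),
    shared: unseal(unwrapGroupKey(privateKey, wrapped), shared),
    wrongPasswordRejected,
    serverSeesPlaintext: personal.includes('s3cret') || shared.includes('family'),
  };
}
```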
Modern Stack.
Maximum Performance.
Security shouldn't mean slow. Cayo is built with the latest frontend technologies to ensure instant decryption and smooth interactions.
- Next.js 15 (App Router & Server Components)
- Zustand Multi-store State Management
- Request Deduplication & Intelligent Caching
- Radix UI for 100% Accessibility
Ready to audit the code?
Cayo is open-source. Trust, but verify.