Your master key is born in your browser.
We only store encrypted blobs.
Even we cannot decrypt your data.
Your credentials are encrypted end-to-end. The server never sees plaintext.
Your browser generates a 256-bit master key. It never leaves your device.
Only the SHA-256 fingerprint goes to us, for verification. We never see the key.
The master key stays in your browser, encrypted with a password-derived key (PBKDF2, 600,000 iterations).
Your API keys are encrypted with AES-256-GCM using your master key before reaching our server.
On each request, the master key is sent in a header. The server decrypts, forwards, forgets (<200ms).
We openly state what our architecture protects against, and what it does not. Most vendors never tell you this.
If our server is compromised, attackers find only encrypted blobs with no key.
The connectors.hu team cannot decrypt your data. Zero-knowledge by design.
HTTPS plus client-side encryption. Two layers of protection.
If malware is on your machine, the master key can be extracted. Use endpoint protection.
If you lose your master key, we CANNOT recover it. This is the cost of zero-knowledge.
If an attacker gains root access to the Supabase infrastructure, runtime memory is accessible.
Our architecture is auditable. Request the technical documentation if you need it.
All data is stored in the Frankfurt region (eu-central-1).
Data minimization: no personal data stored in plaintext beyond your email address.
Our architecture follows SOC2 principles. Formal audit planned.