Data Isolation Protocol

The article is an explanation of our data isolation protocol.

1. Your data, no matter the encrypted copy or the plain text, won't be sent to anywhere outside your device, except iCloud and Dropbox if the sync is on.
2. The data on the local storage or third-party cloud storage is always encrypted. It can be decrypted with your master password only.
3. If auto-unlock is on, a copy of your master key will be saved in the system keychain service. The keychain service is protected by macOS / iOS itself. The master password and key won't be synced.
4. iCloud sync is handled by the iOS / macOS system itself. Dropbox sync is manipulated by the official Dropbox SDK.
5. Elpass doesn't contain any third-party tracking or advertising code.
6. Elpass only initiates network requests when necessary. A detailed list is below.

All Possible Network Requests

• When you launch Elpass, pay for a subscription, restore a subscription, or every 24 hours since launching, a few API requests are sent to our API server to confirm your subscription status. Our API server is located at https://api.elpass.app. 

  These requests may contain the following information for subscription management and anti-fraud purposes: device name, device model, OS version, Elpass version, non-reversible hashed hardware ID, payment receipt data from Apple.

• After adding a login item, Elpass will fetch the icon of the website. Multiple requests might be sent to the domain of the item. All the requests are anonymous and without any user data.
• If you turn on the 'Automatically check for updates' option, Elpass Mac will request the update information in https://elpass.app/macos/appcast.xml (or https://elpass.app/macos/appcast-beta.xml for beta channel). These requests are anonymous.
• We intentionally let these requests vulnerable to MitM. So you or a security specialist may inspect the requests to confirm that no sensitive data is sent.
• If Dropbox sync is on, the Dropbox SDK sends HTTPS requests to dropboxapi.com and dropbox.com.
• Elpass uses crash report SDKs: App Center (old versions), a product by Microsoft, or bugsnag (new versions). If Elpass quits unexpectedly, an anonymous crash report may be sent to Microsoft or bugsnag's servers. You may turn off the feature.