This article explains our data isolation protocol.
- Your data, whether the encrypted copy or the plain text, is never sent anywhere outside your device, except to iCloud and Dropbox if sync is on.
- The data on the local storage or third-party cloud storage is always encrypted. It can be decrypted with your master password only.
- If auto-unlock is on, a copy of your master key will be saved in the system keychain service. The keychain service is protected by macOS / iOS itself. The master password and key won't be synced.
- iCloud sync is handled by the iOS / macOS system itself. Dropbox sync is handled by the official Dropbox SDK.
- Elpass doesn't contain any third-party tracking or advertising code.
- Elpass only initiates network requests when necessary. A detailed list is below.
All Possible Network Requests
When you launch Elpass, pay for a subscription, restore a subscription, or every 24 hours after launch, a few API requests are sent to our API server to confirm your subscription status. Our API server is located at https://api.elpass.app.
These requests may contain the following information for subscription management and anti-fraud purposes: device name, device model, OS version, Elpass version, non-reversible hashed hardware ID, and payment receipt data from Apple.
- After adding a login item, Elpass will fetch the icon of the website. Multiple requests might be sent to the domain of the item. All the requests are anonymous.
- If you turn on the 'Automatically check for updates' option, Elpass Mac will request the update information from https://elpass.app/macos/appcast.xml (or https://elpass.app/macos/appcast-beta.xml for the beta channel). These requests are anonymous.
- We intentionally leave these requests vulnerable to MitM, so that you or a security specialist can inspect the requests to confirm that no sensitive data is sent.
- If Dropbox sync is on, the Dropbox SDK sends HTTPS requests to dropboxapi.com and dropbox.com.
- Elpass uses crash report SDKs: App Center, a product by Microsoft, and Bugsnag. If Elpass quits unexpectedly, an anonymous crash report may be sent to Microsoft's or Bugsnag's servers.
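
One way to check a captured list of request URLs against the list above, as an added example that is not Elpass code. The crash-report domains, the API path in the sample, and treating subdomains of an item's domain as icon fetches are assumptions; the capture is constructed.

```python
from urllib.parse import urlsplit

# Hosts and URLs taken from the list above.
API_HOST = "api.elpass.app"
UPDATE_URLS = {"https://elpass.app/macos/appcast.xml",
               "https://elpass.app/macos/appcast-beta.xml"}
DROPBOX_DOMAINS = ("dropboxapi.com", "dropbox.com")
# Assumption: the page names the crash-report vendors, not their hosts.
CRASH_DOMAINS = ("appcenter.ms", "bugsnag.com")


def in_domain(host, domains):
    """True if host is one of the domains or a subdomain of one (no bare suffix match)."""
    return any(host == d or host.endswith("." + d) for d in domains)


def classify(url, item_domains, dropbox_sync=False):
    """Return the documented category for url, or 'UNDOCUMENTED'."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme == "https" and host == API_HOST:
        return "subscription-api"
    if url.split("?", 1)[0] in UPDATE_URLS:
        return "update-check"
    if in_domain(host, DROPBOX_DOMAINS):
        # Dropbox traffic is documented only over HTTPS and only with sync on.
        ok = dropbox_sync and parts.scheme == "https"
        return "dropbox-sync" if ok else "UNDOCUMENTED"
    if in_domain(host, CRASH_DOMAINS):
        return "crash-report"
    if in_domain(host, item_domains):  # assumption: subdomains count too
        return "icon-fetch"
    return "UNDOCUMENTED"


def audit(urls, item_domains, dropbox_sync=False):
    """Return the URLs that match no documented category."""
    return [u for u in urls
            if classify(u, item_domains, dropbox_sync) == "UNDOCUMENTED"]


# Constructed sample capture (not real traffic), e.g. exported from a proxy.
CAPTURE = [
    "https://api.elpass.app/v1/subscription",   # path is made up
    "https://elpass.app/macos/appcast.xml",
    "https://example.com/favicon.ico",          # domain of a saved login item
    "https://content.dropboxapi.com/2/files/download",
    "https://api.elpass.app.lookalike.example/collect",
    "https://tracker.example.net/pixel",
]
if __name__ == "__main__":
    print(audit(CAPTURE, ["example.com"], dropbox_sync=True))
```

Anything `audit` returns is a request the list above does not account for and is worth inspecting by hand.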