Orange Way Books uses Argon2id (memory-hard) for key derivation, AES-GCM for authenticated field encryption, and per-organization envelope encryption so each member's wrapped DEK is never visible to anyone else. ML-DSA-65 post-quantum signing keys protect organization-level signatures. Wrong vault password cannot decrypt — there is no server-side hash check. Key rotation (rekey) rotates DEK and signing-key versions across all rows with rollback. The server only ever sees ciphertext.
Visit: Features · Security · Pricing · FAQ · Compare · Docs