Tenths implements true end-to-end encryption. Your time entries, client names,
and billing data are encrypted on your device before syncing.
We cannot read your data — by design.
Four steps from your device to secure sync
A unique P256 elliptic curve key pair is generated on your device during first launch. Your private key never leaves your device.
All sensitive data — clients, matters, entries, notes — is encrypted using ChaCha20-Poly1305 with a symmetric key derived from your key pair.
Only encrypted data (ciphertext) leaves your device. iCloud stores encrypted blobs. Our servers never see plaintext.
A 12-word seed phrase allows you to recover your encryption keys if you switch devices. Store it securely — it's the only way to decrypt your data.
Zero-Knowledge Architecture: Because encryption happens on your device with keys only you control, we have no technical ability to read your data. This isn't a policy choice — it's a cryptographic guarantee.
Industry-standard cryptography you can verify
ECDH with P-256 (secp256r1)
NIST-approved elliptic curve for key exchange. 256-bit security level equivalent to 3072-bit RSA. Used by TLS 1.3, Signal, and Apple's iMessage.
ChaCha20-Poly1305
AEAD cipher providing both confidentiality and authenticity. Designed by Daniel J. Bernstein. Faster than AES on devices without hardware acceleration.
HKDF with SHA-256
HMAC-based Key Derivation Function as specified in RFC 5869. Derives multiple cryptographic keys from a single shared secret with domain separation.
32-byte random per encryption
Each piece of data is encrypted with a unique random salt from the system's cryptographically secure random number generator (SecRandomCopyBytes).
iOS Keychain (Secure Enclave)
Private keys are stored in the iOS Keychain, protected by the Secure Enclave on supported devices. Keys are tied to your device and biometric authentication.
BIP-39 Compatible 12-word Mnemonic
Your key can be backed up as a 12-word phrase using industry-standard word lists. Compatible with hardware wallet recovery flows.
// 1. Generate device key pair on first launch
let privateKey = P256.KeyAgreement.PrivateKey()
let publicKey = privateKey.publicKey
// 2. Derive shared secret for encryption
let sharedSecret = try privateKey.sharedSecretFromKeyAgreement(
with: groupPublicKey
)
// 3. Derive symmetric key using HKDF
let symmetricKey = sharedSecret.hkdfDerivedSymmetricKey(
using: SHA256.self,
salt: salt,
sharedInfo: "tenths.encryption.v1".data,
outputByteCount: 32
)
// 4. Encrypt data with ChaCha20-Poly1305
let sealedBox = try ChaChaPoly.seal(plaintext, using: symmetricKey)
// 5. Store only ciphertext + nonce + tag
let encryptedData = sealedBox.combined
Attorney-client privilege extends to billing records. The names of clients, descriptions of matters, and details of legal work are all protected information. Time tracking data can reveal sensitive details about ongoing legal matters.
Tenths ensures this data remains confidential — not just from bad actors, but from everyone, including us. Your billing records are encrypted with keys only you control. Even if our servers were compromised, attackers would find only encrypted data they cannot decrypt.
End-to-end encryption helps meet data protection requirements under GDPR, CCPA, and bar association ethics rules. When clients ask how you protect their data, you can point to cryptographic guarantees — not just privacy policies.
We believe privacy should be a technical guarantee, not a marketing promise. Tenths is built so that protecting your data isn't a choice we make — it's the only option the architecture allows.
Your data stays yours. Always.