Athar gives every account its own encryption key, created the moment you start. Your chats and documents are encrypted at rest under that key and isolated from every other account — here's exactly how the protocol works.
The protocol
The first time you sign in, Athar generates a 256-bit Data Encryption Key (DEK) unique to your account. You see a fingerprint of it during onboarding — a short identifier, never the key itself.
Your DEK is never stored in the clear. It is envelope-wrapped (AES-256-GCM) by a master key held in the application's secret store, so a database snapshot alone can never reveal it.
Chats, documents, and derived artifacts are encrypted at rest under your account's DEK. Decryption happens only inside the application, only to serve your authenticated requests.
What the protocol guarantees
Every account has its own DEK. One account's content is never readable under another account's key — isolation is enforced at the cryptographic layer, not just by access rules.
Your DEK is wrapped by a master key in a managed secret store. Rotating the master key re-wraps every DEK without touching the underlying ciphertext.
Conversations and uploaded documents are encrypted with AES-256 before they hit disk, so backups and storage snapshots are ciphertext.
All traffic between your browser and Athar is protected with TLS. Data is never transmitted in the clear at any point in the request.
Your key has a stable fingerprint you can view anytime under Account → Encryption — a way to confirm the key tied to your account hasn't silently changed.
The envelope design lets keys be rotated and access revoked without re-encrypting your entire history — security maintenance stays invisible to you.
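An added example (not Athar's code) of the envelope scheme described above: a per-account DEK wrapped under a master key with AES-256-GCM, and a master-key rotation that re-wraps the DEK while content ciphertext stays as it was. The function names, the nonce-prefixed layout, the use of the account ID as associated data, and GCM for content are assumptions; the keys in `main` are constructed demo values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// seal encrypts pt with AES-256-GCM, binding it to aad (assumed: the account ID).
func seal(key, pt, aad []byte) ([]byte, error) {
	blk, err := aes.NewCipher(key)
	if err != nil || len(key) != 32 {
		return nil, fmt.Errorf("need a 256-bit key")
	}
	g, _ := cipher.NewGCM(blk) // cannot fail for AES (16-byte block)
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, pt, aad), nil // nonce || ciphertext || tag
}

// open reverses seal; a wrong key, wrong aad or modified ciphertext is an error.
func open(key, ct, aad []byte) ([]byte, error) {
	blk, err := aes.NewCipher(key)
	if err != nil || len(key) != 32 || len(ct) < 12 { // 12 = standard GCM nonce size
		return nil, fmt.Errorf("bad key length or short ciphertext")
	}
	g, _ := cipher.NewGCM(blk)
	return g.Open(nil, ct[:12], ct[12:], aad)
}

// rewrap rotates the master key for one account: only the wrapped DEK changes.
func rewrap(oldMK, newMK, wrapped, account []byte) ([]byte, error) {
	dek, err := open(oldMK, wrapped, account)
	if err != nil {
		return nil, err
	}
	return seal(newMK, dek, account)
}

func main() { // constructed demo keys; real ones come from a CSPRNG and a secret store
	oldMK, newMK := []byte("old-master-key-32-bytes-padding!"), []byte("new-master-key-32-bytes-padding!")
	dek, acct := []byte("0123456789abcdef0123456789abcdef"), []byte("acct-42")
	wrapped, _ := seal(oldMK, dek, acct)
	rewrapped, _ := rewrap(oldMK, newMK, wrapped, acct) // master-key rotation
	got, err := open(newMK, rewrapped, acct)
	fmt.Println(string(got) == string(dek), err)
}
```

Because the account ID is authenticated as associated data in this sketch, a wrapped DEK row copied onto another account's record fails to unwrap instead of silently granting access.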
What's encrypted
Athar is a working legal assistant, so the application decrypts your content in memory to retrieve sources, ground answers, and build memory for you. This is envelope encryption with strict isolation — not zero-knowledge. We protect your data at rest and in transit, limit and audit internal access, and never train on your content without explicit consent.
Grounded answers, encrypted and isolated, with your confidentiality intact.