What is zero-access encryption?
Zero-access encryption protects your data stored in the cloud in a way that prevents the service provider and any third parties from accessing its contents.
Find out how it works, how it’s different from end-to-end encryption, and how it can keep your data safe from advertisers, data brokers, AI systems, unauthorized access, breaches, or government requests.
How does zero-access encryption work?
Zero-access encryption relies on asymmetric (public-key) cryptography, where data is encrypted with your public key and can only be decrypted using your private key, which you alone control.
Because the server does not have your private key, the service provider cannot read your stored data. When you access it, the encrypted content is retrieved and decrypted locally on your device.
For example, Lumo, our private AI assistant(new window), uses zero-access encryption: your conversations are encrypted on your device before being stored on Proton’s servers, and only you can decrypt them. Proton stores the encrypted data but cannot access or recover it.
What's the difference between zero-access encryption and end-to-end encryption?
Zero-access encryption protects data after it reaches the service by encrypting it so that only the user can decrypt it, even though the service may briefly access the data before encryption.
End-to-end encryption (E2EE) protects data before it ever reaches the service by encrypting it on the sender’s device, ensuring that only the sender and intended recipient can read it.
While both prevent third-party access and protect against data breaches, E2EE offers stronger privacy guarantees because the service provider never sees the unencrypted data at any point.
For instance, when an email is sent from Gmail to Proton Mail, Proton's servers can briefly read the message because Gmail doesn't use end-to-end encryption. Proton then encrypts the email using the recipient's public key, after which only the recipient can decrypt it and Proton no longer has access.
Why do you need zero-access encryption?
Most Big Tech companies, like Google and Yahoo, don’t use zero-access encryption. That means they can read your messages, files, and other data once stored on their servers. Here's how zero-access encryption can protect your data:
You’re protected from ads and profiling
Big Tech companies support their ad-based business models by selling your information to data brokers and marketers who build detailed profiles your online habits. With zero-access encryption, the service provider cannot see, process, or share your data with third parties, because access to your data is technically impossible. You stay in control of your personal information at all times.
Breaches won't expose your data
If the service provider’s servers are ever breached, zero-access encryption ensures that stolen databases are nothing more than unreadable ciphertext. Even if attackers gain full access to servers or backups, your data remains protected.
You can't be compelled to give up your privacy
In the event of government or legal requests, a service providing zero-access encryption by default (like Proton) can protect your privacy because it has no data to hand over in the first place. This protection applies regardless of current laws, future legal changes, or political climate.
Take charge of your data
Proton was built to protect your data from the start. With zero-access encryption, open-source apps, and independent audits, your information stays yours.
Emails stored in Proton Mail are protected with zero-access encryption, so we can't read your message content or attachments once they are encrypted.
If messages aren't end-to-end encrypted in transit, they are encrypted after receipt, so only you can access them.
Calendar events you store are protected with zero-access encryption, including titles, descriptions, locations, and guest lists.
Even when you share your schedule or send an invite, no one else — not even Proton — can see who it’s for.
Passwords, usernames, web addresses, notes, credit cards, identity details, and other data you store are protected with zero-access encryption.
When you share vaults, both the contents and the shared links are protected, so only the people you invite can see what’s inside
What you store and share in cloud storage is protected with zero-access encryption, including file contents, file names, folder names, thumbnail previews, and shared links.
Only you and the people you choose to share with can access your files — not even Proton can see them.
Learn more about encryption
