How Pastetory Keeps Your Data Secure

Published 20 May 2026 · 4 min read

Your clipboard holds some of your most sensitive information — passwords, API keys, personal notes, code snippets. When we built Pastetory, we started with one principle: your data belongs to you, and only you should be able to read it.

Here's exactly how we make that happen.

Client-Side AES-256-GCM Encryption

Every piece of data stored in Pastetory is encrypted on your device before it ever leaves your browser. We use AES-256-GCM, the same encryption standard trusted by governments and financial institutions worldwide. The encryption and decryption happen entirely in your browser using the Web Crypto API — our servers never process your plaintext data.

AES-256-GCM provides both confidentiality and integrity. This means your data can't be read, and any modification to it is detected when it is decrypted, even if someone were to intercept it in transit or gain access to our storage systems.

Zero-Knowledge Architecture

Pastetory operates on a zero-knowledge model. This means our servers store only encrypted blobs — we have no ability to decrypt, read, or analyse your clipboard contents. We can't see what you've copied, and neither can anyone else who might gain access to our infrastructure.

If law enforcement or any third party were to request your data, all we could hand over is encrypted ciphertext that is meaningless without your passphrase.

Your Vault Passphrase Never Leaves Your Device

Your vault passphrase is the key to your encrypted data, and it is never transmitted to our servers. It stays on your device at all times. We derive your encryption key locally using your passphrase, which means there's no password database for attackers to target and no way for us to reset or recover your passphrase. You are the sole custodian of your data.

Encryption in Transit

All communication between your browser and our servers is protected by TLS (Transport Layer Security). This prevents anyone on your network — whether on public Wi-Fi or a corporate network — from eavesdropping on your connection. Combined with client-side encryption, your data has two independent layers of protection during transmission.

Encryption at Rest

Your encrypted data is stored on Amazon S3 with server-side encryption enabled. This adds a further layer of protection at the storage level, meaning even in the unlikely event of a physical breach of AWS infrastructure, your data remains encrypted. Of course, since the data is already encrypted client-side, this serves as defence in depth rather than a primary safeguard.

No Tracking Without Consent

We don't use analytics cookies, tracking pixels, or fingerprinting by default. If we do collect any anonymised usage data in the future, we'll ask for your explicit consent first. Your clipboard history is not mined for advertising, profiling, or any other purpose. We make money by providing a useful product, not by selling your data.

GDPR Compliant and UK-Based

Pastetory is a UK-based service, fully compliant with the UK GDPR and Data Protection Act 2018. You have the right to access, export, and delete your data at any time. We process only the minimum data necessary to provide the service, and we are transparent about what we store and why.

Being UK-based means we operate under one of the world's strongest data protection frameworks, giving you legal protections on top of our technical safeguards.

Security Is Not an Afterthought

We designed Pastetory so that even in a worst-case scenario — a full server compromise — your clipboard data remains private. That's the power of client-side encryption combined with zero-knowledge architecture. Your secrets stay yours.

Have questions about our security practices? Get in touch at pastetory@gmail.com.