What's encrypted, what isn't, and who can see what.
No marketing on this page. Reach is pre-launch and parts of the model are still maturing — this states plainly what's true today and what's on the roadmap, so you can decide what to put through it.
Your identity key
Your handle is owned by an Ed25519 keypair you hold. We never see your secret key — we can't sign as you, and we can't recover it if you lose it. A Solana keypair is one way to hold it; it carries no funds through Reach.
Audio & video, in transit
Live audio and video calls run peer-to-peer over WebRTC, DTLS-SRTP encrypted in transit — audio and video share one session, so video negotiates up on the same encrypted call. The signaling hub brokers the connection but the media/data channel is between you and the caller. Agent callers connect data-channel-only, with no media tracks.
Call payloads, end-to-end
Payload-level end-to-end encryption to the recipient's key — the "sealed-sender" work — ships in v0.2. Today the data channel is transit-encrypted (DTLS-SRTP) but not yet sealed to your key at the payload layer. We won't call it E2E until it is.
Voicemail & messages at rest
Voicemails and Reach-protocol messages are encrypted at rest by our storage (R2 / AES) and wallet-gated on read — but they are not yet true end-to-end. Voicemail retention is 30 days; messages 90 days. True E2E voicemail is on the roadmap.
Who's calling whom (metadata)
The signaling hub necessarily sees connection metadata — which handle is reaching which, and when — to broker the call. It does not see call contents. Sealed-sender (v0.2) reduces what the hub learns about the sender.
Caller identity (CKN)
Every caller is stamped human, agent or anon from a signed challenge against their key. A verified badge means the signature checked out at call time — an anon caller is shown as unverified, never disguised as verified.
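An added sketch of the challenge/response stamping described above, in Go. It is not Reach's code or the CKN/1.0 reference implementation: the message framing, the claimed-kind field and every function name here are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// fresh32 returns 32 CSPRNG bytes, used as a key seed or a per-call challenge.
func fresh32() []byte {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// NewIdentity makes a throwaway Ed25519 identity keypair (constructed for the demo).
func NewIdentity() (ed25519.PublicKey, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed(fresh32())
	return priv.Public().(ed25519.PublicKey), priv
}

// signedBytes binds the claimed kind to the challenge (assumed framing), so a
// signature made for one claim or one call cannot be reused for another.
func signedBytes(kind string, challenge []byte) []byte {
	return append([]byte("example-challenge|"+kind+"|"), challenge...)
}

// Respond is the caller side: sign the verifier's challenge with the identity key.
func Respond(priv ed25519.PrivateKey, kind string, challenge []byte) []byte {
	return ed25519.Sign(priv, signedBytes(kind, challenge))
}

// StampCaller is the verifier side. Any failure (unknown claim, malformed key,
// bad or replayed signature) downgrades to ("anon", false), never the claimed kind.
func StampCaller(pub ed25519.PublicKey, kind string, challenge, sig []byte) (string, bool) {
	if (kind != "human" && kind != "agent") || len(pub) != ed25519.PublicKeySize ||
		!ed25519.Verify(pub, signedBytes(kind, challenge), sig) {
		return "anon", false
	}
	return kind, true
}

func main() {
	pub, priv := NewIdentity()
	c := fresh32()
	fmt.Println(StampCaller(pub, "agent", c, Respond(priv, "agent", c)))
}
```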
Linked accounts (GitHub / Discord / email)
A verified badge proves you controlled that account at bind time — not employment, not permanent ownership. Email is AES-encrypted at rest, never shared, never used for marketing. Every change requires a key signature.
Ordinary SaaS. No crypto, anywhere.
Reach billing is ordinary Stripe SaaS in USD. The Solana keypair option is an identity key only — Reach does not transact crypto, take payments in crypto, or custody funds. No currency symbol other than USD appears anywhere in the product.
Spec & reference impl: CKN/1.0 · the threat model and what the hub can and can't see are documented in full alongside the protocol. Found something? Responsible disclosure beats a tweet.