Evaluation Methodology
How we evaluate tools. Published so anyone can reproduce our assessments.
What we evaluate
Every tool is assessed across three dimensions:
1. Security posture
- Encryption: Does the tool encrypt data in transit (HTTPS/TLS) and at rest? We check both.
- Data jurisdiction: Where are servers located? This matters for journalists in or covering certain countries.
- Data retention: How long does the tool keep your data? Can you delete it?
- Privacy policy: We read the full policy and summarize in plain language what it actually says about your data.
- Authentication: Does it support 2FA, passkeys, or other strong authentication?
- Audit history: Has the tool been independently audited? By whom?
2. Ownership and trust
- Who owns it: Parent company, corporate structure, acquisition history.
- Funding: VC-backed, bootstrapped, nonprofit, government-funded.
- Business model: How do they actually make money? If it's free, why?
- Track record: Any security incidents, controversies, or journalist-hostile actions.
3. Practical value
- What it does: Clear description of functionality.
- Pricing: Actual numbers, not "contact sales."
- Journalist programs: Any free or discounted access for journalists.
- Practical mitigations: If the tool has security concerns, how can you use it more safely?
Security ratings
Each tool receives one of four ratings:
Strong
Robust encryption, minimal data retention, independent audits, transparent ownership. Recommended for all threat levels.
Adequate
Reasonable security practices for standard journalism work. May have some limitations for sensitive reporting.
Caution
Functional tool, but with notable security or privacy concerns that journalists should understand before using it. Use with awareness.
Warning
Significant security, privacy, or trust issues. Not recommended for journalism work involving any sensitive material.
What we don't do
- We don't guarantee safety. Security posture changes. Our assessments are snapshots.
- We don't accept payment for favorable reviews.
- We don't do penetration testing or code audits. We evaluate publicly available information, policies, and documented practices.
How to challenge an assessment
If you believe an evaluation contains an error — whether you're a journalist, a tool maker, or anyone else — submit a correction. We respond to factual corrections within 7 days.