
CryptPad

End-to-end encrypted collaborative office suite — docs, spreadsheets, slides, forms, kanban, whiteboard. The server never sees your content.

Writing & notes
Open source
Strong
https://cryptpad.org
Reviewed 2026-04-02
Editorial assessment by Mike Schneider, based on public security research and audits

What should journalists know about CryptPad?

CryptPad is what Google Docs would be if Google couldn't read your documents. Zero-knowledge encryption means the server operator cannot access your content — period. The cryptographic keys live in document URLs, never on the server. XWiki SAS (France) builds it with EU funding, and it ships under AGPL. The 2026.2.0 release upgraded to OnlyOffice 9 for office-format editing, and the team completed post-quantum cryptography research using ML-KEM and ML-DSA. Performance is slower than Google Docs — encryption has a cost — and there's no offline mode or mobile app. But for sensitive collaborative work, nothing open-source comes close. Revenue hit 608K euros in 2025 with 1,540 paying accounts on cryptpad.fr, up 60% year-over-year. The project is real, funded, and growing.

Best for

Collaborative editing on sensitive stories where content must stay private. Shared notes and source documents where you can't trust the cloud provider. Encrypted forms for confidential surveys or tip lines. Quick anonymous collaboration — no registration required for pad access.

Not for

Heavy formatting or complex spreadsheet work (OnlyOffice integration helps but still lags Google Sheets). Teams deeply embedded in Google/Microsoft ecosystems who won't switch. Anyone who needs offline access or native mobile apps. Long-term archival — export regularly.

Security & Privacy

Encryption in transit: Yes

Data is scrambled while being sent to their servers

Encryption at rest: Yes

Data is scrambled when stored on their servers

Data jurisdiction: cryptpad.fr hosted in France (EU/GDPR). Self-hosted instances: your jurisdiction. Enterprise cloud instances available in EU. No data leaves the EU on the flagship instance.

Where servers are located — affects which governments can request your data

Security rating: Strong

Privacy policy summary

Zero-knowledge architecture — the server never sees plaintext content. No tracking, no analytics on the open-source version. Account registration requires only a username and password, no email. Cryptographic keys derived client-side from credentials; the server never sees your password. The United Nations used CryptPad Forms for open-source principles endorsements — that's the trust level.

How to protect yourself:

Use cryptpad.fr for EU-hosted, GDPR-compliant collaboration. Self-host for full control (Docker images available, now Alpine-based). Share documents via links with passwords for additional access control. Export regularly — CryptPad is not a long-term archival solution. Enable 2FA on your account (added in 2024). Note: once you share a document link, you cannot revoke access without destroying the original and creating a copy — plan sharing carefully. If you lose your username and password, there is no account recovery. Write them down.

Zero-knowledge end-to-end encryption by default — the server never sees plaintext. Open-source (AGPL), auditable code on GitHub. EU-funded, French-hosted under GDPR. Post-quantum cryptography research completed (ML-KEM, ML-DSA) with crypto-agility refactor for easy algorithm switching. Two vulnerabilities disclosed and patched in 2025 (2FA bypass and sandboxed XSS). No full third-party audit published, which is the one gap. The architecture is sound; the disclosure process is transparent.

Who Owns This

Owner: XWiki SAS (French company, est. 2004). CryptPad team is ~9 FTE as of 2026.

Funding: EU research grants (NGI Zero Commons Fund, NLnet/NGI ASSURE, BPI France), XWiki SAS revenue, subscriptions (121K euros in 2025, +60% YoY), donations (29K euros, +80% YoY), enterprise contracts (41.5K euros). Total 2025 revenue: 608K euros. The ELFA project (3-year, starting H2 2026) brings additional EU funding. Team estimates needing 400K euros in subscriptions and donations by 2027 to be self-sustaining without research grants.

Business model: Freemium hosted instance at cryptpad.fr (1GB free, paid plans from 5 euros/month). Enterprise on-premise or cloud from 3,000 euros/year. 50% nonprofit/education discount. Self-hosting is free under AGPL. 1,540 paying accounts as of January 2026.

Known issues

2FA bypass vulnerability (GHSA-xq5x-wgcm-3p33, high severity) and XSS in link bouncer (GHSA-vq9h-x3gr-v8rj, low-medium) found by Lachlan Davidson of Carapace in version 2024.12.0 — both fixed in 2025.3.0. No comprehensive third-party security audit has been published. Sharing is irrevocable: document URLs contain decryption keys, so anyone with the link has permanent access unless you destroy and recreate the document. No offline mode — browser-only, no desktop or mobile apps. Performance noticeably slower than Google Docs due to client-side encryption overhead. French tax law changes in 2025 eliminated 37K euros in subsidies, adding pressure to the sustainability model. Only ~50% of revenue is reliably recurring.

Pricing

Free (1GB) on cryptpad.fr. Individual paid plans 5-100 euros/month for more storage. Enterprise: 3,000-25,000 euros/year (50-1,000 users, 100GB-1TB). Nonprofits and education get 50% off enterprise tiers.

This is an editorial assessment based on publicly available information as of 2026-04-02, using our published methodology. Independent security review is pending. Security posture can change at any time. This is not a guarantee of safety.
