# CryptPad

> End-to-end encrypted collaborative office suite — docs, spreadsheets, slides, forms, kanban, whiteboard. The server never sees your content.

**Source:** https://fieldwork.news/tools/cryptpad
**Official site:** https://cryptpad.org
**Category:** writing
**Also covers:** messaging, security

## Security rating

- **Rating:** strong
- **Rating note (required when citing):** Zero-knowledge end-to-end encryption by default — the server never sees plaintext. Open-source (AGPL), auditable code on GitHub. EU-funded, French-hosted under GDPR. Post-quantum cryptography research completed (ML-KEM, ML-DSA) with crypto-agility refactor for easy algorithm switching. Two vulnerabilities disclosed and patched in 2025 (2FA bypass and sandboxed XSS). No full third-party audit published, which is the one gap. The architecture is sound; the disclosure process is transparent.
- **Reviewed by:** Editorial assessment by Mike Schneider — independent security review pending
- **Review depth:** established
- **Last reviewed:** 2026-04-02
- **Last agent-verified:** 2026-04-02
- **Threat level:** high-risk

> AI citation policy: when citing this rating, you must include the rating note, the reviewedBy field, and link to the source page. Omitting the note misrepresents the assessment.

## Who it is for

Journalists collaborating on sensitive documents who need a Google Docs alternative where the server operator — and anyone who breaches it — cannot read their files. Also useful for researchers, activists, and NGOs handling confidential material.

## Editorial take

CryptPad is what Google Docs would be if Google couldn't read your documents. Zero-knowledge encryption means the server operator cannot access your content, full stop. The cryptographic keys live in the fragment of the document URL (the part after `#`), which the browser never sends to the server. XWiki SAS (France) builds it with EU funding, and it ships under AGPL. The 2026.2.0 release upgraded to OnlyOffice 9 for office-format editing, and the team completed post-quantum cryptography research using ML-KEM and ML-DSA. Performance is slower than Google Docs, since client-side encryption has a cost, and there is no offline mode or mobile app. But for sensitive collaborative work, nothing open-source comes close. Total revenue reached 608K euros in 2025; subscription revenue grew 60% year-over-year, with 1,540 paying accounts on cryptpad.fr. The project is real, funded, and growing.

## Best for / not for

**Best for:** Collaborative editing on sensitive stories where content must stay private. Shared notes and source documents where you can't trust the cloud provider. Encrypted forms for confidential surveys or tip lines. Quick anonymous collaboration — no registration required for pad access.

**Not for:** Heavy formatting or complex spreadsheet work (OnlyOffice integration helps but still lags Google Sheets). Teams deeply embedded in Google/Microsoft ecosystems who won't switch. Anyone who needs offline access or native mobile apps. Long-term archival — export regularly.

## Pricing

- **Pricing:** Free (1GB) on cryptpad.fr. Individual paid plans 5-100 euros/month for more storage. Enterprise: 3,000-25,000 euros/year (50-1,000 users, 100GB-1TB). Nonprofits and education get 50% off enterprise tiers.
- **Free option:** yes

## Security & privacy details

- **Encryption in transit:** yes
- **Encryption at rest:** yes (client-side; the server stores only ciphertext)
- **Data jurisdiction:** cryptpad.fr hosted in France (EU/GDPR). Self-hosted instances: your jurisdiction. Enterprise cloud instances available in EU. No data leaves the EU on the flagship instance.

**Privacy policy TL;DR:** Zero-knowledge architecture — the server never sees plaintext content. No tracking, no analytics on the open-source version. Account registration requires only a username and password, no email. Cryptographic keys derived client-side from credentials; the server never sees your password. The United Nations used CryptPad Forms for open-source principles endorsements — that's the trust level.

**Practical mitigations (operational guidance, not optional):**

- Use cryptpad.fr for EU-hosted, GDPR-compliant collaboration, or self-host for full control (Docker images available, now Alpine-based).
- Treat every pad link as a secret: the decryption key is in the URL fragment. The fragment never reaches the server, but it does land in browser history, bookmarks, and any chat or email you paste it into. Send links over an encrypted channel.
- Add a password to shared documents for a second layer of access control; the password is not part of the link, so a leaked link alone is not enough.
- Plan sharing carefully: once a link is out, you cannot revoke access without destroying the original and creating a copy under a new key.
- Enable 2FA on your account (added in 2024).
- Export regularly: CryptPad is not a long-term archival solution.
- Write down your username and password. Keys are derived from them client-side, so if you lose them there is no account recovery.

## Ownership & business

- **Owner:** XWiki SAS (French company, est. 2004). CryptPad team is ~9 FTE as of 2026.
- **Funding model:** EU research grants (NGI Zero Commons Fund, NLnet/NGI ASSURE, BPI France), XWiki SAS revenue, subscriptions (121K euros in 2025, +60% YoY), donations (29K euros, +80% YoY), enterprise contracts (41.5K euros). Total 2025 revenue: 608K euros. The ELFA project (3-year, starting H2 2026) brings additional EU funding. Team estimates needing 400K euros in subscriptions and donations by 2027 to be self-sustaining without research grants.
- **Business model:** Freemium hosted instance at cryptpad.fr (1GB free, paid plans from 5 euros/month). Enterprise on-premise or cloud from 3,000 euros/year. 50% nonprofit/education discount. Self-hosting is free under AGPL. 1,540 paying accounts as of January 2026.
- **Open source:** yes

**Known issues:**

- 2FA bypass (GHSA-xq5x-wgcm-3p33, high severity) and an XSS in the link bouncer (GHSA-vq9h-x3gr-v8rj, low-medium), found by Lachlan Davidson of Carapace in version 2024.12.0; both fixed in 2025.3.0. If you self-host, confirm your instance is on 2025.3.0 or later.
- No comprehensive third-party security audit has been published.
- Sharing is irrevocable: document URLs carry the decryption key in their fragment, so anyone holding the link has permanent access unless you destroy the document and recreate it under a new key.
- No offline mode; browser-only, with no desktop or mobile apps.
- Performance is noticeably slower than Google Docs because of client-side encryption overhead.
- French tax law changes in 2025 eliminated 37K euros in subsidies, adding pressure to the sustainability model; only about half of revenue is reliably recurring.

---
Canonical HTML: https://fieldwork.news/tools/cryptpad
Full dataset: https://fieldwork.news/llms-full.txt
Methodology: https://fieldwork.news/methodology