PCCI uses end-to-end encryption (E2EE) to ensure your data remains private and secure. All encryption happens client-side, meaning your plaintext data never leaves your device unencrypted — not even we can read it.

Zero-Knowledge Architecture

Our platform is built on a zero-knowledge principle:

Client-Side Encryption

All data is encrypted on your device before transmission

No Plaintext Access

Servers only see encrypted data, never your actual data

You Control the Keys

Encryption keys are generated and stored only on your side

Post-Quantum Security

Protected against both current and future quantum computing threats

How It Works

The encryption architecture uses a two-server model for defense in depth:

PCCI Proxy vs PCCI Enclave

Component      What It Sees         Purpose
PCCI Proxy     Only encrypted data  Stores and routes encrypted data, never sees plaintext
PCCI Enclave   Decrypted data       Decrypts, processes requests, encrypts responses in an isolated environment
The PCCI Proxy acts as a secure gateway that never has access to your plaintext data. It simply forwards encrypted payloads to the PCCI Enclave. Even if the proxy were compromised, attackers would only see encrypted data.
The PCCI Enclave runs in a Trusted Execution Environment (TEE) — an isolated, hardware-protected environment where:
  • Decryption happens in a secure environment
  • Processing occurs completely isolated
  • Responses are encrypted before leaving
  • Even server operators cannot access the plaintext; no operator access mechanism exists in the enclave images

Key Types

  • KEK (Key Encryption Key) — Your master key (32 bytes) that protects all other keys. Never leaves your device unencrypted.
  • DEK (Data Encryption Key) — Unique key for each file (32 bytes). Each file gets its own key for isolation.
  • RAG DEK — Persistent Key (32 bytes) used for encrypted document search operations.
  • CONNECTOR DEK — Persistent key (32 bytes) used for decrypting connectors in the enclave.
  • KID (Key Identifier) — Derived from your KEK to identify your keys on the server without revealing the KEK itself.
Your master key (KEK) never leaves your device unencrypted. File keys (DEKs) are wrapped with your KEK before transmission, and the RAG DEK is also wrapped with your KEK when stored on the server. For RAG operations, both the file DEKs and RAG DEK are encrypted with a temporary shared secret from XWing key exchange before being sent to the enclave.

Cryptographic Algorithms

PCCI uses modern, battle-tested cryptographic algorithms:
Algorithm            Type        Purpose
XChaCha20-Poly1305   AEAD        Encrypts all your data with authentication
AES-KWP              Key Wrap    Securely wraps file keys with your master key
XWing                Hybrid KEM  Post-quantum secure key exchange

Post-Quantum Security with XWing

XWing is a hybrid key encapsulation mechanism that combines two algorithms for maximum security:
  • ML-KEM768 (Kyber) — NIST-standardized quantum-resistant algorithm
  • X25519 — Battle-tested elliptic curve algorithm
This hybrid approach ensures your data is protected against both current attacks and future quantum computers. Even if one algorithm is broken, the other maintains security.
Quantum computers, when sufficiently powerful, will be able to break traditional encryption like RSA and standard elliptic curves. XWing protects against “Harvest Now, Decrypt Later” attacks where adversaries store encrypted data today to decrypt it when quantum computers mature.

File Encryption

Every file you upload goes through a secure encryption process:

Encryption Process

  1. Generate File Key: a unique random 32-byte key is created for this specific file
  2. Encrypt Content & Metadata: file content and metadata (filename, type) are encrypted with XChaCha20-Poly1305
  3. Wrap File Key: the file key is encrypted with your master key using AES-KWP
  4. Upload: only encrypted data and wrapped keys are sent to the server

Decryption Process

When you retrieve a file:
  1. Download encrypted file and wrapped key from server
  2. Unwrap the file key using your master key
  3. Decrypt the file content and metadata
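The encryption and decryption steps above, together with the KEK/DEK/KID key hierarchy from Key Types, carried out end to end in Python with the `cryptography` package. This is an added example, not PCCI's own code; it assumes XChaCha20-Poly1305 is built from HChaCha20 plus the package's 12-byte-nonce ChaCha20Poly1305 (the package ships no XChaCha primitive), that the KID is HKDF-SHA256 of the KEK, and that metadata is length-prefixed inside the AEAD payload under a fixed associated-data string; none of those details are stated on the page.

```python
import json, os, struct

from cryptography.hazmat.primitives import hashes, keywrap
from cryptography.hazmat.primitives.ciphers.aead import ChaCha20Poly1305
from cryptography.hazmat.primitives.kdf.hkdf import HKDF

AAD = b"pcci-file-v1"  # assumed domain-separation string, not from the page


def _hchacha20(key, nonce16):
    """HChaCha20 (draft-irtf-cfrg-xchacha): 20 rounds, no final addition, output words 0-3 and 12-15."""
    s = list(struct.unpack("<16I", b"expand 32-byte k" + key + nonce16))

    def qr(a, b, c, d):  # ChaCha quarter round with rotations 16, 12, 8, 7
        for x, y, z, r in ((a, b, d, 16), (c, d, b, 12), (a, b, d, 8), (c, d, b, 7)):
            s[x] = (s[x] + s[y]) & 0xFFFFFFFF
            t = s[z] ^ s[x]
            s[z] = ((t << r) | (t >> (32 - r))) & 0xFFFFFFFF

    for _ in range(10):  # 10 double rounds: columns, then diagonals
        for idx in ((0, 4, 8, 12), (1, 5, 9, 13), (2, 6, 10, 14), (3, 7, 11, 15),
                    (0, 5, 10, 15), (1, 6, 11, 12), (2, 7, 8, 13), (3, 4, 9, 14)):
            qr(*idx)
    return struct.pack("<8I", *s[0:4], *s[12:16])


def _xchacha(key, nonce24):
    """XChaCha20-Poly1305: ChaCha20-Poly1305 under the HChaCha20 subkey, nonce = 0x00000000 || nonce[16:24]."""
    return ChaCha20Poly1305(_hchacha20(key, nonce24[:16])), b"\x00" * 4 + nonce24[16:]


def kid_from_kek(kek):
    # Assumed derivation: the page says only that the KID is derived from the KEK without revealing it.
    return HKDF(hashes.SHA256(), 16, None, b"pcci-kid").derive(kek)


def encrypt_file(kek, filename, content):
    """Steps 1-3 of the page's process; the returned dict is everything the server receives."""
    dek = os.urandom(32)                                # step 1: fresh per-file DEK
    meta = json.dumps({"filename": filename}).encode()  # step 2: metadata is encrypted too
    nonce = os.urandom(24)
    aead, n12 = _xchacha(dek, nonce)
    body = aead.encrypt(n12, struct.pack(">I", len(meta)) + meta + content, AAD)
    wrapped = keywrap.aes_key_wrap_with_padding(kek, dek)  # step 3: AES-KWP under the KEK
    return {"kid": kid_from_kek(kek), "nonce": nonce, "body": body, "wrapped_dek": wrapped}


def decrypt_file(kek, blob):
    """Retrieval: unwrap the DEK, then open content and metadata; any tampering raises InvalidTag."""
    if blob["kid"] != kid_from_kek(kek):
        raise ValueError("blob belongs to a different master key")
    dek = keywrap.aes_key_unwrap_with_padding(kek, blob["wrapped_dek"])
    aead, n12 = _xchacha(dek, blob["nonce"])
    plain = aead.decrypt(n12, blob["body"], AAD)
    (meta_len,) = struct.unpack(">I", plain[:4])
    return json.loads(plain[4:4 + meta_len])["filename"], plain[4 + meta_len:]
```

Note that the server-side blob carries only the KID, a nonce, the AEAD ciphertext and the wrapped DEK; without the KEK the unwrap fails, and a single flipped bit in the body fails Poly1305 verification.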

RAG Encryption

For encrypted document search, PCCI uses a secure key exchange scheme that enables AI-powered search while maintaining privacy:

How RAG Search Works

  1. Key Exchange. When you index files for search:
     • XWing key exchange establishes a shared secret with the enclave
     • The file key (DEK) is encrypted with the shared secret
     • The RAG key is encrypted with the shared secret
     • Both encrypted keys are sent to the enclave
  2. Search Query. When you search:
     • Your query is encrypted on your device
     • A new XWing key exchange is established
     • The encrypted query is sent to the enclave
  3. Secure Processing. Inside the secure enclave:
     • The shared secret decrypts the RAG key and file keys
     • Relevant documents are decrypted using their file keys
     • Documents are searched in isolation
     • Results are encrypted before leaving
  4. Results: encrypted results are sent back to your device and decrypted locally
The PCCI Proxy never sees your search queries or document contents. All processing happens in the isolated PCCI Enclave.

Secure Key Exchange

For chat completions and tool operations, secure communication is established using XWing key exchange:

Best Practices

Secure Your Master Key

Your master key (KEK) is critical. Store it securely with proper backups.

Regular Backups

Back up your keys to multiple secure locations. A lost master key means permanent data loss.

Never Share Keys

Your encryption keys should never be shared or transmitted in plaintext.

Verify Integrity

The system automatically verifies data integrity. Pay attention to any authentication errors.