OWL Product Security Information
How OWL protects your data, how to use and operate it securely, and how long it is supported. This page provides the user security information and instructions for the product, in line with the EU Cyber Resilience Act (CRA), Annex II.
1. Manufacturer & contact
- Manufacturer: NDEVR, LLC — 1300 W Morton St, Oakland City, IN 47660, USA · ndevr.org
- EU authorized representative: In progress — to be appointed before OWL is placed on the EU market (required because NDEVR is established outside the EU).
- Security / vulnerability contact: security@ndevr.org · /.well-known/security.txt
2. How to report a vulnerability
Report security issues to security@ndevr.org (PGP available). Our coordinated-disclosure policy, scope, and safe-harbor terms are set out in our disclosure policy. We acknowledge reports within 3 business days.
3. Intended purpose & security properties
OWL stores, syncs, shares, and lets you collaborate on files and messages with end-to-end, zero-knowledge encryption — the server holds only ciphertext it cannot read.
- Content encryption: AES-256, performed on your device before upload, with HMAC-SHA-256 integrity tags. (Authenticated AES-256-GCM is used for key wrapping and escrow — see cryptography.)
- Key wrapping: per-file and per-conversation keys are wrapped to your account's public key using ECIES (NIST P-256).
- In transit: TLS/HTTPS, with pinned roots in the desktop and CLI clients.
- Passwords: never transmitted; only a salted bcrypt hash of a password-derived credential is stored.
- Updates: software updates are digitally signed and verified before installation.
Important user responsibility. Your encryption keys are derived from your password. If you lose your password and have not enabled the optional recovery (escrow) feature, your encrypted data cannot be recovered — by design. See also the privacy policy.
4. Security support period
NDEVR provides free security updates and vulnerability handling during the product's security support period: at least 5 years from the date OWL is placed on the EU market. The exact end date will be published here once set (In progress). After that date, security updates are no longer guaranteed.
5. Secure use — instructions
- Secure by default: OWL enforces transport security (TLS) and does not permit anonymous access. (Self-hosting operators: keep your TLS certificates valid and current.)
- Strong credentials: use a strong, unique password and treat it as the key to your data (see security properties above).
- Install updates promptly: OWL verifies update authenticity with a digital signature; apply security updates as they are released. (In-product security-update notifications: In progress.)
- Recovery, with eyes open: the optional recovery (escrow) feature trades part of the zero-knowledge guarantee for the ability to recover your account if you forget your password. Enable it only if you accept that trade-off.
- Reset to a secure initial state: guidance for resetting an account or installation to its original secure state is In progress.
- Decommissioning / secure deletion: delete individual items or close your account to remove your data; secure account deletion with crypto-erase is In progress. Until then, request deletion via security@ndevr.org.
- Data export / portability: you can download your files and data through the OWL clients at any time; expanded export tooling is In progress.
6. Reasonably foreseeable risks
- Self-hosting the OWL server makes you responsible for maintaining TLS and applying updates promptly.
- The optional recovery (escrow) feature reduces the zero-knowledge guarantee in exchange for password recovery — enable it only if that trade-off is acceptable to you.
- OWL Connect and the QUAIL AI assistant grant consented, scoped server-side access to specific data when you use them; enable them only for integrations you trust. See the privacy policy for what is processed.
7. Software Bill of Materials (SBOM)
OWL's third-party components are documented in a CycloneDX SBOM, available on request via security@ndevr.org.
8. Technical documentation
OWL's full technical documentation is available to EU market-surveillance authorities, on request, via the manufacturer or the authorized representative.