Written by
Lorina Balan
, Digital Marketer
On March 26th, our CEO Ludovic Dubost hosted an engaging webinar showcasing CryptPad Enterprise's powerful capabilities. Attendees got a firsthand look at how organizations can achieve truly private collaboration without compromising on features or usability.
The live demonstration highlighted CryptPad's end-to-end encryption, collaborative editing tools, and enterprise-specific features that protect sensitive information while enabling seamless teamwork. Ludovic also shared insights into our security architecture and attendees had the opportunity to ask questions, covering topics such as future developments, security concerns, and enterprise integrations.
For those who missed it, the recording is now available, complete with detailed answers to the excellent questions raised during the Q&A session.
Key takeaways
During the session, we addressed key questions from participants, covering topics such as mobile improvements, enterprise integrations, data backup options, and security enhancements. The interactive Q&A provided valuable insights into CryptPad’s current capabilities and upcoming developments.
Key topics covered:
- End-to-end encryption & data privacy – Understanding how CryptPad secures your documents and communications
- Enterprise-ready features – How CryptPad can be used within organizations with LDAP, SAML, and OAuth support
- Collaboration tools – Exploring real-time document editing, team spaces, and sharing mechanisms
- Backup & recovery strategies – Ensuring data security in case of loss
- Roadmap & future improvements – Upcoming features, including mobile optimizations and expanded integrations
For those looking to explore CryptPad further, we recommend the following resources:
- Experience CryptPad’s privacy-first collaboration tools at cryptpad.fr.
- Learn more about enterprise plans and features on the pricing page.
- Discover how CryptPad fits into business workflows with CryptPad Blueprints.
- Set up a self-hosted CryptPad instance with the installation guide.
Q&A session
1. Are there any plans to make CryptPad more smartphone-friendly? If so, when?
Yes, improving mobile usability is a priority. The development team is actively working on enhancing CryptPad’s interface for mobile, but there is no fixed timeline for release. You can track progress on GitHub.
For users that are really wanting better things on mobile, it is very helpful to provide a precise ticket about the problem that you have. We're also trying to get some specific funding that would get us better on mobile. We hope that by the end of the year we can announce some good news in this area.
2. To move for example Google for Business accounts we need more: Calendar, Tasks, Group tasks, email (email server may be external like migadu.com but must be functionally integrated). Any plans for a complete suite?
So we do understand that people want a complete solution. Now the first thing is that there are already alternatives for emails, for example, so we're not sure if we want to go in the email business because it's a lot of work. So there are other email solutions such as Tuta or ProtonMail. CryptPad already includes a Calendar app, but it currently does not support synchronization with external calendar services. Expanding its functionality for better integration is something the team is considering. For tasks we have Kanbans from our point of view. Going much further in the project management area is a bit difficult for us because it's also a lot of work versus our funding.
3. We are moving to migadu.com for emails and calendar from Google. With CryptPad we would have an office alternative and size limited drive. How about group chat and video conferences?
So group chat and video conferences, we also believe that this is not our area. There are already solutions that do into an encryption now with group chat, with group chat and video conferences and for example, one that we would recommend is Matrix's Element. Matrix has end-to-end encrypted messaging, and there is now element call, which supports end encryption in video calls. We don't think that it should be the role of CryptPad to do that. We're much more interested in looking at how we can integrate between the solution. This is why we also build the CryptPad API.
4. How do I do a complete backup of all data in CryptPad as a user? Maybe deltas?
Users can download their CryptDrive via the "Download my CryptDrive" feature. If your drive is very big, it can be a bit cumbersome and not easy to backup your drive. So we're aware that this is not ideal, but due to the end-to-end encryption system, it's not so simple to do a delta based backup. We have one year of backups. They're all stored every day, so we have deltas by day and a full backup every month. So CryptPad has very strong backups for our users to protect the data, but we definitely understand that it makes a lot of sense for users to do their own backups. This is something that we'll look into in the future.
5. Would data be turned over in the event of a warrant? If the company were to sell, how secure would our data be?
So that's 2 different questions actually. So let's start with the simpler one. By law if the police is asking, especially the French police because we're hosted in France, is requesting our data, we would have to give the data. However, this data would be end-to-end encrypted, so we would not be able to give actually data to users that would be readable.
If they ask for IP addresses, some IP addresses could be turned over and connected to the data that is in the system, but the data is all into and encrypted. About the other question, if the company were to sell, how secure would our data be? So first, XWiki SAS is a very safe company that respects people. We would never sell the company without being able to give the data to people. We have measures also inside the company to secure the data. The backups are outside of our hoster, so if a hoster locks us out from our data, or let's say if there was a warrant seizing all our servers, then we would still have the backup data, and we would be able to restore the service or give it to somebody else to restore the service.
6. How to revoke access? So far, I have the impression, that knowing a document's URL is what gives you access to it. How to keep things secure when someone leaves a team? Especially when this happens on bad terms.
That's a complex problem. Teams kind of solve this, so if you have a team, you can actually revoke access to the drive of the team. It's more complex if people have the documents in their own drive. So if they copied the URLs in their own drive, it's a bit more complex to massively make sure that they cannot access the data. There is a feature that increases security in CryptPad which is called access, and you can actually ask the server to verify if people should access the document or not. This is based on the server accepting or not to serve the data to the user, but at this point you have to do this document by document, so this is not extremely practical.
You're right that at the moment the keys are in the URL and once someone has this we cannot take it back. So you cannot revoke the link. We have prototyped a revokable link feature which we hope to implement in future. This is at the early prototype stage though, it's not on our current roadmap, but it's on our medium to long-term things that we want to include in the products.
7. With the European Union and French legal frameworks that are becoming more and more privacy threatening (with phone communications and chats being routinely spied on, a CBDC and centralized digital wallet being promised for the end of this year, etc.), are you, as CryptPad, considering moving your servers to less totalitarian environments, like Switzerland or Iceland?
It's complex for us to have hosting in many countries, so we wouldn't necessarily move our server. We could have the possibility to have multiple servers and then people can choose. We also encourage people that are not necessarily happy with CryptPad hosting that there are other instances, in different countries that they can use. We have asked in our survey if people would be interested in instances in different countries, so I know that for this question, it shows that Switzerland or Iceland could be an interesting area for storing data. But it's also more complex for us, so this is something we'll think about for the future.
8. Can CryptPad’s encryption algorithm be implemented in other software?
We use a lot of encryption algorithms that are standard. However, the CryptPad end-to end encryption, requires both client code and server code. So basically the server code is receiving data and transmitting to other users. We're thinking for the future to build an API where you could use any quiet server, and have an API that you could embed in another software to transmit data between software. In the coming months you will see an API coming up which will allow to write some common line code. That can interact with the CryptPad server. But you still need the CryptPad server because the end-to-end encryption requires a system to transmit the data.
9. What happens if a user forgets their password or encryption key? Is there any recovery mechanism, or is the data permanently lost?
The answer is the data is permanently lost. We wouldn't be doing our job properly with an encryption if we were able to recover the data. The only thing that people can do is see if they have a cache, and they can open the document on their computer based on the URLs they have on their computer. But if they cannot open the drive, they won't be able to find all the keys of every document, but they might be able to open one document. What we recommend is to really make sure to make a backup of the key in a secure space area.
So for example, use password storage application, or think about recovery schemes. This can mean that, for example, you share your key with 2 people. And that you can ask these 2 people to give you their part of the key, and then you would recover your key.
We have looked at mechanisms such as secret sharing to allow account recovery but this is at the prototype stage.
10. What's the technical knowledge/expertise required and the associated workload to maintain our own on-premises instance?
Running an on-premises instance requires moderate sysadmin knowledge, including server maintenance, backups, and updates. The installation guide provides step-by-step instructions. But once you have data on your server, you can check if you configured the instance properly by using the checkup script that can be found in the installation guide.
11. Could document links be leaked via the HTTP "Referrer" header?
No. Referrer headers do not include the part of the URL after the "#" character which is where CryptPad document keys are, so no document links cannot be linked in this way.
12. Could CryptPad be used as an "instant messenger" inside an organization or company (through a chat functionality)?
It is possible but we haven't built the chat for this. We have built the chat to chat on documents. We have put the chat in the Teams because it was part of what we plan to do. We don't consider that our chat feature is a sufficiently advanced solution compared to tools like Matrix or Signal.
13. Would adding an additional password improve document security?
CryptPad uses passwords to protect against sharing links in insecure channels.
14. Is it possible to directly share links with users on other instances?
Currently, CryptPad does not support cross-instance direct sharing. Users must manually share document links via secure channels.
15. What is the best way to back up a complete drive?
There are 2 separate exports available for the drive:
- Backup, which only saves the keys to documents to be restored on the same instance (e.g. migrating an account)
- Download, which saves all documents. We do our best to save all documents in formats that are readable outside of CryptPad, but this is not always possible at the moment.
16. How does CryptPad protect against brute-force attacks or unauthorized access attempts?
First we recommend MFA. If you have MFA, it's going to be very difficult for anybody to gain access to your system. CryptPad uses strong encryption, rate limiting, and other security measures to prevent brute-force attacks. User data is protected at rest and in transit. However, we still recommend that people use strong passwords.
17. Are there integrations with identity providers like LDAP, SAML, or OAuth?
We have SSO plugin with support for Open ID Connect and SAML. We don't implement LDAP which is not really a single sign-on system, it's a login system. So note that our implementation of SSO doesn't spare you from filling in your personal password.
18. How does CryptPad handle data deletion? If an employee leaves an organization, can their encrypted data be recovered or permanently erased?
When you delete a CryptPad account, all data owned by that account can be deleted. This creates a risk: If an employee is the sole owner of important documents and their account is deleted, those documents could be permanently lost, even if they're also in a Team Drive. To prevent this, we recommend using Team Drives where the team itself is made an owner of all documents. This way, when employees leave, their account deletion won't remove essential documents that others need access to.
Support CryptPad's mission
CryptPad is committed to providing secure, private collaboration tools that respect user privacy. As an open-source project, we rely on community support to continue developing and improving our platform. Individual users can contribute by making donations via Open Collective or subscribing to CryptPad.fr. Organizations can support development through subscriptions or feature sponsorships.
We maintain full transparency about how funds are used, publishing annual updates on our funding status on the CryptPad blog. Your support helps ensure that privacy-focused collaboration remains accessible to everyone.
