Solutions · Data Security

Encryption with keys that never leave the owner

Protect data in transit and at rest with keys created and controlled by the data owner — not a third-party vendor

Most solutions protect data only while it moves. Faction protects it in transit and at rest, with keys created and held by the owner — so data isn't left decrypted on cloud servers and endpoints waiting for the next breach.

Keys are generated on your own device and never transmitted to Faction. There is no master key. Faction's infrastructure routes your encrypted traffic but cannot read your content — it is technically incapable of doing so, even if compelled. That's Zero Knowledge as a property of the architecture, not a promise in a policy.

How owner-held keys protect your data
Keys created on your device — they never leave it
Your Keysgenerated & held by the owner · no master key
End-to-End Encryptionin transit and at rest
Email (S/MIME)
Direct file transfer
Cloud & local storage
Owner-keyed backup
Encrypted in transit · Encrypted at rest · Keys never leave your device · Zero Knowledge
Your data, encrypted under your keys
01

Encrypted email

Sign and encrypt mail in the client you already use — S/MIME, with your own certificate. No new tools.

02

Secure file transfer

Send files of any size directly between devices; they never touch Faction's infrastructure.

03

Encrypted at rest

Files stay encrypted on your endpoints and in storage, under keys only your devices hold.

04

Owner-held keys

Keys are generated on your device and never leave it — Zero Knowledge, so Faction can't read what you protect.

Faction app — peer-to-peer file transfer
End-to-end encrypted
Peer-to-peer
What you can do

Use your own email

Keep the email app you already use, but encrypt message contents with a personal X.509 certificate signed by your own key.

Bring your own cloud drive

Store and share on the cloud drive you prefer — encrypted with your own keys, with no cloud exposure of the contents.

Share files anywhere

Move files of any size across platforms through your own distributed network of drives and devices.

Owner-keyed at rest

Data stays encrypted on endpoints and in storage; the keys never leave the owner's devices.

Four independent layers of encryption
  • API communication — RSA-4096 with AES-256-GCM and Ed25519 secures traffic between your device and Faction's infrastructure.
  • Network transport — WireGuard (ChaCha20-Poly1305) encrypts everything moving across your private circuit.
  • Peer-to-peer — mutual TLS 1.3 with X.509 certificates protects direct device-to-device sessions, including file transfers.
  • Data at rest — AES-256 keeps stored data encrypted on your endpoints and in backup, under keys only your device holds.
Go deeper
White Paper

The Next Generation of Zero Trust

Read & download
Cover coming soon
Brief

Data Security — coming soon

Coming soon
Cover coming soon
Guide

Data Security — coming soon

Coming soon
Related
Virtual Private CircuitsHealthcare

Own your trust. Keep your peace of mind.

The new threat environment calls for a new Zero Trust model. We'd welcome the chance to show you how Faction puts you in control and secures your critical systems and assets rapidly with low cost and IT overhead.

Get early access

Put owner-held encryption to work on your own data — in transit and at rest — and see what Zero Knowledge means in practice.

Get Early Access

MSPs & MSSPs

Offer clients data protection where only they hold the keys — and manage it across every account from one place.

MSP / MSSP Program