At Tresorit, we believe that delivering truly secure, end-to-end encrypted content solutions isn’t a one-and-done achievement — it’s a continuous commitment. That’s why we regularly commission independent audits and penetration tests and will do so every year from 2025 onward. And today, we are pleased to share the results of the most recent — conducted at the end of 2025 — vulnerability assessment and penetration testing of Tresorit’s security framework, conducted by an internationally renowned third-party auditor.

What was tested — and why it matters

For this latest evaluation, an independent firm carried out a comprehensive penetration test on the technical security evaluation of Tresorit’s end-to-end encryption, web, mobile and desktop applications — addressing selected components of the product suite such as Tresorit SecureCloud and Tresorit Engage.

The test was executed using a gray-box testing methodology, where test user accounts and controlled access were provided for the purpose of conducting real-world attacks on data security and functionality in a risk-free way.

The objective? To evaluate Tresorit’s security posture and identify any potential deficiencies or vulnerabilities with particular focus on, but not limited to, Tresorit’s claim of end-to-end encryption.

This includes:

• Identifying security gaps, vulnerabilities, architectural deficiencies that may undermine Tresorit’s security claims, and assessing the associated business risks.
  
  
• Evaluating the current state of the information security design related to Tresorit using Open Web Application Security Project (OWASP) guidance on attack, penetration testing and general leading practices.
  
  
• Providing clear, actionable recommendations to mitigate the identified risks.

After all, penetration testing isn’t about proving perfection — it’s about validating security claims through rigorous, objective assessment.

The outcome: Tresorit's data confidentiality claims confirmed

We are proud to report that the independent review found Tresorit’s claim regarding end-to-end encryption — specifically that Tresorit servers and employees cannot access data uploaded by users — to be well founded. As the report states: “Test results found no deviation from Tresorit’s data confidentiality claims.”

The assessment did not identify critical or high-severity findings related to Tresorit’s cryptographic or other components. However, a medium-severity, server-side race-condition vulnerability — not affecting end-to-end encrypted data security — was detected, together with a few other medium- and low-severity issues. These findings pertain to procedural or interaction-layer issues rather than underlying structural security flaws and can be remedied easily.

This outcome mirrors our previous internal and external audits — including earlier penetration tests and the independent study by ETH Zurich that evaluated our end-to-end encryption design among multiple providers.

What it means for you

• Trust that your data remains private. With Tresorit’s data confidentiality claims validated, you can be reassured that your data remains confidential. Tresorit enforces strict client-side encryption: files are encrypted before leaving your device and remain unreadable to anyone — including Tresorit’s own servers.
  
  
• Security that evolves with the threat landscape. From today’s threats to tomorrow’s post-quantum risks, we continuously advance our cryptography to stay ahead. Repeated independent testing ensures that we adapt and reinforce where necessary.
  
  
• Transparency and accountability. By publishing our test results and working openly with third-party auditors, we provide clear evidence that our security claims stand up to scrutiny — not just internally, but in real-world adversarial tests.

In summary

Security, for us, isn’t just a feature — it’s our foundation. The latest independent penetration test conducted in 2025 once again validates that Tresorit remains a reliable, secure home for your most sensitive data. We’re grateful to the auditors for their thorough work and to our community for trusting us with their confidential data.

As we continue building and improving our platform, we remain fully committed to transparency, rigorous testing, and the highest standards of encryption and data protection.

Please contact our Support Team for more details.