Letro is built as a Proof-of-Service / Digital Registered Delivery platform.
Our security design prioritizes:
(1) protecting message content with end-to-end encryption,
(2) minimizing and protecting metadata required for delivery and evidence,
(3) producing auditable, exportable records suitable for regulated workflows.
Core security principles
- End-to-end encryption by design. Message content and attachments are encrypted on the sender device and decrypted only on recipient devices (Signal Protocol).
- Zero-knowledge orientation. Letro is designed so that internal staff and backend systems do not have access to message plaintext or user private keys.
- Trustless evidence. Where possible, evidence artifacts (e.g., delivery events) are cryptographically verifiable (e.g., signed records) to reduce reliance on trust in a single operator.
- Zero-knowledge proofs (where applicable). For workflows that require third-party verifiability without revealing content, Letro can support cryptographic proofs that attest to properties or events while keeping sensitive data hidden.
- Least privilege and auditable operations. Administrative access is limited, time-bound, and logged; security review expects a clear answer to 'who can access what' and why.
- Regional data residency options. Customer data can be hosted in Switzerland or GCC regions depending on customer needs.
Important definition. In this document, 'content' means message bodies and attachments. 'Metadata' means delivery routing information and system events required to operate the service and produce proof-of-service records.
