Skip to content

Your data on Aleph

This page states plainly what Stasho stores about you, what's encrypted, what's public, and how to check our claims without trusting us.

Prerequisite: none, but Connect & sign in explains the keys involved.

The model in one paragraph

Everything lives as messages on the public Aleph network, written under your wallet address. Sensitive fields are encrypted in your browser before they're written; public fields are plaintext for anyone to read. There is no private database with your project data in it — the backend keeps only a cache of the public fields, and holds no standing key to the encrypted ones.

What's encrypted, what's public

Projects:

EncryptedPublic
Project nameFramework
Repo URL and branchDeploy target
Build command, output directoryCreated / updated timestamps
Environment variablesDeleted flag
GitHub installation ID

Deployments:

EncryptedPublic
Commit hash and messageStatus (queued, live, failed…)
BranchArtifact CID
GitHub Actions run URLGateway URL
Build error outputTimestamps

Note what this means: an observer of the Aleph network can see that your wallet deploys something and when, but not what it's called, which repo it comes from, or what broke when a build failed. Source details are always encrypted — even for public repos — so your wallet address can't be bulk-linked to your GitHub identity by indexing Aleph.

Who can decrypt

Each encrypted field is sealed to two recipients, both yours:

  1. Your wallet key — the recovery path. With your private key you can decrypt everything, forever, with no help from us (see Recover your data).
  2. Your browser's derived encryption key — the everyday path, derived from the one-time Unlock signature.

The backend is not a recipient. It cannot read your project names, repos, commit messages, or error logs — in the dashboard those fields are decrypted by your browser, not sent down from our servers.

What happens when you delete a project

  1. The project is marked deleted on Aleph (the record is tombstoned, history stays auditable)
  2. The backend issues FORGET messages for the project's pinned artifacts — Aleph nodes drop the content within a day or two

One honest caveat: IPFS is a public network. While your site was live, third-party gateways and nodes outside Aleph's control may have copied the bytes, and a FORGET doesn't reach them. Treat anything you deploy as public the moment it goes live — deletion removes it from Aleph, not from the internet's memory. Your encrypted metadata doesn't have this problem; without your keys it's noise.

Check our claims

You don't have to take any of this on trust:

  • Settings → Data & Privacy in the app shows the full encrypted-vs-public field list, your on-chain message footprint, and any inconsistencies between our cache and the chain.
  • Verify on Aleph Cloud, on any deployment's detail page, walks the actual signed messages behind it — who signed each one (you, your browser's session key, or our delegate), with explorer links.
  • The public audit endpointhttps://api.stasho.xyz/api/audit/<your-address> — returns, unauthenticated, every key authorized to write under your wallet and whether our cache matches the chain. Anyone can build a watchdog on it.
  • The recovery script reconstructs everything from Aleph directly — the ground truth if you ever doubt the dashboard.