Security & Privacy

Data Encryption

How we protect your data with AES-256 encryption, zero-knowledge architecture, and end-to-end security. Profile data, passwords, and API keys are encrypted at rest and in transit.

Dr. Emily Zhang

Your profile data contains login sessions, cookies, and account credentials. We encrypt everything with military-grade AES-256. Even if attackers breach our servers, they can't read your data.

Encryption Standards

We use AES-256-GCM (Advanced Encryption Standard with 256-bit keys in Galois/Counter Mode).

What that means:

  • 256-bit keys: 2^256 possible keys. Brute force would take billions of years with all computers on Earth.
  • GCM mode: Provides both encryption and authentication. Prevents tampering.
  • NIST-approved: Used by US government for TOP SECRET data.
  • Industry standard: Banks, healthcare, military all use AES-256.

What Gets Encrypted?

Profile Data (at rest):

  • Cookies and session tokens
  • Local storage and IndexedDB
  • Browsing history and bookmarks
  • Form autofill data
  • Extension data and settings
  • Cache files

Credentials (at rest):

  • Your account password (hashed with bcrypt + salt)
  • API keys
  • Proxy passwords
  • Webhook secrets

Data in Transit (TLS 1.3):

  • All API requests
  • Dashboard access
  • Profile synchronization
  • Desktop app communication

Zero-Knowledge Architecture

We use zero-knowledge encryption for sensitive profile data.

How it works:

  1. An encryption key is derived from your password on your device. The key never leaves your device.
  2. Profile data is encrypted locally with your key
  3. The encrypted data is uploaded to our servers
  4. We store encrypted blobs. We can't decrypt them.
  5. When you log in, your key decrypts your data

What this means:

  • Multilogin employees can't access your profile data
  • Law enforcement subpoenas get encrypted data (useless without your key)
  • Server breach doesn't expose your data
  • If you forget your password, your data is unrecoverable

⚠️ Password Recovery

We can't reset your password for you. If you forget it, your encrypted data is permanently lost. Use a password manager. Enable two-factor authentication as backup.

Encryption Key Management

Master Key: Derived from your password using PBKDF2 with 100,000 iterations and a random salt.

Data Encryption Keys (DEKs): Unique 256-bit key for each profile. Encrypted with your master key.

Key Rotation: DEKs rotate automatically every 90 days. Old keys kept for 30 days to decrypt legacy data, then destroyed.

Hardware Security Modules (HSMs): Master keys stored in FIPS 140-2 Level 3 certified HSMs. Physical and logical security.
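
The password-to-master-key-to-DEK hierarchy above, together with the five zero-knowledge steps earlier on this page, as an added Node.js example (not Multilogin's code). Assumptions: PBKDF2 uses HMAC-SHA256 (the page does not name the hash), a 16-byte salt, a nonce || tag || ciphertext blob layout, the profile ID as GCM associated data, and hypothetical function names; key rotation and HSM storage are not modelled.

```javascript
// Added example: password -> master key (PBKDF2) -> wrapped per-profile DEK -> AES-256-GCM blob.
const nodeCrypto = require('crypto');

const PBKDF2_ITERATIONS = 100000; // iteration count stated on the page
const KEY_LEN = 32;               // 256-bit keys

// AES-256-GCM encrypt. Assumed layout: nonce(12) || tag(16) || ciphertext.
function seal(key, plaintext, aad) {
  const nonce = nodeCrypto.randomBytes(12); // must never repeat under the same key
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, nonce);
  cipher.setAAD(aad);
  const ct = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([nonce, cipher.getAuthTag(), ct]);
}

// AES-256-GCM decrypt. final() throws if key, AAD, tag or ciphertext is wrong.
function open(key, blob, aad) {
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  decipher.setAAD(aad);
  decipher.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([decipher.update(blob.subarray(28)), decipher.final()]);
}

function deriveMasterKey(password, salt) {
  return nodeCrypto.pbkdf2Sync(password, salt, PBKDF2_ITERATIONS, KEY_LEN, 'sha256');
}

// Client side (steps 1-3): only the returned record is uploaded.
function encryptProfile(password, profileId, profileData) {
  const salt = nodeCrypto.randomBytes(16);
  const masterKey = deriveMasterKey(password, salt);
  const dek = nodeCrypto.randomBytes(KEY_LEN); // unique DEK per profile
  const aad = Buffer.from(profileId);          // binds both blobs to this profile
  return { salt, wrappedDek: seal(masterKey, dek, aad), data: seal(dek, Buffer.from(profileData), aad) };
}

// Client side (step 5): re-derive the master key, unwrap the DEK, decrypt the data.
function decryptProfile(password, profileId, record) {
  const aad = Buffer.from(profileId);
  const dek = open(deriveMasterKey(password, record.salt), record.wrappedDek, aad);
  return open(dek, record.data, aad).toString();
}

// True when decryption is refused: wrong password, wrong profile ID, or a modified blob.
function rejects(password, profileId, record) {
  try { decryptProfile(password, profileId, record); return false; } catch (e) { return true; }
}
```

The server-side record holds only the salt and two GCM blobs, so a lost password leaves nothing to recover the DEK from, which is the unrecoverability trade-off described under Password Recovery.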

Data at Rest

All profile data is encrypted before it is written to disk.

Desktop App Storage:

Profiles stored locally on your machine. Encrypted with device-specific keys. Unauthorized users can't access your profiles even with physical access to your computer.

Cloud Storage:

Team plans sync profiles to the cloud. Data is encrypted client-side before upload. The server stores the encrypted blobs in AWS S3, with server-side encryption (AES-256) as an additional layer.

Database Encryption:

MySQL databases use Transparent Data Encryption (TDE). Sensitive fields (API keys, proxy passwords) get application-level encryption on top of TDE.

Data in Transit

All network communication uses TLS 1.3 with perfect forward secrecy.

Cipher Suites (in order of preference):

  • TLS_AES_256_GCM_SHA384
  • TLS_CHACHA20_POLY1305_SHA256
  • TLS_AES_128_GCM_SHA256

Certificate Pinning: Desktop app pins our SSL certificate. Prevents man-in-the-middle attacks even if CAs are compromised.

HSTS: HTTP Strict Transport Security forces HTTPS. No downgrade attacks possible.

Backup Encryption

Profile backups (exported via dashboard or API) are encrypted archives.

Export Format: AES-256 encrypted ZIP with password protection.

Backup Storage: If you store backups in Dropbox/Google Drive, use their encryption features. Or encrypt with 7-Zip/VeraCrypt before uploading.

Encryption Performance

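| Operation    | Profile Size | Encryption Time | Overhead   |
|--------------|--------------|-----------------|------------|
| Profile Save | 100MB        | 1.2 seconds     | ~5%        |
| Profile Load | 100MB        | 0.8 seconds     | ~3%        |
| Cloud Sync   | 500MB        | 8 seconds       | ~10%       |
| API Request  | 1KB          | <1ms            | Negligible |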

Encryption adds minimal overhead. Hardware AES acceleration (AES-NI on modern CPUs) makes it nearly free.

Compliance Certifications

  • SOC 2 Type II: Annual audit of security controls
  • GDPR Compliant: Data encryption required by Article 32
  • CCPA Compliant: California privacy law requirements
  • ISO 27001: Information security management (in progress)

What We Don't Encrypt

Some data can't be encrypted without breaking functionality:

  • Usernames/Emails: Needed for login and search. Hashed for privacy.
  • Profile Names: Must be searchable. Don't put sensitive info in names.
  • Audit Log Metadata: Timestamps, actions, actors. Needed for security monitoring.
  • Billing Info: Payment processor (Stripe) handles this. PCI DSS compliant.

Verifying Encryption

Check TLS Connection:

Visit multilogin.io → Click padlock in address bar → View certificate → Should show TLS 1.3 with AES-256-GCM cipher.

Check Profile Encryption:

Profile storage location → Open profile directory → Files are binary encrypted blobs, not readable text.
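
A more systematic version of the "not readable text" check, as an added Node.js example (not part of the original page or the product). It assumes a Chromium- or Firefox-style profile, where unencrypted cookie and history stores are SQLite files; the thresholds and function names are illustrative. High entropy is consistent with encryption but also with compression, so treat a "high-entropy" result as necessary, not sufficient.

```javascript
// Added example: heuristic check that a stored profile file is not readable plaintext.
const { randomBytes } = require('crypto');

// Shannon entropy in bits per byte (0 = constant data, 8 = uniformly random).
function entropyBitsPerByte(buf) {
  const counts = new Array(256).fill(0);
  for (const b of buf) counts[b]++;
  let h = 0;
  for (const c of counts) {
    if (c > 0) {
      const p = c / buf.length;
      h -= p * Math.log2(p);
    }
  }
  return h;
}

// Header of an unencrypted SQLite database (cookie/history stores in common browsers).
const SQLITE_MAGIC = Buffer.from('SQLite format 3\0');

// Classify file contents; pass at least a few KB so the entropy estimate is meaningful.
function classify(buf) {
  if (buf.length === 0) return 'empty';
  if (buf.subarray(0, SQLITE_MAGIC.length).equals(SQLITE_MAGIC)) return 'plaintext:sqlite';
  let printable = 0;
  for (const b of buf) {
    if (b === 9 || b === 10 || b === 13 || (b >= 32 && b < 127)) printable++;
  }
  if (printable / buf.length > 0.95) return 'plaintext:text'; // JSON, prefs, logs
  // Illustrative threshold: AES-GCM output sits very close to 8 bits/byte.
  return entropyBitsPerByte(buf) > 7.5 ? 'high-entropy' : 'structured-binary';
}

// Constructed samples standing in for files read from a profile directory.
function demo() {
  return {
    cookiesDb: classify(Buffer.concat([SQLITE_MAGIC, Buffer.alloc(84)])),
    prefsJson: classify(Buffer.from('{"name":"sid","value":"abc123"}')),
    sealedBlob: classify(randomBytes(4096)),
  };
}
```

To run it against real files, pass the result of `fs.readFileSync(path)` to `classify` for each file in the profile directory and investigate anything reported as `plaintext:*`.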

Enable Two-Factor Authentication

Encryption protects data at rest. Two-factor authentication protects account access. Add a second layer of security to prevent unauthorized logins.

Dr. Emily Zhang

Chief Security Officer

Dr. Emily Zhang leads security at Multilogin.io. She holds a PhD in Cryptography from Stanford and previously secured systems at Signal and ProtonMail.