> For the complete documentation index, see [llms.txt](https://oten.gitbook.io/drive-support/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://oten.gitbook.io/drive-support/faq/security-and-privacy.md).

# Security & Privacy

**Q. Can Oten read my files?** A. No. Encryption and decryption happen only on your device. Oten Cloud stores opaque ciphertext and holds no keys — it cannot read your files, even under legal compulsion.

**Q. Where are my files stored?** A. Encrypted on your device and synced to **Oten Cloud** as ciphertext. The server stores only encrypted blobs plus minimal bookkeeping (IDs, version counters, timestamps).

**Q. Are file&#x20;*****names*****&#x20;and folder structure encrypted too?** A. Yes. File contents, file names, folder structure, and vault names are all encrypted on-device.

**Q. What encryption does it use?** A. Strong, modern, authenticated encryption with **post-quantum-ready** (KEM-based) key handling. It's on by default — there's nothing to configure. A public cryptography white paper describes the design.

**Q. Could plaintext leak into logs or crash reports?** A. No. Zero plaintext leaving the device — including in logs, crash reports, caches, and sync traffic — is a hard product rule.

**Q. If I permanently delete data, is it really gone?** A. Yes. "Delete everything" securely wipes the associated keys, making that content's ciphertext unrecoverable by anyone.

**Q. Can the server tell how many Shadow Layers a vault has?** A. No. Layers are cryptographically independent, and the server stores only opaque blobs — it cannot tell whether a vault has one layer or several.
