// How it works
What runs where, what our servers can and can't see, and how to check for yourself.

Niska is privacy-first, but it's still software running on real servers, so let's be exact about what that means. Below is the honest breakdown of where each tool runs and what our servers can and can't see, including the parts where your data does leave your machine, and what we do to keep that to a minimum.

Per tool: where it runs, what we see
Tool Where it runs What our server sees Retention
File-share.sh Our servers The file, or only ciphertext if you encrypt it (encrypted and decrypted in your browser, so we only ever hold bytes we can't read), plus your IP Until expiry, one-time view, or you delete it
Pastebin.txt Our servers The paste, or only ciphertext if you encrypt it (encrypted and decrypted in your browser, so we only ever hold text we can't read), plus your IP Until expiry or one-time view, or you delete it
GeoIP.db Our servers (local database) The IP/hostname you look up, and your own IP Not stored per user; your search history stays in your browser
Password.key Your browser Nothing, the analyzer and generator never send your input anywhere Nothing leaves your device
Encode.enc Your browser Nothing, encoding, ciphers, hashing and encryption all run on your device Nothing leaves your device

Password.key and Encode.enc are live and fully client-side, carrying the runs in your browser · nothing leaves badge.

Encryption: the key stays in your link, never in our storage

Files and pastes can be encrypted with AES-256-GCM. The key is derived from your passphrase and never stored on our servers. It lives in the share link, after the #:

files:   /aB3xK9p.pdf#your-key
pastes:  /p/3f9a2c4e#your-key   ← everything after the # stays in your browser

That fragment (#…) is the part your browser never puts in the request URL, so it stays out of our access logs. Encrypted files and pastes are both end-to-end: your browser encrypts them before they reach us and decrypts them again on open, so we only ever store ciphertext and never see the key at all. GCM authentication means a wrong key fails loudly instead of returning garbage. The trade-off is deliberate: lose the link and the content is gone for good, encrypted pastes can't be edited or syntax-highlighted (we can't read them to colour them), and encrypted files can't be previewed by a link unfurler.

What we never store
  • Your encryption keys. They live in your link, never in our database. We are never able to see it. It sites after the # fragment, which is never send to us.
  • For browser-only tools like Password.key, anything at all. Your input never leaves your device.
Logging: we log, here's exactly what

We don't claim "no logs", that's almost never true, and we'd rather be precise. We keep operational access logs to run and debug the service and to enforce rate limits. They are request metadata, not a profile of who you are. A real log line looks like this:

{"timestamp":"2026-06-13T19:28:34Z","method":"GET",
 "path":"/p/3f9a2c4e#NEVER-REACHES-OUR-LOGS","status":200,
 "client_ip":"203.0.113.7","request_id":"e930bb9b","latency_ms":3}
  • Anything secret is submitted in a POST body, on purpose, so it never lands in a URL, a log, or your browser history.
Third parties (named honestly)
  • GeoIP lookups resolve entirely from a local database on our server, so the IP you query never leaves us.
  • Map tiles are fully self-hosted: the basemap is a single vector tile archive (OpenStreetMap data) baked into Niska and rendered in your browser, so no tile or font server is ever contacted, not even by us. Your IP and the area you pan to never reach a third party.
  • Everything else is first-party. JavaScript libraries are vendored and served from Niska, not a CDN; our Content-Security-Policy allows scripts only from our own origin.
Cookies: three, all functional
Cookie Purpose Notes
nsk_access Your signed-in session (a short-lived token) HttpOnly, SameSite=Lax, 15 min
nsk_refresh Renews your session without re-login HttpOnly, only ever sent to /api/auth
nsk_csrf Protects forms against cross-site forgery Readable by JS (so requests can echo it back), 12 h

There are zero analytics or tracking cookies. Consent banners exist to ask permission for tracking, we don't track, so there's nothing to ask, and no banner. Cookies only appear once you log in or submit a form.

Don't trust us, check

The source is closed for now, so this page and what you can observe yourself are the trust story. Open your browser's developer tools → Network tab and watch:

  • On a browser-only tool like Password.key, confirm that no request carries your input, the Network tab stays empty.
  • On an encrypted share, or file, confirm the key after the # is never in the request URL, your data is encrypted entirely client-side in your browser.
  • Check the response headers, a Content-Security-Policy that allows scripts only from our own origin, nosniff, and no third-party script origins.
Honest limits
  • The code is closed source for now, so trust leans on this page, on what you can verify in devtools, and eventually on a third-party audit.