Your project data stays yours
Refractum encrypts your work in the browser before it syncs. We never see unencrypted project files.
End-to-end encrypted
Data is encrypted in your browser before sync. Refractum never sees unencrypted project files.
What's encrypted
Schedule of Values
Project names, fee estimates, line items, and billing periods.
Time sheets
Titles, employee details, hour entries, and signatures.
Export contacts
Organization address, phone, and website used in exports.
How it works
Encrypt in your browser
AES-256-GCM encryption runs locally before anything leaves your device.
Sync ciphertext only
Our servers store encrypted data and wrapped keys — never plaintext project files.
Decrypt in your org
Only organization members with an unlocked vault can read project content.
What we can and can't see
End-to-end encrypted
- SOV project names, fee estimates, line items, and billing periods
- Time sheet titles, employee details, hour entries, and signatures
- Organization contact details used in exports (address, phone, website)
What's not encrypted
- Email address and display name
- Organization name, membership, and roles
- Multi-factor authentication status
- Record IDs, timestamps, and billing period dates
Refractum does not have your password or recovery key and cannot decrypt your project files. If you lose both, encrypted data cannot be recovered.
Built-in protections
Two-factor authentication required
Every account must set up an authenticator app before using Refractum.
Your keys, your responsibility
Encryption keys are derived from your password. Store your recovery key somewhere safe — it is the only way back in if you forget your password.
Data hosted in the United Kingdom
Encrypted project data and account metadata are stored in UK cloud infrastructure. While your vault is unlocked, data may also be held briefly in your browser.
Full legal details in our Privacy Policy .