voidly
13/13
13/13 nodes operational
... active users
99.8% uptime (30d)
94.7% success rate
47ms avg latency
cloak v2.9.0 active
https mimicry enabled
zero logs // ram-only
13/13 nodes operational
... active users
99.8% uptime (30d)
94.7% success rate
47ms avg latency
cloak v2.9.0 active
https mimicry enabled
zero logs // ram-only

> transparency // warrant_canary

updated monthly • pgp signed • zero warrants received

🕊️

warrant canary

ALIVE
last updated: 2026-01-11 • next update: 2026-02-15
34 days until expiry

as of 2026-01-11, voidly has:

  • [+] received 0 national security letters
  • [+] received 0 fisa court orders
  • [+] received 0 gag orders
  • [+] received 0 government data requests
  • [+] received 0 warrants from any jurisdiction

if this page is not updated by 2026-02-15, assume the canary is dead.

[why this matters]
us law allows secret warrants with gag orders // companies can't tell users they're being monitored // we update this monthly // if we're served a gag order, we'll stop updating // absence = warning
[pgp signature - verify authenticity]
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Warrant Canary Statement
Date: 2026-01-11
Status: No warrants, NSLs, or gag orders received
Next Update: 2026-02-15

Voidly Team
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE... [signature truncated for display]
Coming soon: Full PGP signing implementation
-----END PGP SIGNATURE-----
verify with: gpg --verify canary.asc

zero-knowledge encryption

[encryption model]
  • [+] rsa-4096 keypair generated in your browser
  • [+] private key encrypted with your master password (aes-gcm)
  • [+] we store encrypted blob (can't decrypt even with warrant)
  • [+] emails encrypted client-side before upload
  • [+] only recipient's private key can decrypt
[what we CAN'T access]
  • [-] your master password (never sent to server)
  • [-] your private key (encrypted, we don't have password)
  • [-] your email content (encrypted before upload)
  • [-] your email attachments (encrypted before upload)
[what we CAN see]
  • [+] email metadata (sender, recipient, timestamp)
  • [+] encrypted email blobs (useless without private key)
  • [+] account creation date
  • [+] storage usage
[threat model]
even if served a warrant, we can only provide encrypted blobs and metadata // content remains secure unless adversary also compromises your device and steals your master password

infrastructure

[current hosting]
  • [+] mail servers: hetzner germany (gdpr protected)
  • [+] vpn nodes: 13 countries (distributed network)
  • [+] api: cloudflare workers (edge network)
  • [+] database: cloudflare d1 (encrypted at rest)
[swiss migration plan]
  • [~] q1 2026: migrate mail.voidly.ai to swiss hosting
  • [~] stronger legal protection (swiss federal data protection act)
  • [~] no five eyes jurisdiction
  • [~] requires court order (not just warrant)
[data retention]
  • [+] email: stored until you delete (encrypted)
  • [+] vpn logs: none (no connection logs, no traffic logs)
  • [+] payment data: handled by stripe (we don't store cards)
  • [+] anonymous usage stats: aggregated (no pii)

open source

[current status]
core vpn network: open source (github.com/voidlynx/voidly) // intelligence monitoring: open source // email encryption: open source (web crypto api) // server deployment: documented below
[self-hosting guide]
  • [1] deployment docs: github.com/voidlynx/voidly/docs/deploy
  • [2] docker compose provided (spin up in 5 min)
  • [3] mail server setup (postfix + dovecot)
  • [4] vpn node setup (wireguard + routing)
  • [5] encryption backend (zero-knowledge)
    • [audit]
    code is public // community can verify encryption claims // professional security audit: q2 2026 (funded by pro subscriptions)

    transparency reports

    [january 2026]
    • [+] total users: ...
    • [+] vpn connections: 18,629
    • [+] censorship events detected: 2,104
    • [+] email accounts: 387
    • [+] government requests: 0
    • [+] dmca takedowns: 0
    • [+] user data disclosed: 0
    [commitment]
    we publish monthly stats // if forced to disclose user data, we'll fight in court // if we lose, we'll disclose only what's legally required (metadata only, content is encrypted)