Zero-knowledge architecture
Updated May 6, 2026

Poll and response path

| Guarantee | What it means in practice |
|---|---|
| Browser-generated poll keys | Keys are created client-side when you publish; the private key never leaves the admin environment except inside encrypted wrap structures you control. |
| Server stores public keys and ciphertext only | The service persists public keys and encrypted key-wrap material—not plaintext poll private keys. |
| Respondent encrypts in the browser | Submissions are encrypted client-side before transport. |
| Server stores ciphertext for responses | InviziPoll cannot decrypt responses without workspace poll private keys. |
| Admin decrypts in the browser | Authorized admins decrypt inside the workspace app after encrypted results are loaded. |
| Password- or passkey-protected key material | Recovery and cross-device flows wrap keys so the server sees wraps, not raw private keys. |

Shared folders (collaboration)

| Guarantee | What it means in practice |
|---|---|
| Poll keys wrapped to a folder key | Shared folders avoid ad-hoc per-admin poll key sharing. |
| Folder keys wrapped per collaborator | The server stores opaque encrypted wraps for each collaborator. |
| Client-side unwrap | Each collaborator unwraps folder material, then poll keys, then decrypts payloads for analytics—all in the browser. |
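
The wrap chain in the two tables above, written out with the Web Crypto API as an added example (not InviziPoll's code). The algorithms (RSA-OAEP, AES-GCM), the record shape, the function names and the collaborator IDs are all assumptions for illustration; the page does not state which primitives the product uses. RSA-OAEP limits this sketch to short answers.

```javascript
// Added sketch. RSA-OAEP and AES-GCM are assumed algorithms, not InviziPoll's documented ones.
const webcrypto = globalThis.crypto ?? require("node:crypto").webcrypto; // browser or Node
const { subtle } = webcrypto;
const RSA = { name: "RSA-OAEP", modulusLength: 2048, publicExponent: new Uint8Array([1, 0, 1]), hash: "SHA-256" };
const OAEP = { name: "RSA-OAEP", hash: "SHA-256" };

// Admin browser: create the poll key pair and every wrap; the return value is all the server stores.
async function publishPoll(collaboratorPublicKeys) {
  const poll = await subtle.generateKey(RSA, true, ["encrypt", "decrypt"]);
  const folderKey = await subtle.generateKey({ name: "AES-GCM", length: 256 }, true, ["wrapKey", "unwrapKey"]);
  const iv = webcrypto.getRandomValues(new Uint8Array(12));
  // Poll private key wrapped to the folder key.
  const wrappedPollKey = await subtle.wrapKey("pkcs8", poll.privateKey, folderKey, { name: "AES-GCM", iv });
  const folderWraps = {}; // folder key wrapped once per collaborator
  for (const [id, publicKey] of Object.entries(collaboratorPublicKeys)) {
    folderWraps[id] = await subtle.wrapKey("raw", folderKey, publicKey, OAEP);
  }
  const pollPublicKey = await subtle.exportKey("spki", poll.publicKey);
  return { pollPublicKey, wrappedPollKey, iv, folderWraps, responses: [] };
}

// Respondent browser: encrypt to the poll public key before anything is sent.
async function submitResponse(record, answer) {
  const publicKey = await subtle.importKey("spki", record.pollPublicKey, OAEP, false, ["encrypt"]);
  record.responses.push(await subtle.encrypt(OAEP, publicKey, new TextEncoder().encode(answer)));
}

// Collaborator browser: unwrap folder key, then poll key, then decrypt responses.
async function readResults(record, id, privateKey) {
  const folderKey = await subtle.unwrapKey("raw", record.folderWraps[id], privateKey, OAEP,
    { name: "AES-GCM" }, false, ["unwrapKey"]);
  const pollKey = await subtle.unwrapKey("pkcs8", record.wrappedPollKey, folderKey,
    { name: "AES-GCM", iv: record.iv }, OAEP, false, ["decrypt"]);
  const answers = [];
  for (const ciphertext of record.responses) {
    answers.push(new TextDecoder().decode(await subtle.decrypt(OAEP, pollKey, ciphertext)));
  }
  return answers;
}

async function demo() {
  const gen = () => subtle.generateKey(RSA, false, ["wrapKey", "unwrapKey"]);
  const [alice, bob, outsider] = await Promise.all([gen(), gen(), gen()]);
  const record = await publishPoll({ alice: alice.publicKey, bob: bob.publicKey }); // constructed IDs
  await submitResponse(record, "option-b"); // constructed sample answer
  const outsiderFails = await readResults(record, "alice", outsider.privateKey).then(() => false, () => true);
  return { alice: await readResults(record, "alice", alice.privateKey),
           bob: await readResults(record, "bob", bob.privateKey), outsiderFails };
}
```

The object returned by `publishPoll` holds only a public key, wraps and ciphertext, so a party holding that record but no collaborator private key fails at the first unwrap, which is what `outsiderFails` checks.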
