Security & ArchitectureSecurity reviewers, architects
Zero-knowledge architecture
1 min readUpdated May 15, 2026
Heads up — Terminology: in product copy, zero-knowledge means the service is designed not to hold the secrets needed to read poll answers. It is not a claim about formal ZK proof systems in academic cryptography.
This article maps InviziPoll’s confidentiality goal—the service never holds the secrets needed to decrypt responses—to observable product behavior, for security and architecture reviewers.
Poll and response path
| Guarantee | What it means in practice |
|---|---|
| Browser-generated poll keys | Keys are created client-side when you publish; the private key never leaves the admin environment except inside encrypted wrap structures you control. |
| Server stores public keys and ciphertext only | The service persists public keys and encrypted key-wrap material—not plaintext poll private keys. |
| Respondent encrypts in the browser | Submissions are encrypted client-side before transport. |
| Server stores ciphertext for responses | InviziPoll cannot decrypt responses without workspace poll private keys. |
| Admin decrypts in the browser | Authorized admins decrypt inside the workspace app after encrypted results are loaded. |
| Password- or passkey-protected key material | Recovery and cross-device flows wrap keys so the server sees wraps, not raw private keys. |
Shared folders (collaboration)
| Guarantee | What it means in practice |
|---|---|
| Poll keys wrapped to a folder key | Shared folders avoid ad-hoc per-admin poll key sharing. |
| Folder keys wrapped per collaborator | The server stores opaque encrypted wraps for each collaborator. |
| Client-side unwrap | Each collaborator unwraps folder material, then poll keys, then decrypts payloads for analytics—all in the browser. |