Sotvo is an invite-based, end-to-end encrypted messaging app for two people who already know each other. Its security model rests on five mechanisms: a room code that becomes the encryption key, post-quantum key establishment, a Double Ratchet that issues a new key for every message, relay-only calls, and zero data on disk.
All five serve one design rule: the server is an outsider. Our server relays sealed envelopes. It holds no key, no identity, and no history. This page walks through the five mechanisms in the order a room actually uses them, then names the limits we can’t engineer away, and ends with the few records we do keep.
The room code becomes the key
A room starts with a short code that one person shares with the other. Both phones feed that code into CPace, a password-authenticated key exchange, and the code itself never crosses the network. CPace lets two devices that both know the code agree on a strong shared secret; a server relaying the exchange, or anyone else on the wire, learns nothing useful from watching it.
A wrong guess fails the whole exchange instead of leaking a partial answer. Guessing at scale runs into rate limits, described at the end of this page. There is no account behind the code and no phone number ahead of it; the code is the whole introduction. The arrangement is quiet but strict: the code you whisper to your friend is the thing that locks the room, and we never hear it.
Post-quantum key establishment with X-Wing
Session keys come from X-Wing, a hybrid of X25519 and ML-KEM-768. The elliptic-curve half is what most encrypted messengers rely on today. The lattice half exists for recordings: encrypted traffic captured now and stored until quantum computers mature would still have to break both halves, and the lattice half is built to hold. A hybrid fails only when both of its parts do. We use the narrow term deliberately. What Sotvo has is post-quantum key establishment, a statement about how keys are made, and nothing broader. The mechanism is unpacked in post-quantum key establishment, explained.
A new key for every message
Message encryption inside the room runs on vodozemac, a Rust implementation of the Double Ratchet that Least Authority audited in 2022. The ratchet derives a fresh key for every message and discards the previous one, so a key captured tomorrow opens nothing from today. That property is called perfect forward secrecy, and it is why one lucky break does not unravel a whole conversation.
The word audited on this page belongs to vodozemac alone. Sotvo itself has not been independently audited yet, and we will not borrow the label until it has been.
Calls stay behind a relay
Voice and video run over WebRTC, and every call is relay-only: the two phones never connect directly. Neither person’s IP address is exposed to the other, and the relay writes nothing down; IP addresses are never logged, never stored. The relay moves encrypted media it cannot decrypt; its whole job is to stand between two addresses. The honest cost is a hop. Routing media through a relay can add a little latency compared with a direct connection, and we accept that trade for a call that carries no addresses.
Zero data on disk
The state a room needs while it is open lives in memory only. Server-side persistence is switched off: there is no message database and no backup job quietly writing copies. Rooms end on schedule or when burned, and whatever was in memory is released. There is no history to export, because none is kept.
On a pre-release build in July 2026, we ran the blunt version of this test: force-quit the app mid-conversation, restart the server, reopen everything. Nothing came back. There was nothing to come back.
What we can’t protect you from
Encryption has edges. Naming them is part of the job. Whether end-to-end encryption itself deserves your confidence is a fair question with a documented answer; we wrote ours in is end-to-end encryption safe. Past the math, three limits remain.
The first limit is the person you invited. Sotvo encrypts the path between two people, never the people themselves. Screenshots can’t be prevented — so they’re never silent. Sotvo detects a screenshot and tells the other person, every time. A second phone pointed at the screen, though, is beyond anyone’s detection, ours included.
The second limit is your device. A phone unlocked in someone else’s hands reads exactly what you read. App Lock keeps casual snooping out; it does not defeat a device that is itself compromised.
The third limit is the shape of traffic. Encrypted bytes are still bytes, and an observer can tell that data moved, when, and roughly how much. We can’t read anything. But we won’t claim to know nothing about you.
we see that a room exists, never what’s inside.
The little we keep
Running the service honestly requires three narrow records, and this is the full list. None of them contains a message, a name, or a raw IP address.
| What we keep | Why it exists | What it can never reveal |
|---|---|---|
| Rate-limit counters keyed to a hashed IP | Stops code-guessing and abuse | The raw address, which is never written; the hash secret rotates daily, so counters can’t be linked across days |
| An opaque push mapping | Delivers a notification when a room has activity | The sender, the content, or the room code; a notification says only “activity in a room” |
| Apple purchase verification | Confirms an unlock without creating an account | Who you are; no payment details ever reach us |
The counters expire on their own. The push mapping lives only as long as its room and is deleted when the room ends. Money changes hands without identity, too: Joining rooms is always free. The unlock will be a one-time $6.99 purchase, and Apple handles the payment — we never learn who you are.
Three questions, answered plainly
Can Sotvo read my messages?
No. Keys are created on the two devices in a room and never leave them. Our server passes along sealed envelopes and forgets them, so if someone demands your conversations, there is nothing to hand over.
Is Sotvo open source?
The cryptography is; the app is not. Sotvo is built on open source cryptography: vodozemac, CPace, and the WebRTC stack are open implementations, each listed with its license on our source page. Protocol documentation will be published with the release build.
Does Sotvo log IP addresses?
No. IP addresses are never logged, never stored. Rate limiting uses a counter keyed to a hash of the address, computed with a secret that rotates every day, and the raw address is never written to logs or to disk.
sotvo is not yet released. this page describes the design of the release build, and will be finalized with it.