Security

How Vidsync handles your data

Short version: your files stay on your machines, your account credentials never reach the desktop app, and every claim on this page is enforced in code.

Encryption in transit

All sync traffic between devices uses an end-to-end-encrypted peer-to-peer block protocol over TLS; we never see plaintext file bytes in transit. Account API traffic to thevidsync.com is HTTPS-only.

Authentication

Sign-in is handled by Clerk (https://clerk.com). The desktop app never sees your password — it receives a long-lived bearer token (vsk_…) minted server-side after you authenticate in your system browser. Tokens are revocable from your account.

Device verification

Every new device that signs in is registered to your account. If you sign in from an unfamiliar device, we send a one-time code to your email address before granting access — even if the person trying knows your password.

What we store

Your account record (email, Stripe customer ID, subscription state), your project metadata (names, member lists), and your device registry (device names, last-seen timestamps, sync status). We do NOT store the file contents you sync — those move peer-to-peer between your machines.

Reporting a vulnerability

If you believe you've found a security issue, please email security@thevidsync.com with steps to reproduce. Please don't post it publicly first — we want to fix it for everyone before details circulate.

Last reviewed: July 2026

Download Vidsync