Security
How Vidsync handles your data
Short version: your files stay on your machines, your account credentials never reach the desktop app, and every claim on this page is enforced in code.
Encryption in transit
All sync traffic between devices uses an end-to-end-encrypted peer-to-peer block protocol over TLS; we never see plaintext file bytes in transit. Account API traffic to thevidsync.com is HTTPS-only.
Authentication
Sign-in is handled by Clerk (https://clerk.com). The desktop app never sees your password — it receives a long-lived bearer token (vsk_…) minted server-side after you authenticate in your system browser. Tokens are revocable from your account.
Device verification
Every new device that signs in is registered to your account. If you sign in from an unfamiliar device, we send a one-time code to your email address before granting access — even if the person trying knows your password.
What we store
Your account record (email, Stripe customer ID, subscription state), your project metadata (names, member lists), and your device registry (device names, last-seen timestamps, sync status). We do NOT store the file contents you sync — those move peer-to-peer between your machines.
Reporting a vulnerability
If you believe you've found a security issue, please email security@thevidsync.com with steps to reproduce. Please don't post it publicly first — we want to fix it for everyone before details circulate.
Last reviewed: July 2026