CryptPad

What Is CryptPad?

Most collaboration tools ask you to trust them with your data. Google asks you to trust that it will not mine your documents for advertising insights. Microsoft asks you to trust that its cloud infrastructure is secure. Even self-hosted solutions ask you to trust that the software does what it claims and that your server administrators will not peek at sensitive files.

CryptPad asks you to trust mathematics instead.

Built by XWiki SAS in Paris and funded in part by European research grants from NGI (Next Generation Internet) and BPI France, CryptPad is a collaboration suite where every document, spreadsheet, presentation, kanban board, whiteboard, and form is end-to-end encrypted before it leaves your browser. The server stores only encrypted blobs. It never sees your encryption keys. Even the server administrators -- even the developers at XWiki -- cannot read your content. This is not a marketing claim about policy; it is a cryptographic property of the architecture. The server is structurally incapable of accessing your data.

This zero-knowledge design makes CryptPad unique among collaboration suites. Google Docs, Notion, Confluence, and even most self-hosted alternatives store your content in plaintext on the server. CryptPad does not. For journalists protecting sources, lawyers handling privileged communications, activists organising in hostile environments, researchers working with sensitive data, or any organisation that takes "data minimisation" seriously, CryptPad offers a guarantee that no other mainstream collaboration tool can match.

The trade-off is real: end-to-end encryption imposes constraints on what the platform can do. Server-side search is impossible when the server cannot read content. Import/export of Microsoft Office formats is limited because conversion would require the server to process plaintext. Integrations with external tools are minimal because sharing data with third parties defeats the purpose. CryptPad does not pretend these limitations do not exist. The question is whether the privacy guarantee is worth the feature constraints. For some users, it unequivocally is.

Key Features

Zero-Knowledge Encryption on Every Document Type

CryptPad provides a surprisingly complete set of document types -- rich text documents, spreadsheets, presentations, kanban boards, whiteboards, code/Markdown editors, and forms -- all protected by end-to-end encryption. Content is encrypted in your browser using keys derived from the document URL fragment (the part after the # symbol, which is never sent to the server). Collaborators who receive the full link can decrypt the content; the server cannot.

This encryption model means that CryptPad is fundamentally different from "encrypted at rest" claims made by other cloud providers. When Google says your files are encrypted at rest, it means Google holds the encryption keys and can decrypt your data at will (or when compelled by law). When CryptPad says your data is encrypted, it means the encryption keys exist only in the browsers of authorised collaborators. The server literally cannot comply with a data access request because it does not possess the keys.

No-Account Collaboration via Shared Links

One of CryptPad's most practical features is the ability to collaborate without requiring accounts. You create a document, share the link, and anyone with the link can view or edit it -- no registration, no email verification, no identity disclosure. This makes CryptPad exceptionally useful for ad-hoc collaboration with external parties, quick feedback sessions, or situations where participants prefer anonymity.

Registered accounts are needed for persistent file management via CryptDrive (CryptPad's encrypted file storage) and for maintaining access to documents across sessions. But the ability to invite a collaborator by simply sharing a URL, with no software installation or account creation, removes friction that can kill adoption of more complex tools.

CryptDrive: Encrypted File Storage

CryptDrive is CryptPad's personal and team file management system, providing encrypted storage for all your documents, uploaded files, and shared folders. The file system supports folders, favourites, tags, and a recent items view. Team management features allow organisations to create shared workspaces where members can collaborate on documents within a common encrypted space.

The free tier includes 1 GB of encrypted storage, which fills quickly if you work with media-rich documents or upload attachments. Paid plans increase storage to 5 GB (Individual) and 50 GB (Team). For heavy users, particularly teams collaborating on many documents simultaneously, the storage limits can become a practical constraint. Self-hosting eliminates this limitation entirely.

Self-Hosting for Complete Control

CryptPad is open-source under AGPL v3, and the self-hosted option is a fully functional deployment that removes all storage limits and user restrictions. The installation process is straightforward for anyone comfortable with Node.js applications, and the project provides Docker images for simplified deployment.

Self-hosting CryptPad adds an additional layer of sovereignty on top of the zero-knowledge encryption: not only can the server not read your data, but you control the server itself. For organisations with the technical capacity to manage a Node.js application, self-hosted CryptPad provides arguably the strongest data protection posture of any collaboration tool available.

Destroyable Documents with Expiration

CryptPad allows documents to be created with expiration timers. Once the timer expires, the encrypted data is deleted from the server. Combined with zero-knowledge encryption, this provides a form of guaranteed data destruction: the encrypted content is removed, and since the server never held the decryption keys, recovery is impossible. For sensitive one-time communications, temporary project collaboration, or any scenario where data should not persist, this is a powerful feature with no equivalent in mainstream collaboration tools.

Pricing

CryptPad's pricing is structured around the flagship hosted instance at cryptpad.fr. The free tier includes 1 GB of encrypted storage with access to all document types and real-time collaboration. CryptPad Pro for individuals costs approximately EUR 5 per month for 5 GB of storage and priority support. The Team plan at around EUR 15 per month provides 50 GB of shared encrypted storage with team management features.

Self-hosting is free and unlimited. If your organisation has the technical capacity to run a Node.js application on a Linux server, you can deploy CryptPad with no storage limits, no user limits, and no ongoing subscription costs. The only expense is the server infrastructure itself.

Our value assessment scores CryptPad 8.5 out of 10 for value. The free tier is genuinely functional for individual use and small-scale collaboration. The self-hosted option makes it one of the most cost-effective collaboration platforms available for organisations with technical staff. Paid plans on the hosted instance are affordable, though the storage limits can push teams toward self-hosting faster than expected.

The comparison to other collaboration tools is complicated by CryptPad's privacy focus. You are not just paying for document editing -- you are paying for zero-knowledge encryption. If privacy is not a priority, free tools like Google Docs offer more features and more storage. If privacy matters, CryptPad's pricing is exceptionally reasonable for what it provides.

EU Compliance & Privacy

CryptPad achieves a near-perfect 9.5 out of 10 for EU compliance, the highest in its category. The zero-knowledge architecture means that in a meaningful sense, CryptPad exceeds GDPR requirements rather than merely meeting them. Because the server never processes plaintext personal data, the data protection obligations that apply to the service operator are fundamentally different from those of a traditional cloud service.

CryptPad is developed by XWiki SAS, a French company based in Paris. The flagship hosted instance (cryptpad.fr) runs on EU infrastructure. There is no tracking, no analytics on user content, and no data collection beyond what is necessary for the service to function. The AGPL v3 licence ensures the source code is available for independent security audits.

The EU connection runs deeper than corporate structure. CryptPad's development has been partially funded by European grants including NGI (Next Generation Internet) and BPI France, reflecting the EU's strategic investment in sovereign, privacy-respecting digital infrastructure. This is not a company that added GDPR compliance as an afterthought -- privacy is the product.

Who It's Best For

Journalists and media organisations that need to collaborate on sensitive stories, protect source identities, and ensure that document content cannot be accessed even if servers are seized.

Lawyers and legal teams handling privileged communications where end-to-end encryption provides an additional layer of protection beyond standard confidentiality obligations.

Privacy-conscious organisations and NGOs that operate on the principle of data minimisation and want to ensure that their collaboration platform structurally cannot become a data liability.

Technical teams with self-hosting capability that want a zero-cost, fully encrypted collaboration suite with no external dependencies or data transfer to third parties.

The Verdict

CryptPad is not a Google Docs replacement for most people. Its document format support is limited. Its performance degrades on large documents. Its integration ecosystem is essentially nonexistent. The 1 GB free storage fills quickly. If you judge it purely on features, it loses to nearly every mainstream competitor.

But that judgement misses the point entirely. CryptPad is the only collaboration suite where the server is cryptographically incapable of reading your documents. For users and organisations where that property matters -- and there are more of them than the mainstream tech industry acknowledges -- CryptPad is not merely competitive; it is without equal. The EU funding behind its development signals that Europe recognises the value of tools like this. Whether it suits your needs depends on one question: is privacy a feature you want, or a requirement you need?

Frequently Asked Questions

Can CryptPad open Microsoft Word or Excel files?

CryptPad has limited support for importing and exporting standard document formats. The rich text editor can import basic HTML and export to HTML. Spreadsheets and presentations use CryptPad's own formats. There is no native docx, xlsx, or pptx import/export because performing format conversion would require the server to access plaintext content, which contradicts the zero-knowledge architecture. This is one of the most significant practical limitations for organisations that exchange documents with external partners using Microsoft Office.

Is CryptPad suitable for large teams or enterprises?

CryptPad can serve small to medium teams effectively, particularly when self-hosted. The team management features support shared workspaces, role-based access, and folder sharing. However, the platform lacks enterprise features like SSO (except on self-hosted with custom configuration), administrative consoles, and compliance reporting that larger organisations typically require. For teams of 5-50 people with strong privacy requirements, CryptPad is excellent. For enterprises with hundreds of users needing IT-managed deployment, the tooling is not yet mature enough.

How does CryptPad compare to Notion?

Notion is a feature-rich workspace with databases, wikis, project management, and a vast integration ecosystem. CryptPad is an encrypted collaboration suite with basic document types and minimal integrations. The products serve different needs. If you want a flexible, feature-rich team workspace and trust your provider with your data, Notion is more capable. If you need zero-knowledge encryption and are willing to accept feature constraints, CryptPad is the only option in this category.

What happens if I lose my CryptPad password?

Because CryptPad uses zero-knowledge encryption, your password is part of the key derivation process. If you lose your password, CryptPad cannot recover your account or your encrypted documents. The server does not have the keys. This is by design -- it is the same property that protects your data from unauthorised access. Treat your CryptPad password with the same seriousness as a cryptocurrency wallet seed phrase.

Can I use CryptPad for GDPR-sensitive data processing?

CryptPad is arguably the strongest GDPR compliance tool in its category. Because the server never processes plaintext personal data, the data controller obligations around data processing are fundamentally simplified. When self-hosted, the organisation controls the entire infrastructure and can demonstrate that personal data in documents is never accessible to the service operator. For Data Protection Impact Assessments, CryptPad's zero-knowledge architecture provides a uniquely strong position.