Transparency & Warrant Canary
UnoLock is committed to transparency. This page contains our quarterly warrant canary statement and transparency reports disclosing government data requests, security incidents, and GDPR compliance metrics.
Current Warrant Canary Statement
As of February 5, 2026, Techsologic Inc. certifies that:
Status update: There are no changes to report since the prior update. All items below remain true.
- We have NOT received any National Security Letters (NSLs) from any government agency
- We have NOT received any gag orders from any government agency
- We have NOT received any FISA court orders or similar secret warrants
- We have NOT been compelled to modify our code, systems, or services to enable government surveillance
- We have NOT been subject to any warrant canary gag orders prohibiting this statement
- We have NOT disclosed any user data to any government agency
- We have NOT provided any encryption keys or backdoor access to any third party
Important: This statement will be updated quarterly. If this statement is not updated on schedule, or if specific items are removed, you should assume we have received such requests and are legally prohibited from disclosing them.
Quarterly Transparency Reports
Q1 2026 (January - March 2026)
Published: February 5, 2026
| Government Data Requests: | 0 |
| User Data Disclosed: | 0 bytes |
| Security Incidents: | 0 |
| GDPR Subject Requests: | 0 |
| Uptime: | 99.9% |
Q4 2025 (October - December 2025)
Published: November 2, 2025
| Government Data Requests: | 0 |
| User Data Disclosed: | 0 bytes |
| Security Incidents: | 0 |
| GDPR Subject Requests: | 0 |
| Uptime: | 99.9% |
Future quarterly reports (Q2 2026, Q3 2026, etc.) will be added here as they are published.
What Happens Under a Warrant, Server Seizure, or Device Loss?
UnoLock is designed to protect users against two different failure modes that are often confused: someone taking the device, and someone taking or compelling the service. These are separate threats, and UnoLock is built to reduce both.
On the device side, UnoLock does not intentionally persist plaintext Safe data, decrypted files, or private keys to local device storage as part of its normal operating model. Access requires the user’s WebAuthn credential plus PIN and an active authorized session. On the server side, user vault data is encrypted client-side and stored by the service as ciphertext, so UnoLock cannot read customer plaintext even if legally compelled.
What Device Seizure or Loss Does Not Give an Attacker
- Your readable vault contents from local UnoLock storage
- Your private keys or decrypted files intentionally persisted by UnoLock
- Your full access without the required WebAuthn credential, PIN, and active authorized state
- An offline path to ask UnoLock's server to reveal plaintext vault contents
- A readable backup of your vault from the service just because the device was taken
What Server Seizure or Legal Compulsion Does Not Give the Service
- Your vault contents in plaintext
- Your encryption keys needed to decrypt customer vault data
- Your stored passwords, notes, payment cards, or files in readable form
- Your vault metadata in plaintext
- The ability to retroactively turn stored ciphertext into readable customer data
What We CAN Provide If Legally Compelled
- Limited payment metadata available through Stripe (for example billing email, partial card details, and transaction dates), which is decoupled from Safe records and cannot identify a user's vault contents or link a payment to specific stored data
What This Means in Practice
- If your device is lost or seized, the device alone should not reveal your vault
- If our servers are seized, the service still holds ciphertext rather than readable vault contents
- If we receive a warrant or court order, we can disclose only the limited data we actually possess in readable form
- The system is designed so that taking the device and taking the service are not equivalent to taking your data
- This is an architectural property of the product, not just a policy promise
Bottom Line: UnoLock is designed so that device seizure, device loss, server seizure, and legal compulsion do not provide the same result. Taking the device does not automatically yield the vault, and taking the service does not give readable customer plaintext. That is an architectural property of the system, not merely a policy preference.
What about a forced or malicious client update? UnoLock treats that as a real threat. To reduce it, client releases are signed, production assets are hashed, and client-side source materials can be made available on request for legitimate review. These controls help make malicious updates harder to introduce silently and easier to scrutinize, but no endpoint-encrypted system can promise full protection if a user actually runs a hostile client during active use. In that case, the client could expose data used in that session. What UnoLock’s architecture still prevents is providing the service with retroactive plaintext access to previously stored vault data by default.
Full Q1 2026 Transparency Report
Government & Law Enforcement Requests
| Request Type | Requests Received | Accounts Affected | Data Disclosed |
|---|---|---|---|
| Government Data Requests (Canada) | 0 | 0 | No |
| Government Data Requests (USA) | 0 | 0 | No |
| Government Data Requests (EU) | 0 | 0 | No |
| Government Data Requests (Other) | 0 | 0 | No |
| Law Enforcement Requests | 0 | 0 | No |
| Emergency Disclosure Requests | 0 | 0 | No |
| National Security Letters (NSLs) | 0 | 0 | No |
| FISA Court Orders | 0 | 0 | No |
| Preservation Requests | 0 | 0 | No |
| Takedown Notices (DMCA, etc.) | 0 | 0 | No |
| TOTAL | 0 | 0 | 0 bytes |
Security Incident Disclosures
| Incident Type | Count | Details |
|---|---|---|
| Data Breaches | 0 | No data breaches occurred during this period |
| Unauthorized Access Attempts | 0 | No successful unauthorized access to user accounts |
| Service Disruptions (>1 hour) | 0 | No significant outages |
| Vulnerabilities Disclosed | 0 | No security vulnerabilities reported via security@unolock.com |
GDPR Data Subject Requests
| Request Type | Requests Received | Fulfilled | Avg. Response Time |
|---|---|---|---|
| Right to Access (Article 15) | 0 | 0 | N/A |
| Right to Rectification (Article 16) | 0 | 0 | N/A |
| Right to Erasure (Article 17) | 0 | 0 | N/A |
| Right to Data Portability (Article 20) | 0 | 0 | N/A |
| Right to Object (Article 21) | 0 | 0 | N/A |
Policy & Subprocessor Changes
| Change Type | Description | Date |
|---|---|---|
| Policies | No policy changes during this period | N/A |
| Subprocessors | No changes to subprocessors this period | N/A |
Full Q4 2025 Transparency Report
Government & Law Enforcement Requests
| Request Type | Requests Received | Accounts Affected | Data Disclosed |
|---|---|---|---|
| Government Data Requests (Canada) | 0 | 0 | No |
| Government Data Requests (USA) | 0 | 0 | No |
| Government Data Requests (EU) | 0 | 0 | No |
| Government Data Requests (Other) | 0 | 0 | No |
| Law Enforcement Requests | 0 | 0 | No |
| Emergency Disclosure Requests | 0 | 0 | No |
| National Security Letters (NSLs) | 0 | 0 | No |
| FISA Court Orders | 0 | 0 | No |
| Preservation Requests | 0 | 0 | No |
| Takedown Notices (DMCA, etc.) | 0 | 0 | No |
| TOTAL | 0 | 0 | 0 bytes |
Security Incident Disclosures
| Incident Type | Count | Details |
|---|---|---|
| Data Breaches | 0 | No data breaches occurred during this period |
| Unauthorized Access Attempts | 0 | No successful unauthorized access to user accounts |
| Service Disruptions (>1 hour) | 0 | No significant outages |
| Vulnerabilities Disclosed | 0 | No security vulnerabilities reported via security@unolock.com |
GDPR Data Subject Requests
| Request Type | Requests Received | Fulfilled | Avg. Response Time |
|---|---|---|---|
| Right to Access (Article 15) | 0 | 0 | N/A |
| Right to Rectification (Article 16) | 0 | 0 | N/A |
| Right to Erasure (Article 17) | 0 | 0 | N/A |
| Right to Data Portability (Article 20) | 0 | 0 | N/A |
| Right to Object (Article 21) | 0 | 0 | N/A |
Policy & Subprocessor Changes
| Change Type | Description | Date |
|---|---|---|
| Privacy Policy | Updated support communication clarification, tiered SLAs | Nov 2, 2025 |
| GDPR Policy | Added EU Representative (Max Böhm), complete subprocessor list | Nov 2, 2025 |
| Security Policy | Added vulnerability disclosure program (Section 1.12) | Nov 2, 2025 |
| Data Retention Policy | Added Section 1.6 documenting 72-hour log purge | Nov 2, 2025 |
| Subprocessors | No changes to subprocessors this period | N/A |
Questions About This Report?
General Inquiries: support@unolock.com
Security Reports: security@unolock.com (PGP encouraged - public key)
EU Representative:
Max Böhm
max@techsologic.com
Winterstrasse 4, 22765 Hamburg, Germany
Canadian Data Protection Officer:
support@unolock.com
150 Elgin Street, 8th Floor, Ottawa, ON K2P 1L4, Canada
Report Archive
- Q1 2026: Current Report
- Q4 2025: Archived Report
- Q2 2026: Coming May 1, 2026
- Q3 2026: Coming August 1, 2026
- Q4 2026: Coming November 1, 2026
Last Updated: February 5, 2026
Next Update: May 1, 2026 (Q2 2026 Report)
Report Version: 1.0.0