AxCrypt is made for the following situation:
An encrypted file is made available to the attacker. As long as your password is strong enough, it should withstand all attacks.
What we store on the server, is… an AxCrypt encrypted file. So, if our server is successfully attacked and data is leaked, what the attacker gets are encrypted files.
That being said, your password *is* passed to our servers, but it’s only kept in memory temporarily. Nevertheless we feel the usability enhancements made possible by this outweighs the concerns.
We try to be very open what we do and don’t do.