Sortify Workspace Recovery
Sortify is built around a simple recovery rule: your workspace should be recoverable when you sign back in, but Sortify should not need to read your inventory to make that possible.
This article explains the recovery model in plain language. It avoids internal cryptographic detail, but it describes the practical behavior users and administrators should expect.
What Sortify Recovery Protects
A Sortify workspace is encrypted with a workspace key. That key is what allows the app to decrypt rooms, items, notes, history, and other workspace content after sync downloads encrypted data from a cloud provider or from Sortify Cloud.
If the workspace key is lost, the encrypted workspace package or encrypted event stream is still present, but the app cannot read it. Recovery is therefore mostly about safely restoring the right workspace key to the right signed-in user or approved device.
Sortify recovery is designed to help with cases such as:
- a user clears app data and signs in again;
- a user gets a new phone;
- a signed-in user needs to restore workspaces they already belonged to;
- an enterprise member needs an admin-approved replacement key for a trusted device;
- an owner wants removed users to lose future access and recovery ability.
Recovery is not designed to bypass workspace membership, bypass provider permissions, or recover content for someone who no longer has access.
The Main Account Recovery Model
For signed-in users, Sortify stores encrypted recovery material linked to the account. This lets the app restore workspace access after login without storing plaintext inventory data on Sortify servers.
The practical flow is:
- The user signs in.
- Sortify checks whether encrypted account recovery is available.
- If recovery is locked, the app may ask the user to unlock it through the appropriate account/recovery step.
- Sortify discovers active workspace memberships for that account.
- For each recoverable workspace, the app restores the encrypted workspace key envelope addressed to that user.
- The workspace is rebuilt locally by pulling encrypted provider packages or encrypted managed events/checkpoints.
The important privacy boundary is that Sortify stores encrypted recovery envelopes, not plaintext workspace keys. Sortify does not store the user's password as a recovery secret, and Sortify does not receive decrypted workspace contents during recovery.
Local-Only Workspaces
Local-only workspaces are stored only on the device. If a user never signs in and never enables recovery or sync, Sortify cannot restore that workspace after the device is lost, wiped, or uninstalled.
This is intentional. Local-only mode is private and simple, but it comes with the same limitation as any local-only data: no external recovery copy exists.
Provider Workspaces
Google Drive, OneDrive, and Dropbox workspaces store encrypted Sortify packages in the user's selected cloud provider. Recovery for these workspaces may need both of the following:
- the Sortify recovery envelope that restores the workspace key;
- access to the cloud provider file or folder that stores the encrypted workspace package.
For example, signing in to Sortify may restore the workspace key, but Google Drive may still require a targeted Picker authorization before the app can open a shared workspace package created by another member. OneDrive or Dropbox may require reconnecting the provider account if the token expired or was revoked.
Recovery does not silently bypass cloud provider permissions.
Sortify Cloud Workspaces
Sortify Cloud workspaces use Sortify-managed encrypted sync transport instead of a user's Google Drive, OneDrive, or Dropbox account. The local app still encrypts content before upload. Sortify-managed infrastructure stores encrypted events, encrypted checkpoints, membership metadata, join state, recovery metadata, and operational sync information.
When a signed-in user recovers a Sortify Cloud workspace, the app restores the user's workspace key envelope, downloads an encrypted checkpoint and event tail, decrypts them locally, and rebuilds the workspace on the device.
Sortify Cloud recovery still depends on active membership. If the user left the workspace or was removed, recovery should not restore access.
Enterprise Workspace Recovery
Enterprise SyncNative uses the same zero-knowledge transport foundation as Sortify Cloud, but it adds organization and administrator controls.
Enterprise recovery has two layers:
- Account recovery: the normal signed-in user recovery flow restores workspaces the user is still allowed to access.
- Managed workspace recovery: if a device lost its local workspace key, the user can request recovery for that device. A workspace owner or admin can review the request and approve an encrypted replacement key for that member/device.
The admin approval step is important. It gives the organization a human checkpoint before a sensitive recovery action. Admins should approve only after confirming that the requester is the real member and the device should be trusted.
Even in enterprise recovery, Sortify servers do not receive the decrypted workspace key. The server coordinates encrypted recovery material and membership state; decryption happens on the approved user's device.
Leaving, Removal, And Recovery Revocation
Leaving a workspace and deleting an account are different actions.
When a secondary user leaves a shared workspace, the workspace should be removed from their active app view and their future sync access should stop where the backend or provider can enforce it. The owner and other members keep the workspace.
When an owner or enterprise admin removes a member, Sortify can mark that membership removed, block future managed sync access, and revoke that user's recovery envelope where supported. This prevents the removed user from reinstalling the app and recovering the workspace through normal recovery.
There is one important limitation: Sortify cannot physically wipe data from a device that is offline and never reconnects. The app can enforce future access, future sync, and future recovery, but it cannot reach a device that is permanently disconnected.
Account Deletion And Recovery
When a user requests account deletion, Sortify moves the account into a deletion-pending state before permanent cleanup. During that period, sync and new workspace activity can be blocked, recovery envelopes can be marked deletion-pending, and final deletion can later remove or anonymize account-controlled records.
Deleting one user's account does not necessarily delete shared workspaces owned by other active users or enterprise organizations. It removes or schedules deletion of that user's account-controlled data and access records.
What Sortify Cannot Promise
Sortify recovery is strong, but it is not magic. These limits should be clear:
- if a workspace was local-only and never protected, Sortify cannot recover it after device loss;
- if the user loses both the device and the recovery unlock path, recovery may not be possible;
- if a cloud provider account is deleted or access is revoked, provider workspace recovery may require provider-side restoration or reauthorization;
- if a user was removed from a workspace, recovery should not restore that workspace to them;
- if a device remains offline forever, Sortify cannot remotely erase data already cached there.
Best Practices
For personal users:
- sign in if you want recovery;
- enable account/workspace recovery before you need it;
- keep your Sortify account credentials safe;
- keep cloud provider access available for provider-backed workspaces.
For teams and enterprise admins:
- keep workspace membership accurate;
- remove members promptly when they leave the team;
- approve recovery requests only after confirming the user and device;
- use Enterprise control center and workspace settings to monitor access, recovery, and sync health;
- document an internal process for lost devices and departing employees.
Summary
Sortify recovery is designed to restore access without turning Sortify into a plaintext data holder. The app restores encrypted keys to authorized users, then rebuilds the local workspace from encrypted provider packages or encrypted managed sync records.
That gives users and teams a practical recovery path while preserving the core Sortify promise: your inventory content remains encrypted before it leaves your device, and recovery does not require Sortify to read it.