← Back to Sortify
Recovery

Sortify Workspace Recovery

Sortify is built around a simple recovery rule: your workspace should be recoverable when you sign back in, but Sortify should not need to read your inventory to make that possible.

This article explains the recovery model in plain language. It avoids internal cryptographic detail, but it describes the practical behavior users and administrators should expect.

What Sortify Recovery Protects

A Sortify workspace is encrypted with a workspace key. That key is what allows the app to decrypt rooms, items, notes, history, and other workspace content after sync downloads encrypted data from a cloud provider or from Sortify Cloud.

If the workspace key is lost, the encrypted workspace package or encrypted event stream is still present, but the app cannot read it. Recovery is therefore mostly about safely restoring the right workspace key to the right signed-in user or approved device.

Sortify recovery is designed to help with cases such as:

Recovery is not designed to bypass workspace membership, bypass provider permissions, or recover content for someone who no longer has access.

The Main Account Recovery Model

For signed-in users, Sortify stores encrypted recovery material linked to the account. This lets the app restore workspace access after login without storing plaintext inventory data on Sortify servers.

The practical flow is:

  1. The user signs in.
  2. Sortify checks whether encrypted account recovery is available.
  3. If recovery is locked, the app may ask the user to unlock it through the appropriate account/recovery step.
  4. Sortify discovers active workspace memberships for that account.
  5. For each recoverable workspace, the app restores the encrypted workspace key envelope addressed to that user.
  6. The workspace is rebuilt locally by pulling encrypted provider packages or encrypted managed events/checkpoints.

The important privacy boundary is that Sortify stores encrypted recovery envelopes, not plaintext workspace keys. Sortify does not store the user's password as a recovery secret, and Sortify does not receive decrypted workspace contents during recovery.

Local-Only Workspaces

Local-only workspaces are stored only on the device. If a user never signs in and never enables recovery or sync, Sortify cannot restore that workspace after the device is lost, wiped, or uninstalled.

This is intentional. Local-only mode is private and simple, but it comes with the same limitation as any local-only data: no external recovery copy exists.

Provider Workspaces

Google Drive, OneDrive, and Dropbox workspaces store encrypted Sortify packages in the user's selected cloud provider. Recovery for these workspaces may need both of the following:

For example, signing in to Sortify may restore the workspace key, but Google Drive may still require a targeted Picker authorization before the app can open a shared workspace package created by another member. OneDrive or Dropbox may require reconnecting the provider account if the token expired or was revoked.

Recovery does not silently bypass cloud provider permissions.

Sortify Cloud Workspaces

Sortify Cloud workspaces use Sortify-managed encrypted sync transport instead of a user's Google Drive, OneDrive, or Dropbox account. The local app still encrypts content before upload. Sortify-managed infrastructure stores encrypted events, encrypted checkpoints, membership metadata, join state, recovery metadata, and operational sync information.

When a signed-in user recovers a Sortify Cloud workspace, the app restores the user's workspace key envelope, downloads an encrypted checkpoint and event tail, decrypts them locally, and rebuilds the workspace on the device.

Sortify Cloud recovery still depends on active membership. If the user left the workspace or was removed, recovery should not restore access.

Enterprise Workspace Recovery

Enterprise SyncNative uses the same zero-knowledge transport foundation as Sortify Cloud, but it adds organization and administrator controls.

Enterprise recovery has two layers:

The admin approval step is important. It gives the organization a human checkpoint before a sensitive recovery action. Admins should approve only after confirming that the requester is the real member and the device should be trusted.

Even in enterprise recovery, Sortify servers do not receive the decrypted workspace key. The server coordinates encrypted recovery material and membership state; decryption happens on the approved user's device.

Leaving, Removal, And Recovery Revocation

Leaving a workspace and deleting an account are different actions.

When a secondary user leaves a shared workspace, the workspace should be removed from their active app view and their future sync access should stop where the backend or provider can enforce it. The owner and other members keep the workspace.

When an owner or enterprise admin removes a member, Sortify can mark that membership removed, block future managed sync access, and revoke that user's recovery envelope where supported. This prevents the removed user from reinstalling the app and recovering the workspace through normal recovery.

There is one important limitation: Sortify cannot physically wipe data from a device that is offline and never reconnects. The app can enforce future access, future sync, and future recovery, but it cannot reach a device that is permanently disconnected.

Account Deletion And Recovery

When a user requests account deletion, Sortify moves the account into a deletion-pending state before permanent cleanup. During that period, sync and new workspace activity can be blocked, recovery envelopes can be marked deletion-pending, and final deletion can later remove or anonymize account-controlled records.

Deleting one user's account does not necessarily delete shared workspaces owned by other active users or enterprise organizations. It removes or schedules deletion of that user's account-controlled data and access records.

What Sortify Cannot Promise

Sortify recovery is strong, but it is not magic. These limits should be clear:

Best Practices

For personal users:

For teams and enterprise admins:

Summary

Sortify recovery is designed to restore access without turning Sortify into a plaintext data holder. The app restores encrypted keys to authorized users, then rebuilds the local workspace from encrypted provider packages or encrypted managed sync records.

That gives users and teams a practical recovery path while preserving the core Sortify promise: your inventory content remains encrypted before it leaves your device, and recovery does not require Sortify to read it.