Unexposed — Mzed Studio case study

Client-side encrypted document vault with zero-knowledge architecture.

Overview

A zero-knowledge document vault that encrypts files in the browser before upload, so the platform itself can never read them.

The problem

Teams handling HIPAA-sensitive records, legal contracts, and financial documents need encrypted storage with verifiable zero-knowledge architecture — not a host that can peek at files.

What we built

• AES-256-GCM client-side encryption with a three-layer key hierarchy (document, account, infrastructure)
• Zero-knowledge architecture — documents are encrypted before they ever leave the browser
• Passwordless authentication via WebAuthn passkeys and biometrics
• Secure sharing with time-limited links, password protection, and full access audit logs
• Document request workflows that collect files from external parties with no account required
• In-browser PDF and image viewer that decrypts only in memory

Stack

Next.js 16, React 19, TypeScript, Prisma / Postgres, AWS S3, Better Auth, Tailwind CSS, Trigger.dev

Industry: Security, SaaS, E2E

Designed, built, and shipped end-to-end by Mzed Studio.