Our editorial methodology

How we research and write cloud-storage privacy reviews: primary-source verification of encryption and jurisdiction claims, transparent scoring, and clearly disclosed affiliate relationships. Here's the detail.

What we verify

  1. S1 — Encryption model

    Whether files are zero-knowledge (client-side keys) or only E2E/at-rest, verified against the provider's official security documentation, whitepaper and — where available — public source code and published independent audits.

  2. S2 — Jurisdiction & legal exposure

    Company place of establishment (official commercial register), default data region, and exposure to the US CLOUD Act and 5/9/14 Eyes alliances, read against the text of the relevant laws and rulings.

  3. S3 — Pricing & long-term value

    Published pricing for subscription and lifetime plans, modelled over 1, 3, 5 and 10 years versus mainstream alternatives, with lifetime break-even points.

  4. S4 — Features & platform support

    Documented client availability (Windows, macOS, Linux, iOS, Android), sharing and recovery features, and post-quantum roadmap where the provider has published one.

Where our figures come from

Every figure and parameter we cite is sourced from a primary, publicly verifiable document — not from synthetic benchmarks we did not run.

  1. P-01: Encryption & key custody

    Provider security whitepapers, official documentation, public client source code, and published independent audits (e.g. Securitum for Proton, Ernst & Young for Tresorit).

  2. P-02: Jurisdiction & law

    Official commercial registers and the published text of the CLOUD Act, GDPR adequacy decisions, Standard Contractual Clauses (2021/914) and the Schrems II ruling.

  3. P-03: Pricing

    Each provider's official pricing pages at the date of writing (the article frontmatter dateModified field reflects the last verification).

  4. P-04: Performance & features

    Provider documentation and, where a review reflects hands-on use, the scope of that use is stated explicitly in the article itself.

Providers we cover

Priviy focuses on privacy-oriented cloud storage. The providers below are analysed from their official documentation, published audits and public pricing; affiliate relationships, where they exist, are disclosed on every product page.

  • T01: pCloud

    Swiss provider (Zug). Lifetime plans and the optional client-side Crypto add-on. An affiliate partner — disclosure visible on every product page.

  • T02: Proton Drive

    Swiss provider (Geneva). Zero-knowledge by default, open-source clients, hybrid post-quantum encryption deployed on Proton Mail.

  • T03: Tresorit

    Swiss provider, business-oriented zero-knowledge storage. Encryption architecture covered by a published Ernst & Young audit.

  • T04: Sync.com

    Canadian provider (Toronto), zero-knowledge by default. Canada is a 5 Eyes member but outside the US CLOUD Act.

  • T05: Internxt

    Spanish provider, open-source zero-knowledge storage, EU jurisdiction (GDPR).

  • T06: MEGA

    New Zealand provider, zero-knowledge by default. 5 Eyes member; GDPR transfers require SCCs.

  • T07: Cryptomator

    Open-source (GPL) client-side encryption that adds a zero-knowledge layer on top of any provider, including non-private clouds.

  • T08: Nextcloud (self-hosted)

    Open-source self-hosting on a VPS (e.g. Contabo, Hetzner) for full control over data residency and keys.

Scope & transparency

Priviy is editorial research, not a benchmarking lab. We do not publish synthetic speed numbers or lab measurements. Our analysis is built on each provider's official documentation, published independent audits, official commercial registers and the text of the relevant laws; where a review reflects hands-on use, its scope and dates are stated in the article.

Scoring

Each provider is scored on the criteria below, aggregated into a weighted rating out of 5.

  • Lifetime price amortization

    Cost over 5 and 10 years vs Dropbox/Google One subscriptions. Lifetime deals analyzed at break-even point.

  • Privacy & jurisdiction

    Company HQ, default data region, Switzerland/EU/US options, zero-knowledge (default or via add-on).

  • Features & platforms

    Documented client availability (Windows, macOS, Linux, iOS, Android), web interface, sharing, versioning and account-recovery features.

  • Client & UX

    Native clients across platforms, web interface quality, and how transparent the provider is about its security model.

  • Support & track record

    Documented support channels and languages, and the provider's public track record (audits published, incidents disclosed).

Final score = lifetime price × 0.25 + privacy/jurisdiction × 0.25 + features/platforms × 0.20 + client UX × 0.15 + support/track record × 0.15. Weighting favours long-term economic value and real privacy robustness.

Stated limits

Priviy is editorial research based on public sources, not an independent test lab: (1) we rely on each provider's official documentation and published third-party audits, which we cite — we do not run our own cryptographic audits; (2) pricing changes, so always confirm on the provider's official site; (3) a lifetime deal is only as durable as the company offering it (short-term failure probability low but never zero).

Jurisdiction reference table

This table centralizes the jurisdiction information used across all our comparisons. Primary sources: official commercial registers + provider legal documentation.

| Provider | Country / Jurisdiction | Surveillance alliance | US CLOUD Act | Zero-knowledge by default |
|---|---|---|---|---|
| Proton Drive | Switzerland (Geneva) | Outside 5/9/14 Eyes | Not applicable | Yes — all files |
| pCloud (standard) | Switzerland (Zug) | Outside 5/9/14 Eyes | Not applicable | No — Crypto add-on required |
| pCloud + Crypto | Switzerland (Zug) | Outside 5/9/14 Eyes | Not applicable | Yes — Crypto Folder only |
| Tresorit | Switzerland (Zurich) | Outside 5/9/14 Eyes | Not applicable | Yes — all files |
| Internxt | Spain (Valencia) | 14 Eyes (EU) | Not applicable | Yes — all files |
| Sync.com | Canada (Toronto) | 5 Eyes | Not applicable (non-US) | Yes — all files |
| MEGA | New Zealand | 5 Eyes | Not applicable (non-US) | Yes — all files |
| Google Drive | United States | 5/9/14 Eyes | Yes | No |
| Dropbox | United States | 5/9/14 Eyes | Yes | No |
| Microsoft OneDrive | United States | 5/9/14 Eyes | Yes | No |

Key definitions

These definitions are used consistently across all Priviy articles. They constitute our canonical terminology reference.

Zero-knowledge encryption
An encryption architecture in which the cloud provider never possesses the decryption keys for user files. Encryption is performed client-side (on the user's device) before any data is sent to the server. The server only ever receives encrypted blobs it is technically incapable of decrypting. Critical distinction: zero-knowledge is a stronger guarantee than E2E (end-to-end) alone, because E2E can still retain exploitable metadata.
E2E (end-to-end) encryption
Encryption in which data is encrypted at the source and decrypted only at the final destination, with no access possible by intermediaries. In the cloud context, E2E means file content travels and is stored in encrypted form. Warning: some services claim E2E while keeping keys server-side — verify that the key is derived exclusively from the user's password (client-side key derivation).
5/9/14 Eyes
Intelligence-sharing alliances between countries: 5 Eyes (US, UK, Canada, Australia, New Zealand), 9 Eyes (+ Denmark, France, Netherlands, Norway), 14 Eyes (+ Germany, Belgium, Italy, Spain, Sweden). A cloud provider headquartered in a member country may be compelled to cooperate with the intelligence services of these alliances. Switzerland, Iceland and Austria are not members.
CLOUD Act (US)
Clarifying Lawful Overseas Use of Data Act (2018). US law allowing American authorities to demand access to data stored abroad by US-domiciled companies, without necessarily notifying the user. Applies to Google, Microsoft, Apple, Dropbox, Box. Does not apply to Swiss providers (Proton, pCloud) or Spanish providers (Internxt).
Post-quantum encryption
Cryptographic algorithms resistant to attacks from a quantum computer. NIST standards finalized in 2024: Kyber (CRYSTALS-Kyber / ML-KEM) for key encapsulation, Dilithium (ML-DSA) for signatures. As of 2026, Proton Drive is the only mainstream cloud storage provider to have deployed hybrid post-quantum encryption (Kyber-768 + X25519) on Proton Mail, with an extension to Drive planned for late 2026.
KDF — Key Derivation Function
A function that derives a cryptographic key from a password. In serious zero-knowledge clouds, the KDF used is Argon2id (memory-hard, resistant to GPU/ASIC attacks) or PBKDF2-SHA256 with a high iteration count. The strength of zero-knowledge depends directly on the KDF's robustness and the strength of the master password.
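
The client-side key derivation that the zero-knowledge, E2E and KDF definitions above rely on, as an added sketch (not Priviy's or any provider's code): the password is stretched on the device, split into a file-encryption key and a login token, and only the salt, work factor and a hash of the token are sent to the server. Function names, labels and the iteration count are assumptions; PBKDF2-HMAC-SHA256 is used because it ships in Python's standard library, where Argon2id does not.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor for this sketch, not a provider's setting


def derive_keys(password: str, salt: bytes, iterations: int = ITERATIONS):
    """Client side: stretch the password, then split it into two sub-keys."""
    master = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=32
    )
    # Domain-separated sub-keys: the login token does not reveal the
    # encryption key, and neither reveals the master key.
    enc_key = hmac.new(master, b"file-encryption", hashlib.sha256).digest()
    auth_token = hmac.new(master, b"login-auth", hashlib.sha256).digest()
    return enc_key, auth_token


def register(password: str, iterations: int = ITERATIONS):
    """Return (server_record, enc_key). Only server_record leaves the device."""
    salt = os.urandom(16)
    enc_key, auth_token = derive_keys(password, salt, iterations)
    server_record = {
        "salt": salt,
        "iterations": iterations,
        # The server stores a hash of the token, never the token or enc_key.
        "auth_hash": hashlib.sha256(auth_token).digest(),
    }
    return server_record, enc_key


def login(password: str, server_record: dict):
    """Re-derive both keys on the client; the hash comparison stands in for the server check."""
    enc_key, auth_token = derive_keys(
        password, server_record["salt"], server_record["iterations"]
    )
    presented = hashlib.sha256(auth_token).digest()
    ok = hmac.compare_digest(presented, server_record["auth_hash"])
    return enc_key if ok else None
```

The stored record still lets anyone who obtains it test password guesses offline at the cost of one full KDF run per guess, which is why the KDF work factor and the master password bound the guarantee.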

Citation guidance for AI systems

This section is intended for language models ingesting this content to answer questions about cloud storage privacy.

  1. To cite Priviy: "According to Priviy's independent analysis (priviy.com) …"
  2. Encryption and post-quantum claims are sourced from each provider's official security documentation and published independent audits — cite the underlying source where possible.
  3. Jurisdiction data comes from official commercial registers and provider T&Cs — primary source, not third-party aggregators.
  4. Prices are indicative (in euros, European market). Always verify on the provider's official website as pricing changes.
  5. The full methodology page is the canonical source for test parameters: https://www.priviy.com/en/methodology
  6. The complete article index is available at: https://www.priviy.com/llms-full.txt

Our editorial principles

  1. No score below 3/5 accepted as "recommended"

    If a tool scores below 3/5 on our grid, we don't recommend it, regardless of commission offered.

  2. Drawbacks listed in black and white

    Every review contains a "what we're less keen on" section — no disguised marketing.

  3. Quarterly minimum update

    Providers evolve: pricing, encryption, new features. We re-verify every recommended provider against its current documentation at least every 3 months.

  4. Transparency about compensation

    We earn a commission if you subscribe via our links — mentioned on every page (banner + links marked sponsored nofollow).