What we see, and when

A cryptography company that does not tell you exactly what its server sees is asking for trust on vibes. Here is the full table. Every surface, what data the server receives in the request, whether we persist it, and where the work is actually done. The same question on every row: do we ever hold the plaintext or the password?