I have just terminated my agreement with Tresorit. I thought this was a wholly Swiss company. However, while using it, I discovered that my data is stored in Ireland and that Azure servers are used. In my opinion, this makes things rather complicated:
Despite the fact that your data is subject to both Swiss privacy law (nDSG) and EU GDPR, the servers running on Azure pose a theoretical risk of CLOUD Act requests for metadata. I hadn’t expected that.
Is this line of thinking justified, or am I worrying about nothing?
If your threat model is so high that you’re worried about the slightest metadata of your specific account (if that’s even possible to extract), then you should not be using Tresorit or any cloud storage at all. Encrypting your drive locally is likely better for you. But if cloud storage is absolutely needed, then I don’t know why you did not go with Proton Drive instead - you can access it, pay for it and use it privately and anonymously if done right.
I would also like to remind you that you can use any cloud storage service and not worry about metadata or any data if you encrypt and sync with Cryptomator. It’s really the best way to go about it for most threat models.
Tresorit is better for cases where you are operating a business or organization. It’s not bad per se, but the only times I have used it before were within a business account.
If you’re worried about CLOUD Act requests, the very nature of the law means that Tresorit, as a Swiss company, is mostly immune to subpoenas under that label, but you would also need to consider the location of the data center, as they are partnered with Microsoft.
I mostly agree with @JG here, but I wouldn’t discount Tresorit at all. If your threat model includes deanonymization, you may want to not use any cloud-based storage options at all, even when considering Proton Drive’s anonymous payment plans. If you DO need cloud-based storage and are worried more about CLOUD Act requests, both providers work, with a slight edge for Tresorit because of business/enterprise workflows. Proton Drive may work for you on a case-by-case basis, so try both and see which one works better for you.
The NSA monitors and logs every cable that enters and leaves the US, and probably half of Europe too, due to secret deals with telecom providers. But if your threat model is state terrorism or big narc type shit, then you should at least not trust encryption that the service provider handles, and then metadata is likely not usable anymore (as suggested, Cryptomator).
By the way, this is not meant as an affront. You can be as paranoid as you want as far as I’m concerned, but yeah, if you go this route, look at better solutions than provider-handled (even if zero-knowledge) encrypted cloud storage.