TransferChain Pass: Strong Foundation, Some Gaps for Team Deployment
Hi TransferChain Team,
After the team responded to my initial review with detailed clarifications, I wanted to update my assessment fairly. They’ve cleared up several points I misunderstood, and I genuinely appreciate their transparency and willingness to engage.
Security & Certifications:
The team clarified that their controls align with SOC 2 Trust Service Criteria and they run annual third-party penetration testing. That’s solid foundational work. Formal SOC 2 Type 2 certification is in progress, which is the natural next step. Combined with ISO 27001, they’re clearly taking security seriously and building the right way.
GDPR & Privacy:
They do have a DPA in their Services Agreement and procedures for data subject requests. EU storage is default with configurable options. I should have reviewed their Services Agreement more carefully—that’s fair. I’d just suggest making these compliance details more prominent so customers find them easily.
Features – In Active Development:
The team is actively building some important capabilities:
∙ Mobile apps: In active testing now, launching soon. This is coming and it’s good to see movement here.
∙ Browser extensions: Expanding to Safari and Firefox later this year. Coverage is growing.
∙ 2FA/TOTP for users: Rolling out alongside their mnemonic protection. They’re thinking through how to do this in a way that fits their zero-knowledge architecture.
∙ Team collaboration: Major Collections redesign in progress. They’re investing in making sharing and permissions work better.
∙ Breach detection: Working on client-side approach so it fits their architecture. This is thoughtful engineering.
∙ UI/UX: Still evolving. There’s room for polish on the extension interface, but that’s normal for a platform still building out features.
Real Assessment:
You’re building something with genuine security and privacy foundations. Your team clearly cares about getting this right, and your commitment to transparency shows that. You’re not trying to cut corners—you’re investing in doing things properly.
You’re in active development, which means some features are coming soon rather than available today. That’s honest context for anyone evaluating whether to adopt now or wait a few months. If you need everything fully built out today, you might want to revisit in 6 months when mobile apps are live and more features are shipped. But if you’re looking for a privacy-first approach and can work with an evolving platform, there’s real value here.
I appreciate you taking user feedback seriously and engaging directly. That kind of responsiveness makes a real difference. Keep pushing forward on the roadmap—you’re heading in the right direction.
With kind regards,
Michael
PS. Is it possible to automatically enable the 5 GB of storage for free Drive users who are now early adopters? It’s not visible on the dashboard now. Might want to take a deep dive.
PPS. Since Switzerland is changing its privacy rules, are you considering outsourcing to DE or elsewhere?
PPPS. Maybe it’s best to market the tool as a tool without AI, seeing that Proton now has their “dirty”
MertBaser_TransferChain
Feb 19, 2026
Hi Michael,
First of all, thank you for taking the time to write such a detailed and constructive review. I genuinely appreciate you recognizing our unique security foundation.
Let me address your points in detail.
1) SOC 2 & Independent Verification
You are absolutely right that SOC 2 is a widely recognized benchmark.
To clarify, our security controls, logging mechanisms, access management and encryption standards are already designed in alignment with the SOC 2 Trust Service Criteria. In several areas, particularly around data custody, our zero-knowledge and client-side architecture structurally exceeds the assumptions of traditional centralized systems typically evaluated under SOC 2.
What we have not yet completed is the formal third-party SOC 2 certification process itself. That is a matter of timing and audit engagement, not the absence of controls.
It is also important to clarify that we conduct third-party penetration testing annually in addition to continuous internal security testing.
2) GDPR, DPA, and Compliance Documentation
I would also like to clarify this point:
We do provide a Data Processing Agreement (DPA), and it is contractually referenced in our Services Agreement. Where TransferChain acts as a processor, processing is governed under that DPA in accordance with GDPR requirements.
Our Privacy Policy and Services Agreement (https://transferchain.io/servicesagreement) clearly outline data subject rights and provide contact mechanisms for exercising those rights. We also operate with defined internal procedures for handling GDPR requests within regulatory timelines.
Regarding data transfers and SCCs:
By default, all TransferChain data is stored within the European Union. We are a Swiss-based company operating under European data protection standards, and EU storage is the default configuration.
For enterprise customers, data residency is configurable.
Organizations may choose:
• EU-based storage
• A specific regional zone
• Private cloud
• Fully on-premise deployment
If data remains entirely within the EU, Standard Contractual Clauses are not required.
If enterprises select a non-EU region, data is strictly stored within the customer-selected zone and does not move outside that environment.
In fully on-premise deployments, data never leaves the customer’s own infrastructure.
Additionally, due to our client-side end-to-end encryption and zero-knowledge architecture, TransferChain does not have access to decrypted customer data. This significantly reduces processing exposure compared to traditional custodial SaaS models.
3) Regarding Features
• Mobile apps are currently in active testing.
• We already provide 2FA for the Admin Panel. For end users, each account is protected by mnemonics, which act as a strong security layer since no one can access data without the mnemonic, even if email and password are compromised. That said, we will also introduce 2FA/TOTP for end users.
• We are expanding note types and will continue introducing additional data types.
• Safari and Firefox support are planned for deployment later this year.
• Based on user feedback, we are introducing a major team collaboration upgrade. The redesigned Collections structure will significantly enhance collaboration capabilities.
• Regarding breach detection: Traditional password managers can perform breach monitoring because they store password hashes. In our case, since passwords are client-side encrypted and fragmented, we do not have visibility into hashes either. This has required dedicated R&D. Our approach is to run breach checks on the client side, and we expect to introduce this capability later this year.
4) Additional Notes
• You can follow our quarterly product updates here:
https://blog.transferchain.io/tag/product-updates/
We continuously improve both TransferChain Drive & Pass.
• It is also important to note that we are fundamentally a security and privacy company. We work with large enterprises managing highly sensitive data across sectors such as finance, healthcare, manufacturing, and defense. In our industry, discretion is part of the security model.
• We can always improve support, and we take that seriously. We provide live chat and also arrange calls with customers when needed. Please feel free to reach out to [email protected] and we would be happy to review anything together with our team.
As you mentioned, TransferChain runs on a unique protocol. Because of this architecture, adding features sometimes requires additional engineering time, as nothing is built on a traditional centralized architecture. This is because the utmost priority for us is the security and privacy of your data.
If some of the points above provide additional clarity, we would be grateful if you would consider updating your review to reflect the corrected information. We genuinely value fair and accurate feedback.
Thank you again for your thoughtful feedback.
Kind regards,
Mert
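The breach-detection point in the reply above (a service that never sees plaintext passwords or their hashes still wants to tell users when a credential has appeared in a breach) is usually solved with a k-anonymity range query run entirely on the client. The example below is an added illustration of that pattern and is not TransferChain's code; it does not describe how their upcoming feature is built. It simulates both sides in one process: a constructed three-entry breach corpus stands in for the server, the client hashes locally, sends only a five-character hash prefix, and matches the full suffix on its own side. The function names, the corpus and the vault entries are all constructed for the example.

```python
"""Client-side breach check via a k-anonymity range query (constructed example)."""
import hashlib
import secrets

# Constructed sample breach corpus: the server holds only SHA-1 digests and a
# count of how often each appeared in breaches. Real services hold hundreds of
# millions of entries; three are enough to show the protocol.
_BREACHED = {"password123": 4, "letmein": 9, "hunter2": 2}
SERVER_CORPUS = {
    hashlib.sha1(p.encode()).hexdigest().upper(): n for p, n in _BREACHED.items()
}

# What the server observes from each request, kept so the reader can inspect
# that only prefixes ever arrive.
SERVER_REQUEST_LOG: list[str] = []

PREFIX_LEN = 5  # 20 bits; with a large corpus each prefix bucket holds hundreds of suffixes


def server_range_query(prefix: str) -> list[tuple[str, int]]:
    """Server side: return every (suffix, count) whose digest starts with prefix.
    The server never learns which suffix, if any, the client is interested in."""
    if len(prefix) != PREFIX_LEN or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be exactly 5 uppercase hex characters")
    SERVER_REQUEST_LOG.append(prefix)
    return [
        (digest[PREFIX_LEN:], n)
        for digest, n in SERVER_CORPUS.items()
        if digest.startswith(prefix)
    ]


def client_breach_count(password: str) -> int:
    """Client side: hash locally, send only the prefix, match the suffix locally.
    Neither the password nor its full hash leaves the client."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    for candidate_suffix, count in server_range_query(prefix):
        # Constant-time comparison; the candidate list is untrusted input.
        if secrets.compare_digest(candidate_suffix, suffix):
            return count
    return 0


def check_vault(entries: dict[str, str]) -> dict[str, int]:
    """Run the check over a whole vault; return only the entries that were found."""
    hits = {}
    for label, pw in entries.items():
        n = client_breach_count(pw)
        if n:
            hits[label] = n
    return hits


if __name__ == "__main__":
    # Constructed vault contents for the demo.
    vault = {
        "bank": "hunter2",
        "mail": "correct horse battery staple",
        "shop": "password123",
    }
    print(check_vault(vault))   # {'bank': 2, 'shop': 4}
    print(SERVER_REQUEST_LOG)   # three 5-character prefixes and nothing else
```

The design point is in the request log: the server only ever sees 20-bit prefixes, so it cannot tell which of the returned candidates the client cared about, and the plaintext never leaves the device. With a corpus of only three entries a single prefix may map to one suffix, which weakens the anonymity set; a real deployment relies on the corpus being large enough that every bucket is crowded.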