Skip to content
PrivateAI
← Back to Home
Privacy Workflow

Running Local AI? Your Files Are Still Exposed — Here's the Gap Nobody Talks About

11 min read min readBy PrivateAI Team

The Anatomy of a Privacy Leak in a "Private" AI Stack

Here's a typical local LLM setup among privacy-conscious developers and researchers in 2026:

  • Inference: Ollama or LM Studio running a Llama or Mistral model locally
  • Interface: Open WebUI or a custom Python frontend, no external API calls
  • RAG documents: A folder of PDFs, markdown notes, code snippets, and client files
  • That folder: Synced in real-time to Dropbox or Google Drive

The last point is where things go sideways. The local LLM never sees the network. The documents it reads, however, are continuously uploaded to a server where the provider holds the decryption keys.

What does that mean practically?

Dropbox's terms of service grant them a license to use your content to "develop and improve" their products. Google Drive scans your files for policy violations — which also means their systems can parse the content. OneDrive is subject to Microsoft's broad data retention and government cooperation policies.

None of these services are negligent. They're operating exactly as designed. The design just doesn't align with data sovereignty goals.

If you're using AI to process client contracts, medical records, proprietary research, financial models, or anything with regulatory implications — the inference being local is necessary but not sufficient.

What "Zero-Knowledge" Actually Means (And What It Doesn't)

The phrase "end-to-end encrypted" gets used loosely. Let's be precise.

Standard cloud encryption means your data is encrypted in transit (SSL/TLS) and encrypted at rest on the provider's servers. The provider controls the encryption keys. They can decrypt your files. A court order, a data breach affecting their key management, or a rogue employee with elevated access could all expose your data.

Zero-knowledge encryption means your data is encrypted on your device before it ever leaves. The provider receives ciphertext. They do not hold, and have never held, the plaintext encryption key. They cannot decrypt your files even if compelled to do so. A court order produces a useless blob.

The architecture difference matters enormously. It's the difference between trusting a company's current security posture and trusting mathematics.

There's a trade-off: zero-knowledge storage typically cannot offer full-text search across your files (because searching requires decryption, and the server can't decrypt). Some providers solve this with client-side indexing. It's worth knowing before you switch.

What zero-knowledge does not protect against: your device being compromised, weak passwords, or a malicious process on your local machine exfiltrating files before they're encrypted. Zero-knowledge closes the server-side exposure vector. Your local security posture is still your responsibility.

Why AI Workflows Are Specifically High-Risk for Cloud Exposure

People who run local AI tend to process unusually sensitive documents. That's often the reason they're running local AI in the first place.

Consider the data patterns:

Lawyers and paralegals using AI to summarize deposition transcripts or draft contract language. Those documents are privileged. Uploading them to standard cloud storage may technically violate attorney-client privilege, depending on jurisdiction and bar association guidance.

Medical professionals using AI for note-taking assistance, symptom pattern analysis, or literature review. PHI processed or stored in a non-BAA cloud service is a HIPAA exposure.

Security researchers with exploit proofs-of-concept, vulnerability notes, or client penetration testing reports. These are exactly the files you don't want a cloud provider scanning for "policy violations."

Consultants and freelancers with client NDA-covered materials, financial projections, or unreleased product specs. The NDA you signed likely covers where you store data.

Journalists and investigators with source materials, communications, and draft stories. The cloud provider is a subpoena target.

The common thread: the more seriously you take AI-assisted work, the more sensitive the input documents tend to be. Standard cloud sync was built for convenience, not for this.

What to Look for in a Cloud Storage Solution for AI Workflows

When evaluating zero-knowledge cloud storage specifically for AI workflows, the relevant criteria are different from general consumer use:

Client-side encryption by default — not as an opt-in feature. If E2EE is a toggle you have to turn on, you'll eventually forget to turn it on for a folder that matters.

End-to-end encrypted sharing — the ability to share files or folders with collaborators without the provider being able to read them. This matters when you need to hand off AI outputs to clients or teammates without exposing the contents to the storage provider.

Cross-platform sync — if your AI runs on a Linux server but you review outputs on macOS, you need sync that works cleanly across both without requiring browser-based workarounds.

Version history — AI workflows produce a lot of intermediate outputs. Version history lets you roll back to a previous state of a document without relying on your model's context window.

Audit logs — for anyone with compliance obligations, knowing exactly when files were accessed and from where is table stakes.

Granular permissions — you may want to share a folder of AI outputs with a client but keep your prompt templates or RAG source documents private. Folder-level access controls matter here.

Tresorit: Zero-Knowledge Storage Built for Professional Use

Tresorit is a Swiss-based encrypted cloud storage platform that has been end-to-end encrypted since its founding in 2011. It's worth noting that they've been at this longer than most of the "privacy-first" storage options that emerged after the Snowden revelations — zero-knowledge is the architecture, not a marketing pivot.

The relevant technical details:

Encryption: AES-256 with client-side key generation. Your master key never leaves your device. Tresorit's servers receive and store ciphertext only.

Zero-knowledge by design: Tresorit cannot access your files, cannot produce readable versions in response to law enforcement requests, and cannot use your data to train or improve their systems. Swiss law provides additional procedural protections.

End-to-end encrypted sharing: When you share a "tresor" (encrypted folder) with a collaborator, you share the decryption key directly with their device — not via the server. The server facilitates the key exchange but does not hold the key.

Audit logs: Available on Business and Enterprise plans. Every file access, download, and share event is logged and timestamped.

Cross-platform: macOS, Windows, Linux, iOS, Android, and a browser interface. The Linux client is a first-class citizen, not an afterthought — relevant if your AI inference runs on a Linux box.

Version history: 180 days on standard plans. Extended versions are available on higher tiers.

For an AI-specific workflow, the practical setup looks like this:

  1. Move your RAG document library into a Tresorit folder
  2. Point your RAG pipeline at the local sync path (e.g., ~/Tresorit/RAG-docs/)
  3. Your documents are now zero-knowledge synced across devices — Tresorit sees encrypted blocks, never plaintext

Your local LLM reads the files from the local path. The sync happens transparently. The behavior from the AI pipeline's perspective is identical to a standard Dropbox folder. The privacy posture is entirely different.

Recommended

Zero-knowledge encrypted cloud storage built for professional workflows. AES-256, Swiss privacy law, and E2EE sharing. Free trial available.

Tresorit

Try Tresorit Free

Affiliate Disclosure: This article may contain affiliate links. If you make a purchase through these links, we may earn a small commission at no extra cost to you. We only recommend products we genuinely believe in. This helps support our work and allows us to continue providing free content.

Practical Migration: Moving Your AI Workflow to Zero-Knowledge Storage

This doesn't have to be a weekend project. The migration path is straightforward.

Step 1: Audit what's actually in your current cloud sync

Before moving anything, know what you have. Run a quick find on your synced folders:

```bash

find ~/Dropbox ~/Google\ Drive -name ".pdf" -o -name ".docx" -o -name "*.txt" | wc -l

```

This gives you a sense of scale. You're looking for anything you'd be uncomfortable with the storage provider being able to read.

Step 2: Identify your AI-adjacent folders

Which folders does your AI tooling actually touch? Common candidates:

  • RAG document library
  • AI output/drafts folder
  • Prompt template library
  • Model configuration files (.env files, config JSONs)
  • Client materials used as context

Step 3: Migrate high-sensitivity folders first

You don't have to move everything. Start with the folders your AI pipeline reads from, and any folders containing client data or regulated information. Move those to Tresorit. Leave lower-sensitivity content in your existing cloud storage if you prefer — a hybrid setup is fine.

Step 4: Update your AI pipeline paths

Your Tresorit folder syncs to a local path on each device. Update any hardcoded paths in your RAG configuration, LlamaIndex document loaders, or automation scripts to point to the new location.

```python

Before

documents = SimpleDirectoryReader("~/Dropbox/RAG-docs").load_data()

After

documents = SimpleDirectoryReader("~/Tresorit/RAG-docs").load_data()

```

Step 5: Verify sync before removing originals

Give it 24 hours. Confirm the files appear correctly on your secondary device. Then remove the originals from the old cloud storage.

The Compliance Angle: When "Best Effort" Isn't Enough

For most privacy-focused personal use, the threat model is about minimizing corporate data collection and protecting sensitive personal files. Zero-knowledge storage is a strong measure for that goal.

For professional use, there's also a compliance dimension that often gets ignored until it becomes a problem.

HIPAA: If you're in healthcare, the cloud storage you use for files containing PHI needs a Business Associate Agreement (BAA). Standard Dropbox consumer accounts don't have BAAs. Tresorit offers BAAs for healthcare customers on appropriate plans.

GDPR: If you're processing personal data of EU residents, Article 32 requires "appropriate technical measures" to protect that data. Zero-knowledge encryption is a strong technical measure. The Swiss-EU data transfer framework means Tresorit operates with recognized adequacy.

SOC 2: Tresorit holds SOC 2 Type II certification. If your clients or contracts require demonstrable security controls, this is the kind of attestation that satisfies those requirements.

Legal holds: For enterprises in regulated industries, the ability to produce detailed audit logs of exactly who accessed what and when isn't optional — it's a discovery obligation. The audit logging in Tresorit Business satisfies this.

This isn't about being paranoid. It's about not being the person who gets a call from legal asking why sensitive client materials were sitting in a cloud service with no BAA.

Pricing Reality Check

Tresorit is not the cheapest zero-knowledge storage option. A Solo plan (one user, 2 TB) runs around $30/month. Business plans are higher. There is a free tier with 5 GB to evaluate the product.

The comparison that matters: what's the cost of a data breach involving client materials, a HIPAA violation, or a privileged document being exposed to a cloud provider's scanning systems? For professionals, the risk-adjusted math usually favors paying for proper infrastructure.

For personal use where the threat model is primarily about corporate surveillance rather than regulatory compliance, there are cheaper zero-knowledge options. Proton Drive is solid and starts free. Filen is open-source and very inexpensive. But if your AI workflows involve client work, regulated data, or anything with legal exposure — Tresorit's audit trail and compliance documentation is worth the premium.

Building a Complete Privacy Stack

Zero-knowledge storage is one layer. A complete privacy-first AI workflow also includes:

  • Local inference: Ollama, LM Studio, or llama.cpp for all sensitive document processing
  • Local embeddings: nomic-embed-text or mxbai-embed-large — no API calls to generate embeddings from your documents
  • Network monitoring: Something like Little Snitch (macOS) or OpenSnitch (Linux) to catch any process making unexpected outbound connections
  • Disk encryption: FileVault (macOS) or LUKS (Linux) for the local storage layer
  • Zero-knowledge sync: Tresorit or equivalent for anything that needs to live in the cloud

The goal isn't to be unhackable — no setup achieves that. The goal is to minimize the number of parties who have access to your sensitive data. Standard cloud sync adds a party unnecessarily. Removing it from the stack is the simplest privacy improvement most local AI users haven't made yet.

Last updated: 2026-05-26

Ready to close the storage gap in your local AI setup? Subscribe for more practical privacy stack guides — no surveillance capitalism required.

{/ Email capture CTA /}

Get the Full Privacy Stack Checklist

A practical checklist for every layer of a privacy-first AI workflow — inference, storage, networking, and compliance. No fluff.

{/ EmailSignup component /}