Cloud Sync (PowerSync)
TensorPM is offline-first. Cloud sync is optional and workspace-based.
Local vs cloud workspace model
- Local workspace: data stays on device
- Cloud workspace: data syncs across devices and team members
Cloud workspaces are end-to-end encrypted, both in transit and at the workspace-content level. All sensitive project content is encrypted with XChaCha20-Poly1305 (256-bit keys) before leaving your device. Workspace keys are distributed via X25519 sealed envelopes. Our servers never see plaintext. See Encryption & Security for full technical details.
When sync is active
Sync becomes active when all required conditions are true:
- you are in a cloud workspace
- you are authenticated
- workspace access is valid (subscription or seat-based access)
Free users can still sync inside shared workspaces when they have been granted seat access.
Sync status labels in the app
The status indicator can show:
- Local
- Live
- Log in
- Upgrade
- No access
- Keyring
- Offline
- No network
- Error
- Pending
During connecting/syncing transitions, spinner-only states can appear with no label text.
Disabled reason mapping
Common disabled reasons behind these labels:
- not authenticated -> Log in
- no subscription/seat entitlement -> Upgrade
- workspace access revoked -> No access
- secure storage unavailable for E2E keys -> Keyring
- network outage -> No network
Workspace-level E2E state
In workspace management, cloud workspaces can also show intermediate E2E states:
- E2E Setup...
- E2E Pending
- E2E Encrypted
These reflect key bootstrap and key-sharing progress. During setup, your device generates a cryptographic identity. The workspace creator generates the initial workspace key directly; additional devices receive sealed workspace key envelopes from already-authorized devices.
Architecture
TensorPM writes locally first, then syncs in the background. This preserves responsiveness and offline usability.
Sync diagnostics in popover
The sync popover can include:
- relative and exact timestamps for last sync/upload/download
- pending encryption setup warnings
- retry action for failed uploads
- restart sync service action
- export diagnostics bundle action
- visible sync issue list with dismiss actions
Conflict behavior
Sync conflict handling is last-write-wins for concurrent field edits.
Practical guidance:
- avoid editing the same fields on multiple devices at the same time
- let sync settle before disconnecting secondary devices
Shared workspaces and seats
Shared workspaces support invitations and roles. Cloud/Pro users can collaborate directly. Free users may collaborate through assigned team seats.
If sync is unavailable
Common causes:
- not signed in
- no cloud/pro entitlement and no seat access
- workspace access revoked
- secure key storage unavailable on device
- temporary network outage
Encryption architecture
Cloud Sync uses zero-knowledge end-to-end encryption:
- All sensitive workspace content is encrypted client-side with XChaCha20-Poly1305 (AEAD, 256-bit keys)
- Each device has a unique X25519 keypair; workspace keys are distributed via sealed envelopes
- Servers store only ciphertext and cannot decrypt your data
- Optional password-based escrow recovery uses Argon2id key derivation
- If all devices and recovery methods are lost, encrypted data cannot be recovered
For algorithms, key management, data flow diagrams, and security properties, see Encryption & Security.
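The key-sharing step described above (each device holds an X25519 keypair, and an already-authorized device seals the workspace key to a new device's public key), as an added example that is not TensorPM's code. It uses only Node's built-in crypto, so ChaCha20-Poly1305 with a derived 12-byte nonce stands in for the wrap cipher; the envelope layout, the HKDF label and all function names are assumptions.

```javascript
// Added illustration, not TensorPM code. Layout, HKDF label and names are assumptions.
const crypto = require('node:crypto');

// Raw 32-byte X25519 public key <-> Node KeyObject, via JWK.
const rawPub = (k) => Buffer.from(k.export({ format: 'jwk' }).x, 'base64url');
const toPub = (raw) => crypto.createPublicKey({
  key: { kty: 'OKP', crv: 'X25519', x: raw.toString('base64url') }, format: 'jwk' });

// One-time wrap key and nonce derived from the ECDH secret and bound to both
// public keys. The ephemeral key is never reused, so the pair is single-use.
function deriveWrap(shared, ephPub, devicePub) {
  const info = Buffer.concat([Buffer.from('example-ws-envelope-v1'), ephPub, devicePub]);
  const okm = Buffer.from(crypto.hkdfSync('sha256', shared, Buffer.alloc(0), info, 44));
  return { key: okm.subarray(0, 32), nonce: okm.subarray(32) };
}

// Already-authorized device: seal the workspace key to a new device's public key.
function sealWorkspaceKey(workspaceKey, devicePublicKey) {
  const eph = crypto.generateKeyPairSync('x25519'); // fresh per envelope
  const shared = crypto.diffieHellman({ privateKey: eph.privateKey, publicKey: devicePublicKey });
  const ephPub = rawPub(eph.publicKey);
  const { key, nonce } = deriveWrap(shared, ephPub, rawPub(devicePublicKey));
  const c = crypto.createCipheriv('chacha20-poly1305', key, nonce, { authTagLength: 16 });
  const ct = Buffer.concat([c.update(workspaceKey), c.final()]);
  return Buffer.concat([ephPub, ct, c.getAuthTag()]); // 32 + 32 + 16 bytes for a 256-bit key
}

// New device: open with its own keypair. Throws on tampering or wrong recipient.
function openWorkspaceKey(envelope, device) {
  const ephPub = envelope.subarray(0, 32);
  const shared = crypto.diffieHellman({ privateKey: device.privateKey, publicKey: toPub(ephPub) });
  const { key, nonce } = deriveWrap(shared, ephPub, rawPub(device.publicKey));
  const d = crypto.createDecipheriv('chacha20-poly1305', key, nonce, { authTagLength: 16 });
  d.setAuthTag(envelope.subarray(-16));
  return Buffer.concat([d.update(envelope.subarray(32, -16)), d.final()]);
}

// Constructed demo: a relay that stores the envelope sees only ciphertext.
const demoDevice = crypto.generateKeyPairSync('x25519');
const demoKey = crypto.randomBytes(32);
const demoEnvelope = sealWorkspaceKey(demoKey, demoDevice.publicKey);
console.log('envelope bytes:', demoEnvelope.length,
  'recovered:', openWorkspaceKey(demoEnvelope, demoDevice).equals(demoKey));
```

Only the holder of the recipient private key can open the envelope, which is why losing every device and recovery method leaves the data unrecoverable.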
Next steps
- Encryption details: Encryption & Security
- Plan and account details: Account & AI Modes
- Initial setup: Getting Started
- Recovery actions: Troubleshooting