From what I understand, the encryption is done client-side per individual item (e.g. if you use a cloud provider, unencrypted data never touches them), but there's some generally questionable stuff in how it handles secure things: https://news.ycombinator.com/item?id=9727297