When pairing, a 256bit key is generated for each session and shared directly between browser and app via the QR code. Our back-end does not see this key.
All interactions between the web client and MySudo are encrypted end-to-end. Our back-end is not permitted to see protected data (eg. contacts, encrypted communications, etc.) transitively or otherwise.