I read your white paper and other help and couldn't find the answer to my question. If I updated a specific login on one device, regardless of which sync method is used, the local data file on all other devices should be updated to match. My question is, where and how does that happen. I'm assuming that a discrete login entry can't be updated (or does the latest dated one just replace all the others?) while the local data is encrypted.
If so, then where is the data file located when it is decrypted for modification. Is it on the client, as your security assurances would suggest, or on a server (Agile, iCloud, Dropbox, WLAN) somewhere? As I understand the way general syncing systems work, a star configuration is preferred where some central server entity is the "master" and each surrounding client entity is synced with the master in a round-robin fashion. At the completion of two rounds, all should have the same data. There are two ways this could be done, the first is preferred. The master file could be sent to the client which decrypts the master's data and its local copy, does the sync modifications, and sends the encrypted update back to the server to become the new master. The round robin then proceeds to the next client. The second less preferred method is the opposite, the client data is sent to the server and the server decrypts and synchronizes. This seems to be in violation of your security principles if unencrypted data ever exists on the server.
Does !PW operate as I described in a star type configuration and if so, does unencrypted data only ever exist on the client? Is the same mechanism used for iCloud and Dropbox as for Agile's server and WLAN server? Some of the forum answers given would suggest that what iCloud and Dropbox do is not well understood or controlled by 1PW.
It would be nice also to understand better at the individual login entry level how 1PW merges two different data sets.
1Password Version: 6.8.3
Extension Version: 4.6.11
OS Version: 10.12.6
Sync Type: iCloud currently