Differences in encryption
By applying an encryption method, a plaintext is converted into a ciphertext (and vice versa). The decisive difference between the individual encryption methods is the point at which the data is encrypted and/or who holds the key for encryption.
Basis: HTTP/SSL encryption
HTTP/SSL encryption secures the transmission path between the end device and the server. During transmission over the Internet, the data remains encrypted. The data is transmitted along with the key to the respective service provider for storage. Therefore, before and after the transmission, the data is decrypted, i.e., stored on the server in plain text.
Note: Providers often claim this to be "End-to-end encryption".
Only HTTP/SSL encryption
Note: Depending on the type of data, all data protection requirements under the General Data Protection Regulation (GDPR) may be met by Stackfield (with its technical and organizational measures) even with HTTP/SSL encryption only (i.e., for our unencrypted rooms / Direct Messages).
Additional: End-to-end encryption
In addition to HTTP/SSL encryption, Stackfield allows you to activate end-to-end encryption on top, which is a unique combination of symmetric (AES) and asymmetric (RSA) encryption methods.
During the upload, the data is encrypted directly in the browser (i.e. a password is generated automatically) and then transmitted using HTTP/SSL encryption. With client-side encryption, the key that encrypts the data never leaves the user's possession. This means that no one can decrypt the information between the two end devices. The data is decrypted, i.e. displayed as plain text, only when it is downloaded in the browser of the authorized recipient.
HTTP/SSL + End-to-end encryption
The kind of data that is being end-to-end encrypted
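The combination of symmetric (AES) and asymmetric (RSA) encryption described in this section can be sketched with the browser's WebCrypto API. This is an added example, not Stackfield's code: the function names, the per-member wrapped-key layout and the sample message are assumptions made for illustration.

```javascript
// Added illustration of hybrid AES + RSA encryption with WebCrypto.
// All names and the data layout are hypothetical, not Stackfield's implementation.
const wc = globalThis.crypto ?? require("node:crypto").webcrypto;
const RSA = { name: "RSA-OAEP", modulusLength: 2048,
              publicExponent: new Uint8Array([1, 0, 1]), hash: "SHA-256" };
const AES = { name: "AES-GCM", length: 256 };

// Each member holds an RSA key pair; the private key is non-extractable.
const newMemberKeys = () => wc.subtle.generateKey(RSA, false, ["wrapKey", "unwrapKey"]);
// One random AES-256 key per room, generated on the client.
const newRoomKey = () => wc.subtle.generateKey(AES, true, ["encrypt", "decrypt"]);

// Asymmetric step: wrap the room key so only one member's private key opens it.
const wrapFor = (roomKey, publicKey) =>
  wc.subtle.wrapKey("raw", roomKey, publicKey, { name: "RSA-OAEP" });
const unwrap = (wrapped, privateKey) =>
  wc.subtle.unwrapKey("raw", wrapped, privateKey, { name: "RSA-OAEP" },
                      AES, true, ["encrypt", "decrypt"]);

// Symmetric step: content is encrypted with the room key before upload.
async function encryptMessage(roomKey, text) {
  const iv = wc.getRandomValues(new Uint8Array(12)); // fresh nonce per message
  const data = new TextEncoder().encode(text);
  const ct = await wc.subtle.encrypt({ name: "AES-GCM", iv }, roomKey, data);
  return { iv, ct: new Uint8Array(ct) };
}
async function decryptMessage(roomKey, { iv, ct }) {
  const pt = await wc.subtle.decrypt({ name: "AES-GCM", iv }, roomKey, ct);
  return new TextDecoder().decode(pt);
}

async function demo() {
  const alice = await newMemberKeys(), bob = await newMemberKeys();
  const roomKey = await newRoomKey();
  // What the server would store: ciphertext and wrapped keys, never the room key.
  const server = { msg: await encryptMessage(roomKey, "constructed sample: salary list"),
                   wrapped: { alice: await wrapFor(roomKey, alice.publicKey) } };
  // Alice admits Bob by re-wrapping the room key to Bob's public key.
  const aliceKey = await unwrap(server.wrapped.alice, alice.privateKey);
  server.wrapped.bob = await wrapFor(aliceKey, bob.publicKey);
  const bobKey = await unwrap(server.wrapped.bob, bob.privateKey);
  const bobReads = await decryptMessage(bobKey, server.msg);
  // A key pair that was never given a wrapped copy cannot recover the room key.
  const outsider = await newMemberKeys();
  const outsiderBlocked = await unwrap(server.wrapped.alice, outsider.privateKey)
    .then(() => false, () => true);
  return { bobReads, outsiderBlocked };
}
```

Calling `demo()` in a browser console or in Node resolves to the message as read by the second member and a flag showing that a key pair without a wrapped copy could not open the room key.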
Advantages and disadvantages of end-to-end encryption
No unauthorized third party has access to the information, neither the state / a court (regarding the issue: Cloud Act) nor Stackfield as platform operator or our subcontractors. If an outsider were to obtain the data, it would merely be a chain of numbers and letters from which no information could be obtained. Only authorized people (i.e. members of a room with the appropriate rights) can access the information.
Due to early encryption, there may be some limitations in the daily work with encrypted rooms / direct messages:
- Good password management is essential, as no one can gain access to lost rooms / direct messages without the right passwords. To prevent this, every user should know their own password for logging in. If two-factor authentication is enabled, the second factor must also be accessible at all times. The automatically generated passwords of the encrypted rooms / direct messages do not have to be remembered when logged in to access the data. However, the responsible room admin(s) should keep the password somewhere accessible.
- No encrypted data is sent anywhere "outside", e.g. to external services such as calendar subscriptions and notifications via email or on the lock screen of the phone. Email notifications only reveal general information about the existence of the item / activity along with a note about the extra encryption and a link (i.e. a redirect to the relevant location within Stackfield).
Example: Email notification coming from an encrypted room
- The transfer of data through integrations / WebHooks (blog article: Automate your processes with Stackfield) can only be used in unencrypted rooms as the API does not have the respective key to encrypt/decrypt them. Note: Integrations where only a link is transferred (e.g. to files in Dropbox, OneDrive, Google Drive, and Box) and Giphy are generally supported.
- The global search may be a bit slower, as it is not performed in one go but in blocks because of the end-to-end encryption. The speed depends on the local device and the amount of data.
Tip: Use an unencrypted room for non-sensitive data to be shared e.g. through calendar subscriptions / emails / integrations and WebHooks. By using # mentions or links, you can create references to the location of sensitive data within encrypted rooms.
When does end-to-end encryption make sense?
Goal: Compliance with the General Data Protection Regulation (GDPR), professional obligations (e.g. § 203 – German penal code) and compliance guidelines.
Therefore, use encrypted rooms / direct messages with the additional end-to-end encryption for highly sensitive data (e.g., personal data and company internals).
Note: Further information on the subject of personal data and its processing can be found in particular in Articles 4, 5, and 9 of the GDPR. Companies outside the EU are also bound by the GDPR as soon as personal data of EU citizens is processed.
How do I activate end-to-end encryption?
Precautions taken by admins of the organization
Admins of the organization can take precautions for encryption within the Organization Settings. Here, the following functions can be defined:
- Do you want to encrypt Direct Messages chats? (Choices: "Always unencrypted" / "Always encrypted")
- Do you want to encrypt all rooms? (Choices: "Always unencrypted" / "Always encrypted" / "Creator can choose"*)
- *Who is allowed to create unencrypted rooms? (Triggered by the previous option "Creator can choose") (Choices: "Admin" / "Admins & Members")
Note: All settings regarding the encryption are valid from the moment the settings are defined. This means that the encryption of already existing direct messages or rooms remains the same as it was before.
The creator can choose when creating a room
If users themselves can decide whether to use additional end-to-end encryption when creating a room, a lock icon is displayed in the input field of the "Room name". Simply click on it to activate the extra encryption. Note: The encryption of a room cannot be changed later.
Select encryption yourself when creating a room
For further information on our security standards please visit:
US IT companies and IT service providers are legally obliged by the CLOUD Act to reveal data to US authorities, even if storage and processing do not take place in the USA. This includes all data (i.e., personal and corporate data) in their possession (i.e., under their custody or control). It may even be prohibited by law to inform the data subjects about the release.
If your password for logging in to your account is reset, it must be "linked" to the keys of the rooms again to be able to access all encrypted data again. The transfer of the keys can either be performed by other members of the room through so-called "activation" or by manually entering the room passwords. However, it can become critical with rooms in which you are the only member. Therefore, a room admin should at least write the individual passwords down. You can find the password of an encrypted room within the tab General in the Room Settings. There, it is always displayed in encrypted form - protected from unauthorized access - until you click on the "Show" button.
"Show" room password and save it somewhere accessible
How can I tell that a room is encrypted end-to-end?
Encrypted rooms are marked with a lock icon next to their room name and have an automatically generated password within the tab General in the Room Settings.