Differences in encryption
With an encryption method, a plaintext is converted into a ciphertext (and vice versa). The decisive difference between the individual encryption methods is the point at which the data is encrypted and/or who has the key for encryption.
Basic: HTTP/SSL encryption
HTTP/SSL encryption secures the transmission path between the end device and server. During transmission over the Internet, the data is encrypted. The data is transferred together with the key to the respective service provider for storage. Before and after this, the data is stored on the server decrypted, i.e. with plain text.
Note: Providers often claim this to be end-to-end encryption even though the data.
Only HTTP/SSL encryption
Note: Depending on the type of data Stackfield (with its technical and organizational measures) can also meet all data protection requirements in accordance with the German Data Protection Ordinance (DSGVO) even with pure HTTP/SSL encryption (i.e. with our unencrypted rooms / direct messages).
Additional: End-to-end encryption
In addition to the HTTPS/SSL encryption, Stackfield can also activate end-to-end encryption on top, which consists of a unique combination of symmetric (AES) and asymmetric (RSA) encryption methods.
The data will be encrypted directly in the browser during upload (i.e. a password is automatically generated) and then transferred using HTTP/SSL encryption. With client-side encryption, the key that encodes the data never leaves the user's possession. This means that nobody can decrypt the information while it is being transmitted between the two end devices. The data will only be decrypted, i.e. displayed as plain text, when downloaded in the browser of the authorized recipient.
HTTP/SSL + End-to-end encryption
The kind of data that is being end-to-end encrypted
Advantages and disadvantages of end-to-end encryption
No unauthorized third party has access to the information, neither the state / a court (regarding the issue: Cloud Act), nor Stackfield as platform operator or our subcontractors. If a third party should attempt to gain access to the data, this would be a chain of numbers and letters from which no information can be obtained. Only authorized people (i.e. members of a room with appropriate rights) can access the information.
Due to early encryption, there may be some limitations in the daily work with encrypted rooms / direct messages:
A good password Management is essential: If access to rooms / direct messages has been lost, no one can gain access to them anymore. To prevent this, every user should know his own password for logging in. If two-factor authentication is activated, the second factor must also be accessible. It is not necessary to remember the automatically generated passwords of the encrypted rooms / direct messages to access the data when logged in. However, the responsible room administrator should keep the password at hand somewhere.
No encrypted data is sent anywhere "outside", e.g. to external services via calendar subscription and notifications via email or the lock screen of the phone. In the case of an email notification, only general information about the existence of the item/activity is provided, with a reference to the extra encryption and a link to the item/activity (i.e. a forwarding to the relevant location in Stackfield).
Example: Email notification coming from an encrypted room
The transfer of data using the integrations / WebHooks (blog article: Automate your processes with Stackfield) can only be used in unencrypted rooms, because the API does not have the respective key to encrypt/decrypt. Note: Integrations where only a link is transferred (e.g. to files in Dropbox, OneDrive, Google Drive and Box) and Giphy are generally supported.
The performance of the global search may be a little slower, due to the end-to-end encryption. The speed depends on the local device and the amount of data.
Tip: Use an unencrypted room for non-sensitive data that is to be shared, for example, by calendar subscriptions / emails / integrations and WebHooks. You can use #-reference or a link to create a reference to the encrypted location where the sensitive data is stored.
When does it make sense to use end-to-end encryption?
Goal: Compliance with the General Data Protection Regulation (GDPR), professional obligations (e.g. § 203 – German penal code) and compliance guidelines.
For this reason, you should use encrypted rooms / direct messages with the additional end-to-end encryption for highly sensitive data (e.g. personal data and company internal information).
Note: Further information on the subject of personal data and its processing can be found in particular in the Articles 4, 5, and 9 of the GDPR. Companies outside the EU are also bound by the GDPR as soon as personal data of EU citizens is processed.
How do I activate end-to-end encryption?
Arrangements by the organization's admin
An admin of the organization can take precautions for encryption in the Organization Settings (e.g. whether a room is always created encrypted / unencrypted or whether the creator of the room can decide this himself).
Encryption
Decide for yourself when creating a room
If the users can decide on the additional end-to-end encryption themselves when creating a room, you will see a "padlock" symbol in the input field of the Room name. By clicking on it, you can activate the extra encryption. Note: The encryption of a room cannot be changed afterwards.
Select encryption yourself when creating a room
Further information
Security standards
For further information on our security standards please visit:
https://www.stackfield.com/de/security.
Cloud Act
US IT companies and IT service providers are legally obliged by the CLOUD Act to reveal data to US authorities, even if the data is not stored and processed in the USA. This includes all data (i.e. personal and company data) in their possession (i.e. under their care or control). It may even be prohibited by law to inform the data subjects about the release.
Password management
If you reset your own password to login into your account, it must be "linked" again to the keys of the rooms to be able to access all encrypted data again. The transmission of the keys can either be done by other members of the room through a so-called activation or by manually entering the room passwords. However, it can become critical with rooms in which you are the only member, so the individual passwords should at least be written down by a room admin. You can find the password in the Room Settings under the tab General. The password is always shown encrypted until you click on the "Show" button - hidden from view.
"Show" room password and save it somewhere accessible
How can I tell that a room is encrypted end-to-end?
In the encrypted room, there is a "padlock" symbol to the right of the room name and an automatically generated password in the Room Settings under the tab General.