Unsere Website gibt es auch auf Deutsch - würden Sie gerne zu dieser Version wechseln?Zu Deutsch wechseln
MADE & HOSTED
IN GERMANY

In which cases do I activate additional end-to-end encryption?

Differences in encryption

By applying an encryption method, a plaintext is converted into a ciphertext (and vice versa). The decisive difference between the individual encryption methods is the point at which the data is encrypted and/or who holds the key for encryption.

Basis: HTTP/SSL encryption

HTTP/SSL encryption secures the transmission path between the end device and the server. During transmission over the Internet, the data remains encrypted. The data is transmitted along with the key to the respective service provider for storage. Therefore, before and after the transmission, the data is decrypted, i.e., stored on the server with plain text.

Note: Providers often claim this to be "End-to-end encryption".

Only HTTP/SSL encryption
Only HTTP/SSL encryption
Note: Depending on the type of data, all data protection requirements under the General Data Protection Regulation (GDPR) may be met by Stackfield (with its technical and organizational measures) even with HTTP/SSL encryption only (i.e., for our unencrypted rooms / Direct Messages).

Additional: End-to-end encryption

In addition to the HTTPS/SSL encryption, Stackfield allows you to activate end-to-end encryption on top, which is a unique combination of symmetric (AES) and asymmetric (RSA) encryption methods.

During the upload, the data will be encrypted directly in the browser (i.e. a password is generated automatically) and then transmitted using HTTP/SSL encryption. With client-side encryption, the key that encodes the data never leaves the user's possession. This means that no one can decrypt the information between the two end devices. Only when downloading the data in the browser of the authorized recipient it will be decrypted, i.e. displayed as plain text.

HTTP/SSL + End-to-end encryption
HTTP/SSL + End-to-end encryption
The kind of data that is being end-to-end encrypted
The kind of data that is being end-to-end encrypted

Advantages and disadvantages of end-to-end encryption

No unauthorized third party has access to the information, neither the state / a court (regarding the issue: Cloud Act) nor Stackfield as platform operator or our subcontractors. If an outsider were to obtain the data, it would merely be a chain of numbers and letters from which no information could be obtained. Only authorized people (i.e. members of a room with the appropriate rights) can access the information.

Due to early encryption, there may be some limitations in the daily work with encrypted rooms / direct messages:

Good password management is essential, as no one can gain access to lost rooms / direct messages without the right passwords. To prevent this, every user should know their own password for logging in. If two-factor authentication is enabled, the second factor must also be accessible at all times. The automatically generated passwords of the encrypted rooms / direct messages do not have to be remembered when logged in to access the data. However, the responsible room admin(s) should keep the password somewhere accessible.

No encrypted data is sent anywhere "outside", e.g. to external services as calendar subscription and notifications via email or the lock screen of the phone. Email notifications only reveal general information about the existence of the item / activity along with a note about the extra encryption and a link (i.e. a redirect to the relevant location within Stackfield).

Example: Email notification coming from an encrypted room
Example: Email notification coming from an encrypted room

The transfer of data through integrations / WebHooks (blog article: Automate your processes with Stackfield) can only be used in unencrypted rooms as the API does not have the respective key to encrypt/decrypt them. Note: Integrations where only a link is transferred (e.g. to files in Dropbox, OneDrive, Google Drive, and Box) and Giphy are generally supported.

The global search may be a bit slower, as it is not performed in one go but blocks due to the end-to-end encryption. The speed depends on the local device and the amount of data.

Tip: Use an unencrypted room for non-sensitive data to be shared e.g. through calendar subscriptions / emails / integrations and WebHooks. By using # mentions or links, you can create references to the location of sensitive data within encrypted rooms.

When does end-to-end encryption make sense?

Goal: Compliance with the General Data Protection Regulation (GDPR), professional obligations (e.g. § 203 – German penal code) and compliance guidelines.

Therefore, use encrypted rooms / direct messages with the additional end-to-end encryption for highly sensitive data (e.g., personal data and company internals).

Note: Further information on the subject of personal data and its processing can be found in particular in the Articles 4, 5, and 9 of the GDPR. Companies outside the EU are also bound by the GDPR as soon as personal data of EU citizens is processed.

How do I activate end-to-end encryption?

Precautions taken by admins of the organization

Admins of the organization can take precautions for encryption within the Organization Settings. Here, the following functions can be defined:

  • Do you want to encrypt Direct Messages chats? (Choices: "Always unencrypted" / "Always encrypted")
  • Do you want to encrypt all rooms? (Choices: "Always unencrypted" / "Always encrypted" / "Creator can choose"*)
  • *Who is allowed to create unencrypted rooms? (Triggered by the previous option "Creator can choose") (Choices: "Admin" / "Admins & Members")
Organization Settings / Permissions
Encryption

Note: All settings regarding the encryption are valid from the moment the settings are defined. This means that the encryption of already existing direct messages or rooms remains the same as it was before.

The creator can choose when creating a room

If users themselves can decide whether to use additional end-to-end encryption when creating a room, a lock icon is displayed in the input field of the "Room name". Simply click on it to activate the extra encryption. Note: The encryption of a room cannot be changed later.

Select encryption yourself when creating a room
Select encryption yourself when creating a room

Further information

Security standards

For further information on our security standards please visit: https://www.stackfield.com/de/security.

Cloud Act

US IT companies and IT service providers are legally obliged by the CLOUD Act to reveal data to US authorities, even if storage and processing do not take place in the USA. This includes all data (i.e., personal and corporate data) in their possession (i.e., under their custody or control). It may even be prohibited by law to inform the data subjects about the release.

Password management

If your password for logging in to your account is reset, it must be "linked" to the keys of the rooms again to be able to access all encrypted data again. The transfer of the keys can either be performed by other members of the room through so-called "activation" or by manually entering the room passwords. However, it can become critical with rooms in which you are the only member. Therefore, a room admin should at least write the individual passwords down. You can find the password of an encrypted room within the tab General in the Room Settings. There, it is always displayed in encrypted form - protected from unauthorized access - until you click on the "Show" button.

"Show" room password and save it somewhere accessible

How can I tell that a room is encrypted end-to-end?

Encrypted rooms are marked with a lock icon next to their room name and have an automatically generated password within the tab General in the Room Settings.

Was this article helpful?
Cookies & Privacy Settings
We only use our own cookies and technologies in order to offer you the best possible experience on our website. You can find further information via the data protection settings and adjust or revoke your consent or object to processing at any time.
Custom Settings
Accept all
Reject