Security Policy
At Fileble, the security of your data is our top priority. This Security Policy outlines the measures we take to protect your information and the steps you can take to help us maintain the security of our services.
1. Data Encryption
We use industry-standard encryption protocols to protect data in transit and at rest. All data transferred between your device and our servers is encrypted using Secure Socket Layer (SSL) technology. Additionally, we encrypt stored data to prevent unauthorized access.
2. Access Control
Access to your data is restricted to authorized personnel who require it to perform their job functions. We implement strict authentication and authorization mechanisms to prevent unauthorized access. User passwords are hashed and salted using secure algorithms.
3. Network Security
Our servers are protected by advanced firewalls and intrusion detection systems. We regularly monitor our network for suspicious activities and vulnerabilities. Security patches and updates are applied promptly to mitigate risks.
4. Regular Audits and Assessments
We conduct regular security audits and assessments to identify and address potential vulnerabilities. Our security team stays up-to-date with the latest threats and employs best practices to enhance our security posture.
5. Data Backups
We perform regular backups of your data to prevent loss in case of system failures or disasters. Backups are encrypted and stored securely in geographically diverse locations to ensure availability.
6. Incident Response
In the event of a security incident, we have a comprehensive incident response plan to quickly address and resolve the issue. We will notify affected users as required by applicable laws and work to mitigate any potential harm.
7. User Responsibilities
You play a crucial role in keeping your data secure. We recommend that you use a strong, unique password for your account and change it regularly. Do not share your password with others, and be cautious of phishing attempts. Always verify that you are accessing our official website.
8. Reporting Security Issues
If you discover any security vulnerabilities or have concerns about the security of your account, please contact us immediately at security@fileble.com. We appreciate your assistance in maintaining the safety and integrity of our platform.
9. Compliance with Standards
We comply with industry standards and regulations to protect your data. Our security practices are aligned with frameworks such as ISO 27001 and GDPR requirements where applicable.
10. Changes to This Policy
We may update this Security Policy from time to time to reflect changes in our practices or applicable laws. We encourage you to review this policy periodically to stay informed about how we are protecting your information.
Last Updated: [Insert Date]
A. User Key Generation
1. User Password
When a user signs up or logs in, the system checks whether the user's key exists in IndexedDB. If it does not, the system checks whether the user has a public key stored in the database. A user with neither key is a first-time user and is prompted to set a password. This password cannot be recovered, as it will be used to generate both keys: a user who forgets it loses access to their uploaded files and must generate a new key pair.
2. Derive User's Key Pair
The user's password is used to derive a symmetric key with a robust Key Derivation Function (KDF) such as PBKDF2, scrypt, or Argon2. This symmetric key is then used to encrypt the user's private key before it is stored.
3. Generate User's Key Pair
An asymmetric key pair (public and private keys) is generated for the user. The private key is encrypted using the symmetric key derived from the user's password and stored locally (e.g., in IndexedDB). The public key is uploaded and stored securely on the server (e.g., in the users table).
B. Company Key Generation
1. Generate Company Key Pair
Upon company creation, an asymmetric key pair is generated on the client side. This key pair is essential for encrypting and managing company-related data securely.
2. Encrypt Company Private Key for the Creator
The company's private key is encrypted using the creator's (owner's) public key. This ensures that only the creator can decrypt and access the company's private key. The encrypted company private key is then stored on the server, associated with the respective company, but remains secure and inaccessible without the creator's private key.
3. Store Company Public Key
The company's public key is stored on the server (e.g., in the companies table). This key is used for encrypting data and sharing the company's private key with authorized users.
C. Sharing Company Private Key with Users
Existing Users
For each authorized user within the company, the company's private key is encrypted using the user's public key. The encrypted company private key is then stored in a dedicated table (e.g., `company_private_key`) on the server, ensuring that only authorized users can retrieve and decrypt it using their own private keys.
D. Data Encryption and Decryption
1. Encrypting Data
When uploading data to the server, the data is encrypted on the client side using a robust symmetric key (e.g., AES-256). This symmetric key is then encrypted with the company's public key to ensure secure storage and transmission. Both the encrypted data and the encrypted symmetric key are stored on the server, maintaining the confidentiality and integrity of your information.
2. Decrypting Data
When a user wishes to access the data, the encrypted data and the corresponding encrypted symmetric key are retrieved from the server. The user first decrypts the company's private key using their own private key. With the decrypted company private key, the symmetric key is then decrypted. Finally, the decrypted symmetric key is used to decrypt the actual data, allowing the user to access the original content securely.
E. Secure Storage on the Client Side
User Private Key
The user's private key is stored encrypted with a symmetric key derived from the user's password. This encrypted private key is securely stored in the user's IndexedDB or local storage on their device. By encrypting the private key, we ensure that even if unauthorized access occurs, the key remains protected.
Company Private Key
The company's private key is encrypted with the user's public key and stored securely on the server. This ensures that only authorized users can decrypt and access the company's private key when needed, maintaining strict control over sensitive company data.