How are my communications secured?
Every message and document passed through Dekko is secured with multiple layers of encryption and can only be read by the sender and the receiver, no one else. No information on the server or in transit can be used to decrypt and read the data. Even the creators of Dekko and administrators of a system using Dekko Secure cannot see users’ data, since the user’s password is itself encrypted.
- There are no ‘back doors’ or master encryption keys; these only introduce vulnerabilities.
- A minimum of 3 layers of encryption (AES-256, ECC-384, SSL-4096) are used at all times, on all secured objects.
- Every document has its own key. One compromised document does not compromise a whole account’s data.
- Similarly, one compromised account does not compromise the whole system.
To learn more, see our security page.
What infrastructure do you store user data on, and where?
Dekko uses Microsoft Azure to run Dekko and store user data. Accounts created on dekko.io are stored in Europe, and accounts created on au.dekko.io are stored in Australia. The infrastructure supporting each instance is entirely separate.
Is your application safe? Has it been independently verified?
Do you support 2FA?
Yes! For regular Dekko accounts, 2FA is performed using our mobile app. To enable 2FA, see our documentation page on the topic here.
Active Directory accounts can also utilise MFA during the login procedure based on the parent organisation’s security policies. AD can also specifically target Dekko for MFA, as well as other Conditional Access controls.
What is left on my device after logging out?
Locally, the only data Dekko stores unencrypted is what you are working on or what is cached during your session. After you log out, your private key no longer exists and any data left on your device is useless. The tenancy tool can also be used to set session expiry times.
What about my communications is secured? What information does Dekko log?
Dekko does not encrypt everything. Developed primarily as a business solution, Dekko is a privacy tool; it is not an anonymity tool. Without any action required other than pressing ‘send’, Dekko secures:
- File names
- File contents
- Message subject
- Message contents
- Message size
All site communications are secured using TLS 1.2 and HSTS.
To learn more about auditing, see our controls and compliance page.
How are accounts secured?
Accounts are secured by your password, which Dekko does not (and cannot) know. Your public and private keys are generated during registration, and your private key is encrypted using your password before it is sent to our servers. Passwords are hashed and salted before they are sent to our servers.
To learn more, see our security page.
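The registration flow described above, sketched as an added example that is not Dekko's code. Only AES-256 and the 384-bit curve come from this page; the KDF (scrypt) and its parameters, the GCM mode, and every function and field name are assumptions.

```javascript
// Added illustration, not Dekko's code. scrypt, AES-256-GCM and all names are assumptions.
const nodeCrypto = require('node:crypto');

// One scrypt call yields two independent secrets: bytes 0-31 wrap the private key
// and never leave the client; bytes 32-63 are the salted hash sent for login.
function deriveSecrets(password, salt) {
  const out = nodeCrypto.scryptSync(password.normalize('NFKC'), salt, 64,
    { N: 2 ** 15, r: 8, p: 1, maxmem: 64 * 1024 * 1024 });
  return { wrapKey: out.subarray(0, 32), authVerifier: out.subarray(32) };
}

// Client-side registration: generate a P-384 key pair, wrap the private key under
// the password-derived key, and return only what may be uploaded.
function register(password) {
  const salt = nodeCrypto.randomBytes(16);
  const { wrapKey, authVerifier } = deriveSecrets(password, salt);
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ec', {
    namedCurve: 'secp384r1',
    publicKeyEncoding: { type: 'spki', format: 'der' },
    privateKeyEncoding: { type: 'pkcs8', format: 'der' },
  });
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', wrapKey, iv);
  const wrapped = Buffer.concat([cipher.update(privateKey), cipher.final()]);
  // The upload holds no password, no wrapKey and no plaintext private key.
  return { salt, iv, wrapped, tag: cipher.getAuthTag(), publicKey, authVerifier };
}

// Client-side login: re-derive the wrapping key and unwrap. A wrong password fails
// the GCM tag check and throws. Anyone holding the record can still guess passwords
// offline, which is why the KDF cost matters.
function unlock(password, record) {
  const { wrapKey } = deriveSecrets(password, record.salt);
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', wrapKey, record.iv);
  decipher.setAuthTag(record.tag);
  return Buffer.concat([decipher.update(record.wrapped), decipher.final()]);
}
```

In a design like this the server would hash `authVerifier` again before storing it, so that a database leak does not yield a value that can be replayed as a login.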
How do you authenticate users at sign up?
By default, all accounts must perform an email verification before they are able to log in for the first time. The tenancy tool can be used to enforce all invitees in tenancy DekkoCIRCLEs to also perform an SMS verification.
How do you delete data?
When data and accounts are deleted, two things happen. First, the keys for all data subject to deletion are deleted. Following that, this encrypted data is overwritten with garbage data.