Security & Privacy

Security and privacy are baked into the architecture of Slapdash. Here are the things we do to make sure we are good stewards of any data we are in contact with.

Minimal Permissions

When you connect an app to Slapdash, we always try to request the minimal set of permissions needed to power functionality.

Encryption

If we do store data from a connected application, it is encrypted on disk, in transit, and in the data store.

In the data store, content and keys are stored using ECIES (with the secp256k1 curve and the AES-256 cipher in CTR mode), public-key-encrypted with individual per-user, per-app key pairs. Keys are stored in a separate, secure cluster.
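The scheme named above, as an added Node.js example (not Slapdash's code): ECIES over secp256k1 with AES-256 in CTR mode, encrypting to one per-user, per-app public key. The page does not state the KDF, the MAC or the storage layout, so HKDF-SHA256, HMAC-SHA256, the blob layout and all function names here are assumptions.

```javascript
const crypto = require('crypto');

// Constructed stand-in for one per-user, per-app key pair on secp256k1.
function generateKeyPair() {
  const ecdh = crypto.createECDH('secp256k1');
  const publicKey = ecdh.generateKeys(); // 65-byte uncompressed point
  return { publicKey, privateKey: ecdh.getPrivateKey() };
}

// Assumption: HKDF-SHA256 expands the ECDH secret into an AES key and a MAC key.
function deriveKeys(shared, ephPub) {
  const okm = Buffer.from(crypto.hkdfSync('sha256', shared, ephPub, 'ecies-example', 64));
  return { encKey: okm.subarray(0, 32), macKey: okm.subarray(32) };
}

function mac(macKey, ...parts) {
  return crypto.createHmac('sha256', macKey).update(Buffer.concat(parts)).digest();
}

// Output layout (assumed): ephemeral public key | IV | HMAC tag | ciphertext
function eciesEncrypt(recipientPub, plaintext) {
  const eph = crypto.createECDH('secp256k1');
  const ephPub = eph.generateKeys();
  const { encKey, macKey } = deriveKeys(eph.computeSecret(recipientPub), ephPub);
  const iv = crypto.randomBytes(16);
  const cipher = crypto.createCipheriv('aes-256-ctr', encKey, iv);
  const ct = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([ephPub, iv, mac(macKey, ephPub, iv, ct), ct]);
}

function eciesDecrypt(recipientPriv, blob) {
  if (blob.length < 113) throw new Error('ciphertext too short');
  const ephPub = blob.subarray(0, 65), iv = blob.subarray(65, 81);
  const tag = blob.subarray(81, 113), ct = blob.subarray(113);
  const ecdh = crypto.createECDH('secp256k1');
  ecdh.setPrivateKey(recipientPriv);
  const { encKey, macKey } = deriveKeys(ecdh.computeSecret(ephPub), ephPub);
  // CTR mode alone is malleable, so verify the tag before decrypting.
  if (!crypto.timingSafeEqual(tag, mac(macKey, ephPub, iv, ct))) {
    throw new Error('authentication failed');
  }
  const decipher = crypto.createDecipheriv('aes-256-ctr', encKey, iv);
  return Buffer.concat([decipher.update(ct), decipher.final()]);
}
```

Because only the private half can decrypt, a service holding just the public key can write data it cannot read back, which is the property that makes keeping keys in a separate cluster meaningful.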

One thing that is not encrypted is the reverse index, but we do take care to remove position from the index and limit employee access to the search infrastructure.

We Can't See It

Slapdash employees can't accidentally or even deliberately see the contents of any person's data. This is enforced technologically and with company policy.

We explicitly don't have any tools to log in as a person or to query for a person's data. Data is only decrypted at request-time for the logged-in user by our servers.

While we are not zero-access yet, we are building in that direction.

Data Isolation

Customer data is physically and logically separated, even when using Slapdash for Teams.