In simple terms, we developed a proprietary “wrapper” system using patented multi-key encryption technology. Our .SAFE (“dot-safe”) technology uses multiple encryption tiers:
- Protects and encrypts data content, either individual files or groups of files.
- Creates and applies policy and rulesets embedded into the “wrapper” of the data with more encryption – encompassing both the data and its encryption keys.
- Encrypts the policy sets, making the data accessible only under the right conditions of geo-location, identity of recipients, specified devices or services or platforms, time/day access embargoes, digital rights management, and any additional policies the owner applies.
We embed and wrap the data in multiple independent encryption layers and maintain the security and access modeling on multiple layers. No single layer can be compromised without triggering protection mechanisms in the surrounding layers. No single key can access the data unless all parameters are satisfied. If the owner chooses to change access permissions or revoke access completely from the recipient(s) at any time or wherever the data is stored, the owner simply revokes access using their originator key, making the wrapper inaccessible and locked, or even instructing a self-delete if desired.
Our architecture is designed around an API-powered solution for working with intelligent data. The APIs are designed to be easily incorporated into any software, firmware or platform, so any system can create and interoperate with intelligent data.
Our wrapper technology is based on our patented multi-key system which is designed so that no single key can allow access to the data. The layered key access model provides a systematic approach for data to evaluate its safety and situation:
- The data is now capable of geo-sensing and geo-fencing. This means that if the data is outside its approved location policies, it will not allow any further interaction and will delete itself. In effect, this makes data exfiltration practically and functionally obsolete.
- Using industry-standard encryption controls, if the data assesses its location and finds it within what its owner has granted, it then confirms whether the recipient’s rights have been revoked or changed.
- Using these same encryption controls, if the recipient is still allowed access, the data unlocks its policy models and systematically processes all of its rulesets to determine what it should do given its current situational status.
- Finally, only when all other checkpoints are passed will it use another content key to allow access to the data.
Our service allows for policy checking, logging and event forensics, and data revocation controls. This service is designed and implemented in AWS Lambda API and other constructs which allow .SAFE-enabled data to check its controls and permissions from anywhere. Also, by using this model, the service is “serverless” and provides no opportunity for the service to be attacked by an external party.
If the data happens to be without connectivity, the default policy setting for the data is to “default safe and closed.” That policy can be modified by its owner to allow for “allowance time windows” or “conditional allowance.” For example, the owner can state “if the data checked itself in the last three hours, open,” or “if the data has no Internet connectivity, allow it to open on my own laptop, but not on my phone, and only at my home or office locations.”
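The checkpoint order and the offline defaults described above can be sketched as a fail-closed decision function. This is an added illustration, not .SAFE code: the `Policy` and `Context` structures, field names, and sample values are hypothetical, and no encryption is performed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class Policy:  # hypothetical structure, not the .SAFE format
    allowed_regions: frozenset
    rules: list = field(default_factory=list)   # (name, predicate(ctx)) pairs
    offline_window: Optional[timedelta] = None  # None = "default safe and closed"
    offline_devices: frozenset = frozenset()    # devices allowed to open offline

@dataclass
class Context:
    region: str
    device: str
    now: datetime
    online: bool
    revoked: Optional[bool] = None         # service answer; None if unknown
    last_check: Optional[datetime] = None  # last successful online check

def evaluate(policy: Policy, ctx: Context) -> tuple:
    """Run the checkpoints in order; return (decision, reason)."""
    # 1. Location comes first; a violation ends all interaction.
    if ctx.region not in policy.allowed_regions:
        return ("delete", "outside approved location")
    # 2. Revocation. Anything other than a definite "not revoked" denies.
    if ctx.online:
        if ctx.revoked is not False:
            return ("deny", "revoked or status unknown")
    else:
        if policy.offline_window is None:
            return ("deny", "offline, default closed")
        if ctx.last_check is None or ctx.now - ctx.last_check > policy.offline_window:
            return ("deny", "offline allowance window expired")
        if ctx.device not in policy.offline_devices:
            return ("deny", "device not allowed offline")
    # 3. Remaining owner rulesets; the first failure denies.
    for name, predicate in policy.rules:
        if not predicate(ctx):
            return ("deny", f"rule failed: {name}")
    # 4. Only now would the content key be used.
    return ("open", "all checkpoints passed")

# Constructed sample: three-hour window, laptop-only offline, weekday embargo.
NOW = datetime(2024, 1, 10, 12, 0)  # a Wednesday
POLICY = Policy(frozenset({"home", "office"}),
                [("weekday only", lambda c: c.now.weekday() < 5)],
                timedelta(hours=3), frozenset({"laptop"}))
```

Every branch that cannot positively confirm a condition returns a denial, so an unreachable service or a missing timestamp never results in an open decision.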