End-to-End Encrypted Collaboration Across Every Content Type
DekkoSecure applies end-to-end encryption to every piece of content that passes through the platform. Files, messages, eSignatures, and video meetings are all encrypted on the user's device before they are uploaded. Decryption only occurs on the device of an authorised recipient. At no point during transit or storage does any content exist in a readable form on DekkoSecure's servers, the underlying cloud infrastructure, or any intermediary system. This applies equally to DekkoCORE, the secure collaboration platform, and DekkoDEMS, the digital evidence management and sharing system.
What End-to-End Encryption Means in Practice
When data is shared, it passes through several stages, and each stage has its own encryption story. Understanding where encryption applies, and crucially who holds the keys, is what separates genuine confidentiality from the appearance of it.
Most cloud platforms encrypt data in transit, meaning the data is protected as it moves from the sender to the server and onward to the recipient. They also encrypt data at rest, meaning the data is protected while sitting on the storage disk. These are baseline protections. They stop external attackers from intercepting shared content while it travels, and they stop anyone from reading raw disk contents if they gain access to the storage hardware. What they do not do is prevent the platform provider itself from accessing the data. The provider holds the encryption keys, which means the provider can decrypt, read, index, and process shared content at any point.
A third stage, encryption in use (sometimes called confidential computing), protects data while it is being actively worked on. This stage is easy to overlook, but it is where a great deal of exposure happens. The moment someone edits a document, watches a video, views an image, or otherwise interacts with shared content, that content typically has to be decrypted so it can be processed. If it is not encrypted in use, it sits in the clear on the server during exactly these moments, and the provider can see it. In other words, the act of working with the data is itself a point of exposure unless protection extends to that stage. Encryption in use remains rare in commercial platforms, and even where it exists, it does not resolve the underlying problem: so long as the provider manages the encryption keys, all three stages of protection sit under the provider's control rather than the control of the people sharing the data.
End-to-end encryption changes this by encrypting data across every stage of its journey under keys the provider never holds. Content is encrypted on the sender's device before it leaves. It stays encrypted in transit, and it stays encrypted at rest on the server. Decryption happens only on the recipient's device, after the encrypted content has been retrieved, which means the data is worked on only where it is already under the user's control rather than on the provider's servers. At no stage does the provider hold a decryption key, and at no stage does the provider have a technical means of reading the shared content. This is the practical difference between end-to-end encryption and server-side encryption: the protection follows the data through its entire lifecycle, rather than being applied and removed by the provider at each handoff.
End-to-end encryption alone, however, is not enough to guarantee that a provider cannot reach the data. The strength of the guarantee depends entirely on how the encryption keys are generated, stored, and managed. If a provider generates keys on behalf of its users, keeps private keys on its own infrastructure, or can reset keys without the user's consent, then it retains a technical pathway to the shared data no matter how the encryption is marketed. True end-to-end encryption requires transparent key management: keys must be generated on the user's own device, private keys must never leave the user's control, and the provider must have no mechanism, technical or administrative, to access or recover them. Independently auditable implementations and open cryptographic specifications are the benchmark against which these claims can be verified.
This distinction matters for any organization sharing sensitive, classified, or legally privileged information. If the provider can reach the data at any stage, that data is exposed to insider threats, to law enforcement demands directed at the provider, and to any breach of the provider's own systems. End-to-end encryption, implemented with verifiable key management, protects shared data at every stage of its journey and removes the provider from the threat model entirely.
For a deeper look at how end-to-end encryption eliminates the trade-off between security and collaboration, including real-world breach case studies, read our blog post End-to-End Encryption for Secure File Sharing.
How DekkoSecure Implements End-to-End Encryption
DekkoSecure uses two cryptographic standards working together to protect all content on the platform.
AES-256
AES-256 symmetric encryption is used to encrypt the content itself. Every file, message, and meeting session is encrypted with a unique AES-256 key generated on the user's device. AES-256 is the same encryption standard used by governments and defense organizations worldwide to protect classified material. It is approved for use at the TOP SECRET level by the United States National Security Agency and recognized as an ISM-compliant algorithm by the Australian Signals Directorate.
ECC-384
ECC-384 asymmetric encryption is used to protect the key exchange. Each user has a unique ECC-384 key pair generated on their device. When a file or message is shared, the AES-256 content key is encrypted with the recipient's ECC-384 public key. Only the recipient's private key, which never leaves their device, can decrypt the content key. ECC-384 provides equivalent strength to RSA-7680 while using significantly shorter key lengths, which reduces computational overhead without compromising security.
SHA-384
SHA-384 hashing is used for digital signing operations, ensuring content integrity and non-repudiation across file transfers and eSignature workflows.
The result is a minimum of three distinct encryption layers protecting every piece of content at all times. No single point of failure can expose customer data.
What Gets Encrypted on the DekkoSecure Platform
A critical differentiator in DekkoSecure's approach is the scope of encryption. Many platforms that claim end-to-end encryption apply it selectively, often only to file contents while leaving file names, metadata, message subjects, and other contextual information unprotected. DekkoSecure encrypts all of it.
Files
File contents and file names are encrypted before upload. There are no file size limits and no file type restrictions. A 50 MB PDF and a 50 GB video file receive identical encryption treatment.
Messages
Message subjects and message bodies are both encrypted. The size of messages is also obscured. DekkoSecure cannot read, index, or scan any message content.
eSignatures
Signature workflows, signed documents, and signing metadata are encrypted end-to-end. The platform cannot view or extract signature content.
Video conferencing
Meeting topics, media streams, and meeting notes are all encrypted. DekkoSecure cannot monitor, record, or access the content of any video conference.
Metadata protection
Unlike most platforms, DekkoSecure encrypts contextual metadata that would typically be exposed. File names, message subjects, and meeting topics are not visible to DekkoSecure or to any cloud infrastructure provider. This prevents metadata-based profiling and reduces the attack surface for intelligence-gathering techniques that exploit unencrypted metadata.
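The per-file AES-256 content key, its protection under the recipient's ECC-384 public key, and the file-name encryption described above, shown as an added example that is not DekkoSecure's code. The page does not say how the content key is encrypted under the public key, so this example assumes an ECIES-style construction (ephemeral ECDH on P-384, HKDF-SHA384, AES-256-GCM); the function names, labels and sample file are constructed for illustration.

```javascript
// Added example, not DekkoSecure's code. Assumed construction: ephemeral ECDH on
// P-384 + HKDF-SHA384 derives a key that wraps the per-file AES-256-GCM content key.
const crypto = require('crypto');

// AES-256-GCM; output layout is iv(12) || tag(16) || ciphertext.
function seal(key, plaintext, aad) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  c.setAAD(aad);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), ct]);
}
function open(key, blob, aad) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  d.setAAD(aad);
  d.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]); // throws if tampered
}
// Key-wrapping key derived from the ECDH shared secret.
function wrapKey(ecdh, peerPub) {
  const secret = ecdh.computeSecret(peerPub);
  return Buffer.from(crypto.hkdfSync('sha384', secret, Buffer.alloc(0), 'content-key-wrap', 32));
}
// Sender's device: everything returned here is what a server would store.
function encryptFor(recipientPub, fileName, content) {
  const contentKey = crypto.randomBytes(32); // unique per file
  const eph = crypto.createECDH('secp384r1');
  const ephPub = eph.generateKeys();
  return {
    ephPub,
    wrappedKey: seal(wrapKey(eph, recipientPub), contentKey, ephPub),
    name: seal(contentKey, Buffer.from(fileName), Buffer.from('name')),
    body: seal(contentKey, content, Buffer.from('body')),
  };
}
// Recipient's device: the private key inside recipientEcdh never leaves it.
function decryptWith(recipientEcdh, env) {
  const contentKey = open(wrapKey(recipientEcdh, env.ephPub), env.wrappedKey, env.ephPub);
  return {
    fileName: open(contentKey, env.name, Buffer.from('name')).toString(),
    content: open(contentKey, env.body, Buffer.from('body')),
  };
}
// Constructed sample input.
const recipient = crypto.createECDH('secp384r1');
const recipientPub = recipient.generateKeys();
const envelope = encryptFor(recipientPub, 'brief.pdf', Buffer.from('constructed sample content'));
console.log(decryptWith(recipient, envelope).fileName); // prints "brief.pdf"
```

The stored envelope holds only the ephemeral public key and three AES-GCM blobs, so a party without the recipient's private key sees neither the file name nor the content, and decryption with any other key fails the GCM tag check.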
Why DekkoSecure's Encryption Differs From Other Secure File Sharing Platforms
The enterprise file sharing and collaboration market includes many platforms that reference encryption in their marketing. The practical differences are significant.
Server-side encryption is not end-to-end encryption
Platforms like Microsoft SharePoint, Google Workspace, Dropbox Business, and Box encrypt data at rest on their servers and in transit between the user and the server. However, the provider holds the keys. The provider can in theory decrypt and access all customer content. This means customer data is potentially exposed to provider-side breaches, insider threats, and compelled disclosure through legal processes served on the provider. DekkoSecure's architecture eliminates this risk because the provider never holds a decryption key.
Selective encryption is not comprehensive encryption
Some platforms encrypt file contents but leave file names, message subjects, folder structures, or metadata unencrypted. This creates an information leakage vector even when the file body is protected. An adversary who can see that an agency uploaded a file named "Operation_Trident_Phase2_Brief.pdf" has gained actionable intelligence without ever decrypting the file itself. DekkoSecure encrypts file names, message subjects, meeting topics, and content metadata.
Bolt-on encryption is not encryption by design
Several enterprise platforms offer end-to-end encryption as an optional feature, an add-on module, or a premium tier. This means the default configuration leaves data accessible to the provider. Organizations that forget to enable the feature, misconfigure it, or use features that bypass it are exposed. DekkoSecure enforces encryption on all content by default. There is no unencrypted mode. There is no configuration required. Every file, message, signature, and meeting is encrypted automatically from the moment the platform is used.
Consumer-grade E2EE platforms lack enterprise controls
Tools like Tresorit and Proton Drive offer strong end-to-end encryption but are designed primarily for individual users or small teams. They lack the enterprise-grade controls required by government and regulated industries: IRAP PROTECTED assessment, CJIS alignment, sovereign hosting across multiple jurisdictions, role-based access within structured collaboration spaces (Hubs), and immutable audit logging for chain-of-custody and compliance verification. DekkoSecure combines zero-knowledge end-to-end encryption with the operational controls that government, defense, law enforcement, and justice-sector organizations require.
End-to-End Encryption Combined with Zero-Knowledge Architecture
DekkoSecure's end-to-end encryption operates within a zero-knowledge architecture. This means that DekkoSecure as the service provider has no technical ability to access, view, or process customer data in any form. The platform does not hold encryption keys, does not have backdoor access, and cannot decrypt content even if compelled by a court order directed at DekkoSecure itself.
This is not a policy decision. It is an architectural constraint. The system is designed so that the encryption keys required to decrypt content exist only on the devices of authorized users. DekkoSecure's servers store encrypted data that is computationally indistinguishable from random noise without the corresponding decryption keys.
For organizations operating in environments where insider threat, supply-chain compromise, or compelled disclosure represent real risks, this architecture provides a fundamentally different security posture than platforms where the provider retains access.
Learn more: Zero-Knowledge Security Model
How End-to-End Encryption Supports Regulatory Compliance
DekkoSecure's encryption model directly supports the technical requirements of multiple regulatory and compliance frameworks.
IRAP PROTECTED (Australia)
The Australian Government Information Security Manual (ISM) mandates specific cryptographic controls for systems handling PROTECTED-level information. DekkoSecure's use of AES-256 and ECC-384 aligns with ISM cryptographic requirements, and the platform has been independently assessed at the PROTECTED level by an ASD-endorsed IRAP assessor.
Learn more about DekkoSecure's IRAP assessment
HIPAA (United States)
The HIPAA Security Rule requires covered entities to implement encryption to protect electronic protected health information (ePHI). DekkoSecure's end-to-end encryption satisfies the addressable encryption specification under the technical safeguards of the Security Rule.
Learn more about HIPAA compliance
CJIS Security Policy (United States)
The FBI Criminal Justice Information Services Security Policy requires FIPS 140-validated encryption for criminal justice information. DekkoSecure uses FIPS 140-validated cryptographic modules to meet this requirement.
GDPR (European Union)
Article 32 of the GDPR requires appropriate technical measures to protect personal data. Article 25 requires data protection by design and by default. DekkoSecure's zero-knowledge end-to-end encryption implements both requirements at the architectural level.
GO-ITS / ITSG-33 (Canada)
DekkoSecure meets Ontario GO-ITS 25.21 requirements and follows ITSG-33 security controls for Canadian public-sector environments.
End-to-End Encryption Across DekkoCORE and DekkoDEMS
DekkoSecure operates two products on a shared security architecture. Both apply identical end-to-end encryption protections.
DekkoCORE
DekkoCORE is DekkoSecure's secure file sharing and collaboration platform. It provides secure Hubs for structured collaboration, secure messaging, eSignatures, and video conferencing. DekkoCORE is hosted in sovereign environments in Australia, the United States, Canada, and Switzerland.
DekkoDEMS
DekkoDEMS is DekkoSecure's digital evidence management system. It provides encrypted evidence ingestion, sharing across the justice ecosystem, chain-of-custody tracking, and prosecutor disclosure. DekkoDEMS is hosted exclusively in the United States to align with justice-sector requirements for evidence handling.
Both products encrypt all content on the user's device before upload. Both enforce zero-knowledge architecture. Both produce immutable audit trails. The encryption model is not a feature that varies between product tiers or deployment options. It is the foundation of every interaction on both platforms.
Contact DekkoSecure
To discuss how DekkoSecure supports your organisation's compliance with the Australian Privacy Principles, contact the team.











