DekkoCORE
File Sharing & Collaboration
DekkoDEMS
Digital Evidence Management
Two products. One secure platform.
DekkoCORE and DekkoDEMS both feature:

  Web-based app with no installs

  End-to-end encrypted security

  No file size or type restrictions

  Easy account creation process

  Comprehensive sharing controls

Law Enforcement
Securely collect and share digital evidence across agencies with full chain-of-custody.
Defence Supply Chain
Protect classified designs and supplier data in a sovereign, fully encrypted workspace.
National Security
Enable secure inter-agency intelligence collaboration with controlled encrypted access.
Judiciary Departments
Exchange case files and evidence securely with clients and prosecutors without risk.
Professional Services
Collaborate on client documents and financial data securely on a trusted platform.
Healthcare
Share medical records and research securely across clinics and partners with compliance.

Not in this list? DekkoSecure is used anywhere sensitive data needs to be shared and controlled.


Zero-Knowledge Encryption That Blocks Vendor Access

DekkoSecure operates a zero-knowledge security model across both DekkoCORE and DekkoDEMS. This means that DekkoSecure as the platform provider has no technical ability to access, read, decrypt, or process any customer data. This is not a privacy policy or a contractual commitment. It is an architectural constraint enforced by cryptography. The system is designed so that the keys required to decrypt customer content exist only on the devices of authorised users. DekkoSecure's servers store encrypted data that is computationally indistinguishable from random noise without the corresponding decryption keys.

Definition

What is a Zero-Knowledge Cloud Platform?

The term "zero-knowledge" describes a system where the service provider has zero knowledge of the customer's data. In a zero-knowledge cloud storage and collaboration platform, the provider operates the infrastructure, manages availability, and delivers the application, but at no point does it have the ability to see what customers are storing, sharing, or communicating.

In a standard cloud platform, the provider encrypts data at rest and in transit, but the provider holds the encryption keys. This means the provider can decrypt and access customer data at any time. The encryption protects against external attackers, but it does not protect against the provider itself. The provider's employees can access the data. The provider's automated systems can scan, index, and process the data. If the provider's systems are breached, the attacker gains access to both the encrypted data and the keys needed to decrypt it.

A zero-knowledge architecture changes this fundamentally. The encryption keys are generated on the user's device and never leave the user's control. The provider receives only encrypted content. It has no key, no backdoor, and no mechanism to reverse the encryption. Even if the provider's servers are fully compromised, the attacker obtains only ciphertext that cannot be decrypted without keys that exist solely on user devices.

This is the distinction between trusting a provider's promise not to access your data and using a system where the provider is technically unable to access your data. Zero-knowledge eliminates the need for trust by replacing it with mathematical proof.

Architecture

How DekkoSecure's Zero-Knowledge Architecture Works

DekkoSecure's zero-knowledge model is enforced through client-side cryptography. Every encryption and decryption operation occurs in the user's browser before any data reaches DekkoSecure's servers, delivering browser-based end-to-end encryption.

01. Key generation

Key generation happens on the user's device. When a user creates a DekkoSecure account, an ECC-384 key pair (a public key and a private key) is generated locally in the user's browser. The private key is encrypted using a key derived from the user's password and stored in encrypted form. DekkoSecure never sees the private key in plaintext.

02. Content encryption

Content encryption happens on the user's device. When a user uploads a file, sends a message, initiates a video meeting, or signs a document, the content is encrypted with a unique AES-256 key generated locally. This content key is then encrypted with the recipient's ECC-384 public key. Both the encrypted content and the encrypted content key are uploaded to DekkoSecure's servers. The plaintext content never leaves the user's device.

03. Decryption

Decryption happens on the recipient's device. When a recipient accesses shared content, their browser downloads the encrypted data and the encrypted content key. The recipient's private key decrypts the content key, and the content key then decrypts the content itself. This entire process runs in the browser. DekkoSecure's servers are involved only as encrypted storage and transport.

04. Encryption at rest

Once encrypted content reaches DekkoSecure's servers, it remains encrypted in storage. The data at rest is protected by both the client-side AES-256 content encryption and the infrastructure-level encryption provided by the underlying hosting environment. Because DekkoSecure does not hold the content decryption keys, the data at rest is protected against both infrastructure-level breaches and provider-side access. Even if an attacker gains direct access to the storage layer, the data remains unreadable without the user-held keys.

05. Encryption at work

When users actively collaborate on the DekkoSecure platform, data remains encrypted on the server throughout the entire workflow. Previewing files, reading messages, joining video meetings, and signing documents all involve the same process: encrypted content is downloaded to the user's browser, decrypted locally, and rendered on screen. Any changes or new content are re-encrypted in the browser before being sent back to the server. At no point during active use does plaintext content exist on DekkoSecure's infrastructure. This means the zero-knowledge guarantee holds not only while data is stored, but also while it is being actively used across collaboration, evidence management, and disclosure workflows.

DekkoSecure's servers never hold decryption keys. At no point in this process does DekkoSecure's infrastructure possess or transmit a plaintext private key, a plaintext content key, or any unencrypted customer data. The platform's role is limited to storing and delivering encrypted blobs that it cannot interpret.
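
The key generation, content encryption and decryption steps above, sketched with the browser's WebCrypto API as an added example; this is not DekkoSecure's code. It assumes "ECC-384" means ECDH on NIST P-384, an ECIES-style wrap of the content key (ephemeral ECDH, HKDF-SHA-384, AES-GCM) and PBKDF2-SHA-256 for the password-derived key; all function names and sample values are hypothetical.

```javascript
// Added illustration, not DekkoSecure code. Assumed: "ECC-384" = ECDH on P-384, ECIES-style
// wrap (ephemeral ECDH + HKDF-SHA-384 + AES-GCM), PBKDF2-SHA-256 for the password key.
const wc = globalThis.crypto ?? require('node:crypto').webcrypto; // browser or Node
const { subtle } = wc;
const rand = (n) => wc.getRandomValues(new Uint8Array(n));
const enc = new TextEncoder();
const EC = { name: 'ECDH', namedCurve: 'P-384' };
const GCM = { name: 'AES-GCM', length: 256 };

// Step 01: key pair is generated on the device; the private key is stored only password-wrapped.
async function passwordKey(password, salt) {
  const base = await subtle.importKey('raw', enc.encode(password), 'PBKDF2', false, ['deriveKey']);
  return subtle.deriveKey({ name: 'PBKDF2', hash: 'SHA-256', salt, iterations: 600000 },
    base, GCM, false, ['wrapKey', 'unwrapKey']);
}
async function createAccount(password) {
  const pair = await subtle.generateKey(EC, true, ['deriveBits']);
  const salt = rand(16), iv = rand(12);
  const wrappedPrivate = await subtle.wrapKey('pkcs8', pair.privateKey,
    await passwordKey(password, salt), { name: 'AES-GCM', iv });
  const publicKey = await subtle.exportKey('raw', pair.publicKey);
  return { publicKey, wrappedPrivate, salt, iv }; // server-storable: no plaintext private key
}
async function unlock(account, password) {
  return subtle.unwrapKey('pkcs8', account.wrappedPrivate, await passwordKey(password, account.salt),
    { name: 'AES-GCM', iv: account.iv }, EC, false, ['deriveBits']);
}
// ECDH shared secret -> HKDF -> AES-256-GCM key used only to wrap or unwrap one content key.
async function wrappingKey(privateKey, peerPublicRaw, usage) {
  const peer = await subtle.importKey('raw', peerPublicRaw, EC, false, []);
  const secret = await subtle.deriveBits({ name: 'ECDH', public: peer }, privateKey, 384);
  const ikm = await subtle.importKey('raw', secret, 'HKDF', false, ['deriveKey']);
  const hkdf = { name: 'HKDF', hash: 'SHA-384', salt: new Uint8Array(0), info: enc.encode('content-key-wrap') };
  return subtle.deriveKey(hkdf, ikm, GCM, false, [usage]);
}
// Step 02: fresh AES-256 key per item, wrapped to the recipient's public key.
async function encryptFor(recipientPublicRaw, plaintext) {
  const contentKey = await subtle.generateKey(GCM, true, ['encrypt']);
  const iv = rand(12), wrapIv = rand(12);
  const ciphertext = await subtle.encrypt({ name: 'AES-GCM', iv }, contentKey, plaintext);
  const eph = await subtle.generateKey(EC, false, ['deriveBits']);
  const wrappedKey = await subtle.wrapKey('raw', contentKey,
    await wrappingKey(eph.privateKey, recipientPublicRaw, 'wrapKey'), { name: 'AES-GCM', iv: wrapIv });
  const ephPublic = await subtle.exportKey('raw', eph.publicKey);
  return { ephPublic, wrappedKey, wrapIv, iv, ciphertext }; // all the server ever receives
}
// Step 03: the recipient's browser unwraps the content key, then decrypts the content.
async function decryptWith(privateKey, blob) {
  const kek = await wrappingKey(privateKey, blob.ephPublic, 'unwrapKey');
  const contentKey = await subtle.unwrapKey('raw', blob.wrappedKey, kek,
    { name: 'AES-GCM', iv: blob.wrapIv }, GCM, false, ['decrypt']);
  return subtle.decrypt({ name: 'AES-GCM', iv: blob.iv }, contentKey, blob.ciphertext);
}
async function demo() { // constructed sample password and content
  const alice = await createAccount('constructed-sample-password');
  const blob = await encryptFor(alice.publicKey, enc.encode('constructed sample file'));
  const plain = await decryptWith(await unlock(alice, 'constructed-sample-password'), blob);
  return new TextDecoder().decode(plain);
}
```

In any browser-based design of this kind, these properties hold only for the code the browser actually executes, so the integrity of the delivered JavaScript is part of the trust boundary.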

Threat Model

What does the Zero-Knowledge Model Protect Against?

The value of zero-knowledge architecture becomes clear when you consider the specific threats it eliminates.

Provider-side data breaches

If an attacker compromises DekkoSecure's servers, they obtain encrypted data and encrypted keys. Without the user's private key (which is not stored on DekkoSecure's servers in any decryptable form), the encrypted data cannot be read. The breach yields nothing usable. Contrast this with a standard cloud platform breach, where the attacker gains access to both encrypted data and the provider-held keys needed to decrypt it.

Insider threats at the provider

In a conventional cloud platform, privileged employees (system administrators, database operators, support engineers) can technically access customer data. Zero-knowledge removes this risk entirely. DekkoSecure employees cannot access customer content because the platform does not possess decryption keys. This is not enforced by access controls or policy. It is enforced by the absence of the required cryptographic material.

Compelled disclosure

Governments and law enforcement agencies can serve legal orders on cloud providers demanding access to customer data. In a standard model, the provider can comply because it holds the keys. In DekkoSecure's zero-knowledge model, the provider cannot comply in any meaningful way. DekkoSecure can produce encrypted data in response to a legal order, but it cannot decrypt that data. The decryption keys exist only on the customer's devices. This is a critical consideration for organizations handling legally privileged, classified, or diplomatically sensitive information.

Supply-chain compromise

If an attacker compromises the underlying cloud infrastructure, they encounter only encrypted data with no corresponding keys. The zero-knowledge model extends the protection boundary beyond DekkoSecure's own systems to include the infrastructure providers that host them.

Metadata-based intelligence gathering

DekkoSecure extends its zero-knowledge model to metadata that most platforms leave exposed. File names, message subjects, and meeting topics are all encrypted. An adversary with server access cannot determine what files an organization is sharing, what subjects they are discussing, or what meetings they are conducting, even without decrypting the content itself.

Comparison

How does Zero-Knowledge Differ From Standard Cloud Encryption?

The following comparison illustrates the practical difference between DekkoSecure's zero-knowledge model and the encryption used by standard enterprise cloud platforms.

| Capability | Standard cloud encryption | DekkoSecure zero-knowledge |
| --- | --- | --- |
| Data encrypted in transit | Yes | Yes |
| Data encrypted at rest | Yes | Yes |
| Provider holds decryption keys | Yes | No |
| Provider can access customer data | Yes | No |
| Provider can comply with data disclosure orders | Yes, produces plaintext | Can only produce ciphertext |
| Provider employees can view customer content | Technically possible | Technically impossible |
| Server breach exposes customer data | Yes, if keys are also compromised | No, keys exist only on user devices |
| Metadata (file names, subjects) protected from provider | Rarely | Yes |
| Encryption requires user configuration | Often optional or partial | Automatic on all content |

Platforms such as Microsoft SharePoint, Google Workspace, Dropbox Business, and Box use server-side encryption where the provider retains the keys. They protect data from external network attackers, but they do not protect data from the provider itself or from anyone who compromises the provider's key management systems.

Some of these platforms offer optional client-side encryption features (such as Google Workspace Client-Side Encryption or Microsoft Purview Double Key Encryption), but these are add-on configurations that must be explicitly enabled, often carry feature restrictions, and do not apply to all content types by default. DekkoSecure's zero-knowledge model applies to all content, all the time, with no configuration required.

Clarification

Why Zero-Knowledge and Zero Trust Are Complementary and Not Interchangeable

These two terms are frequently confused. You may see this framed as zero-knowledge vs zero-trust, but they address different problems and operate at different layers of the security architecture.

Access Control Framework
Zero Trust

Zero Trust is an access control framework. It operates on the principle that no user, device, or network segment should be trusted by default. Every access request must be authenticated, authorized, and continuously validated. Zero Trust governs who can access what, when, and under what conditions. It is defined in frameworks like NIST SP 800-207 and is increasingly mandated across government IT environments.

Data Protection Model
Zero-Knowledge

Zero-knowledge is a data protection model. It ensures that even authorized infrastructure operators (the platform provider, the cloud host, the database administrator) cannot read the data they are handling. Zero-knowledge governs what the system itself can see, regardless of who is accessing it.

DekkoSecure implements both. The platform enforces Zero Trust principles through continuous authentication, SSO integration, granular Hub-based permissions, and role-based access controls. Simultaneously, it enforces zero-knowledge through client-side encryption that prevents DekkoSecure itself from accessing the data that those access controls protect.

This combination is significant because Zero Trust alone does not protect against a compromised provider. If the platform provider can decrypt the data, then an attacker who compromises the provider's administrative access bypasses every Zero Trust control in place. Zero-knowledge closes this gap by ensuring that even full administrative access to the provider's infrastructure yields nothing readable.

Enterprise Scale

Why Most Platforms That Claim Zero-Knowledge Do Not Deliver It at Enterprise Scale

Several cloud storage and file sharing platforms market zero-knowledge encryption. The practical limitations of most implementations create gaps that matter for government, defense, and regulated-industry buyers.

Scope limitations

Many zero-knowledge platforms encrypt file contents but not file names, folder structures, or sharing metadata. Others apply zero-knowledge to storage but not to messaging, video conferencing, or eSignature workflows. DekkoSecure applies zero-knowledge across every content type on the platform, including file names, message subjects, meeting topics, signed documents, and associated metadata.

Feature trade-offs

A common criticism of zero-knowledge architecture is that it limits platform functionality. Because the provider cannot read the data, features like server-side search, content indexing, real-time co-editing, and automated content scanning are either unavailable or must be re-engineered to work client-side. Some providers compromise by decrypting data on the server for certain features, which breaks the zero-knowledge guarantee. DekkoSecure maintains its zero-knowledge model across all features without compromise. Where functionality requires processing content, it happens in the user's browser, not on the server.

No enterprise governance

Consumer-oriented zero-knowledge platforms (such as Tresorit, Proton Drive, NordLocker, and Sync.com) provide strong encryption for individual users and small teams. However, they typically lack the governance, compliance, and operational controls required by government and high-assurance enterprise environments. These include IRAP PROTECTED assessment, CJIS Security Policy alignment, sovereign hosting in multiple jurisdictions, structured collaboration spaces with role-based permissions, immutable audit logging for chain-of-custody verification, and integration with enterprise identity providers through SSO.

Account recovery design

A genuine zero-knowledge system creates a challenge for account recovery: if the provider cannot access the user's keys, the provider cannot reset a lost password and restore access to encrypted data. Some platforms solve this by retaining a recovery key on the server, which undermines the zero-knowledge guarantee. DekkoSecure addresses this through its key management design without reintroducing provider-side key access. Organizations retain control through administrator-managed recovery mechanisms that do not require DekkoSecure to hold decryption keys.

DekkoSecure combines zero-knowledge data protection with the full operational control layer that government and regulated-industry organizations require. The zero-knowledge model does not come at the expense of enterprise governance. Both coexist in the same architecture.

Compliance

How Zero-Knowledge Architecture Supports Compliance Requirements

DekkoSecure's zero-knowledge model directly addresses requirements within several regulatory and compliance frameworks.

IRAP PROTECTED (Australia)

The Australian Government ISM requires that classified information be protected from unauthorized access, including by service providers handling the data. DekkoSecure's zero-knowledge architecture ensures that even the platform operator cannot access PROTECTED-level content, satisfying the principle that information remains accessible only to personnel with the appropriate clearance and need-to-know.


CJIS Security Policy (United States)

The CJIS Security Policy requires that criminal justice information be protected from unauthorized access at every point, including during storage by cloud service providers. Zero-knowledge architecture ensures that DekkoSecure as the vendor cannot access CJI, which aligns with the policy's intent to maintain law enforcement control over sensitive justice data.

HIPAA (United States)

The HIPAA Security Rule requires covered entities to implement safeguards that protect electronic Protected Health Information (ePHI) from unauthorized access. Zero-knowledge architecture ensures that ePHI stored on or transmitted through DekkoSecure remains inaccessible to the platform operator, reducing the number of parties with potential access to protected health information and strengthening the organization's compliance posture.


GDPR (European Union)

GDPR Article 25 requires data protection by design and by default. Zero-knowledge architecture is one of the strongest possible implementations of this principle. Personal data processed through DekkoSecure is encrypted before it reaches the platform, and the platform has no ability to access it. This also has implications for breach notification under Article 33: because DekkoSecure cannot access the data, a platform-level breach would not constitute a breach of personal data in a readable form.

Products

Zero-Knowledge Applied Across DekkoCORE and DekkoDEMS

DekkoSecure's zero-knowledge model is not limited to a single product or feature set. It is the architectural foundation of both platforms.

DekkoCORE

DekkoCORE applies zero-knowledge across encrypted file sharing Hubs, secure messaging, eSignatures, and video conferencing. Organizations use DekkoCORE for cross-agency collaboration, defense supply chain workflows, and secure external partner engagement. The zero-knowledge model ensures that sensitive collaboration content remains invisible to DekkoSecure throughout its lifecycle. DekkoCORE is hosted in sovereign environments in Australia, the United States, Canada, and Switzerland.

DekkoDEMS

DekkoDEMS applies zero-knowledge across digital evidence ingestion, case-based workflows, chain-of-custody management, and prosecutor disclosure. Law enforcement agencies and justice-sector organizations use DekkoDEMS to manage body-worn camera footage, forensic files, interview recordings, and case documentation. The zero-knowledge model ensures that evidentiary material remains inaccessible to DekkoSecure while still supporting the audit and chain-of-custody requirements of judicial proceedings. DekkoDEMS is exclusively hosted in a sovereign environment in the United States.

In both products, the zero-knowledge guarantee is unconditional. It applies to every file, every message, every meeting, and every signature. It does not vary by subscription tier, deployment option, or content type.

Contact DekkoSecure

To discuss how DekkoSecure supports your organisation's compliance with the Australian Privacy Principles, contact the team.