Almost 10 years ago now, we founded Tresorit because we had an alarming suspicion. A suspicion which, despite many naysayers, would soon prove all too true. Although the cloud was a promising innovation at the time, we could already foresee complications which would come hand in hand with the new technology. To put it simply, we started Tresorit because we knew that we could not trust mainstream services with our data, and that big tech’s data mining practices would have consequences for years to come.
Our main mission was to create a safe haven in the cloud for everyone. As engineers, we understand the ins and outs of other file sharing services, and how customers are expected to compromise their data security and privacy in exchange for convenient features. We wanted to change that; we wanted to put the individual and business back in control of their own data with a Zero Knowledge, end-to-end encrypted solution which is private by design.
But how could we ensure that our customers don’t struggle with the same feelings we did when we founded Tresorit? How could we prove that they can trust us with their most business-critical information, worth hundreds of millions of dollars? Until now, they’ve had to take our word for it and judge by their experience with the service. But not anymore.
Without further ado, we’re delighted to announce that Ernst and Young has concluded an independent security assessment of our service and verified our security architecture.
How come we went this route, you’re wondering? Read on for the full story.
There is a saying in information security that “trust is good, but validation is better.”
We’d been mulling over the right way to both be as transparent as possible and protect our technology, so that we can continue to give the best possible service to our users. First, we published a white paper with details of our security architecture and encryption standards. Following that, we still felt that we were neglecting a large segment of our user base who might not have the IT background to follow what it is we do and how. So what came next?
We wanted something universal and easy to grasp for everyone.
With ISO 27001 and TÜV already in place, validating us as a company, we wanted to take our transparency process to the next level and undergo an independent security evaluation. Something which would bring business decision makers, tech-savvy or not, peace of mind about our solution, leaving no doubt about our credibility. In other words: validation from a trusted source, and definitely someone with the capability to evaluate such complex encryption architecture. This is how we came to work with Ernst & Young (EY), the global leader in information technology and service, whose technical team was more than up to the job and came backed with a huge amount of experience in the cryptography field.
EY quickly understood our mission and what came next.
They offered us a three-stage evaluation procedure, each section focusing on a key aspect of our solution:
- Penetration testing: Measuring how secure Tresorit is and how difficult it is for external malicious parties to break into our service.
- Source code review: Looking into the core of Tresorit to see if the technology truly operates as it’s meant to without generating unnecessary risks.
- and finally, Market edge & Key differentiator review: Evaluating Tresorit’s cryptographic features to validate our security claims with solid evidence.
While these components are already something we constantly check and review, having it done by an objective third party is, of course, a different ballgame.
What EY has to say about their assessment of Tresorit.
Mihaly Zala, Cybersecurity, Technology Risk and Technology Consulting Leader at EY, summarizes their findings:
“We paid specific attention to Tresorit’s claim regarding end-to-end encryption and to identify potential security deficiencies during the security review. Our assessment concluded that Tresorit ensures high confidentiality by encrypting data on the client-side and in a way that Tresorit servers and employees never receive cleartext data or the encryption keys.”
As an organization which knows the importance of putting your trust (and information) in the right service, we are very excited to share EY’s assessment so that moving forward, no one will have to feel unsure about providing us with their confidential data. Taking this step as a company also demonstrates our continuous commitment to providing top of class data security and transparency. Given this peace of mind, our users and potential future customers can feel as confident as we do in our solution.