Our guarantees for protecting your data: what's next after joining Swiss Post

Our guarantees for protecting your data: what's next after joining Swiss Post

Following our recent announcement about Swiss Post acquiring the majority of Tresorit’s shares, we want to address some of the frequently asked questions.

As we have highlighted, our commitment towards protecting our customers’ data and our values regarding privacy remain unchanged and are still the guiding principles for all our business decisions and our product development roadmap. Tresorit continues to provide the highest level of protection for all our users’ data, including individual and business customers. In this blogpost, we sum up the technology, regulatory and legal guarantees for this.

1) Technology guarantees

  • User files are protected with end-to-end encryption. In other words, except for the sender and the recipient, no third party can access their contents. As we have always argued, we could even store the files on CIA servers and they wouldn't be able to read them. Our end-to-end encryption guarantees that the entire encryption process happens on the client-side and encryption keys are stored locally, which means that we can never access the content of our users’ files – this means that we will never be able to hand them over to any third parties either.
  • We continue to perform regular security audits to maintain trust in the integrity of our encryption and security protocols. We are against encryption backdoors and intrusive mass surveillance and are worried to see that some EU countries are taking steps towards legislating for the large-scale use of government hacking techniques. However, we are confident that having Swiss Post as our majority shareholder does not have any impact on how we are subject to these techniques. We have carried out and plan to perform further independent audits to show that the security of our product and code is 100% aligned with our promises and the highest security standards. The results of our ongoing security audit will be published in autumn 2021.
  • Besides end-to-end encryption, we develop Tresorit further with data security and privacy in mind. These core values guide how we build our product, what features we include and how we solve technology challenges and problems – this will remain the same.

2) Regulatory guarantees

  • The regulatory framework doesn’t change. While we don’t have access to e2e-encrypted user files, we do have to access some user data in order to provide a service (such as payment data, addresses, some personal and business data like email addresses). How we treat this customer data is outlined transparently in our privacy policy and terms and conditions and is governed by strict international and national data protection regulations such as the GDPR, and the Swiss data protection laws.  This regulatory framework remains unchanged and will continue to guarantee the strongest protection for user data. Regardless of the change in our ownership, we continue to stay responsible for adhering to all data protection commitments we state in our privacy policy.
  • Transparency reports. In case of a criminal investigation, we do have to provide user data in accordance with the applying international laws – these also remain the same. We publish regular transparency reports about how we handle these requests and how many of them we receive, and we will continue to do so.
  • Our organization will keep its independence. As Tresorit will continue to operate as a separate legal entity (of which the majority shareholder is Swiss Post), we remain an independent organization and the sole primary data processor of all user data. The change in Tresorit’s ownership has no impact on how we handle our users’ data. As we remain a separate legal entity, our contracts, privacy policy and terms and conditions remain unchanged, providing users and customers with the security and data protection standards Tresorit is known for. On an organizational level, our independence means that Tresorit keeps its current organizational units, remains responsible for product development, cryptography engineering, as well as marketing and sales operations, and will be the sole interface for customer communications.
  • Tresorit’s founders remain minority shareholders and keep their management roles. While Swiss Post has become a majority shareholder, our founders stay minority shareholders and keep their management positions and responsibilities as well. This means continuity on the highest level of decision-making, too. As our founders will continue to shape Tresorit’s strategy and be responsible for operations, they act as a guarantee for living up to our values and promises regarding data security and privacy.

In addition to all these guarantees, we continue to speak up for strong encryption and privacy rights as we have always done. We believe that a strong partner like Swiss Post will also help us amplify our voice in this discussion.

If you have further questions, please contact our Customer Support team.