Why can’t Docyt employees see my data?

Every Docyt user gets a Secure Key (RSA-2048 bit private key) which is generated for you when your account is created. This secure key is encrypted further using a special type of key which is generated by combining:

1. User’s PIN: This is known only to the user.
2. A split knowledge, dual-control key: This is known to our servers and no one else. This special key is split into two components, each of which is stored in a different secured location and managed by a different Docyt employee. Any time our servers restart, both parts of this key must be manually entered by both employees – much like a nuclear launch panel. These two components are securely combined in memory when Docyt servers start and are not saved to disk. If server loses power, this key is wiped out from memory.

Having such a setup for saving secure keys ensures that not even Docyt employees can look in to your private data. This is also why it is extremely important to protect your account PIN, and never share it with any one.

How is my data really encrypted?

When you sign in to Docyt from your authenticated device, your PIN and the dual-control key is used by Docyt servers to decrypt and retrieve your unique Secure Key. We then use this Secure Key as a password for the AES-256 bit encryption that encrypts every document or data that you upload. Even the sensitive fields for documents (for e.g. SSN, account numbers) are encrypted using the same mechanism as the document files. Hence all data that sits in our disks is encrypted, and can only be decrypted by your device. In the extreme case of physical theft of our disks, all such encrypted data on them will be useless.

The RSA-2048 bit and AES-256 bit encryption algorithms are widely accepted as the highest level of encryption algorithms for bank and military grade security. Any time your secure keys or PIN are in transit, between our servers or between your phone/browser and our servers, the communication is encrypted using HTTPS+TLC.

How does sharing with another Docyt user work?

When you share a document with another Docyt user, Docyt gives this other user’s Secure Key an access to this document. When you revoke their access, we revoke their Secure Key’s access to your document.

It is important to note that these protections do not extend if you email a document or export the document out of Docyt to other applications.

What happens if I forget my PIN?

We save your Secure Key in your iPhone’s iCloud Keychain. This is a rock solid secure framework built by Apple to secure your passwords and other sensitive information. When you provide your PIN to sign in to Docyt, you are essentially opening the lock on iCloud Keychain. If you forget your account PIN, and click on the “Forgot PIN” link, we ask your phone number and send a secret code via text message to the primary phone number connected with your account. Upon providing this secret code, we let you set your new PIN, which unlocks iCloud Keychain and retrieves your Secure Key. We then encrypt this Secure Key with your new PIN.

Read about how Apple iCloud Keychain works

Can someone steal my phone and access my data?

If your phone is stolen, then to access your data someone needs to first be able to get past your phone PIN screen, as well as your Docyt PIN. We recommend enabling and setting up your fingerprint on your phone for extra level of security. With fingerprint enabled, Docyt will ask for your fingerprint before displaying any information about your extra sensitive documents (like SSN, Account Numbers, Tax Documents etc.).

We highly recommend that all Docyt users keep their phones locked with a strong password/PIN and enable the manufacturer provided fingerprint based authentication.

I lost my phone. How do I get my data back?

Your Docyt account is strongly tied to your primary phone number, which you used to create your account. This primary phone number is where we send a secret 2-Factor authentication code by text message, any time we detect a major change in your account, or if you are requesting a reset of your Docyt PIN. If you lose access to this primary phone, the only way to continue with Docyt will be to talk to your telecom service provider and regain control of your primary phone number. After you regain your old phone number, you can use a new phone device, install Docyt on it, and provide your Docyt PIN during sign-in. At this point, if you have forgotten your PIN, your data can not be loaded on your new phone, and is lost forever. If you correctly provide your PIN, and enter the secret code sent on your primary phone number, Docyt app will re-download all your data back.

We do allow you to add your account on multiple devices, but the primary phone number is where we always send the 2-Factor authentication code. We highly recommend not to use Docyt with phone numbers that you may lose access to.

You should also always enable TouchID for your phone, for additional security.

What if some one hacks my phone number through my cell-phone carrier?

You are still protected with Docyt, as long as your PIN is not compromised. In order for someone to access your account data using the hacked phone number, they still need a phone device containing a copy of your Secure Key. This Secure Key is downloaded from our servers to a new phone device, only when a correct PIN decrypts the encryption on our server. Without the PIN, the hacker can’t look at your data.

If you lose access to your phone number, we recommend that you try to recover your old phone number by working with your cell-phone carrier. Once recovered, update your PIN immediately.