From the moment you sign up, your data is protected with bank/military grade encryption. We encrypt data at rest, on the disk, between browser/phone and our servers, between our servers and partner services, and all communications between our servers.
Docyt has default 2-factor authentication. Every time a change is detected, or an important document is shared, we send a text message with an authorization code on your primary phone. Any unusual activity is also immediately reported on your verified email.
It is intentional that Docyt is not available on devices with poor or non-existent fingerprint based sign-in. Fingerprint based sign-in not only fastens the process, but also secures your pin from prying eyes. We have additional security features coming in soon that utilize fingerprint authentication.
Your account and data is locked to your primary phone, and any other authenticated phones you add. The data on the cloud can only be decrypted by your device. Combined with your PIN, authenticated device, and fingerprint based encryption keys, it is next to impossible to steal your data.
Whenever available, we use the highest protocols and frameworks for cloud services authentication. These standards offer higher levels of protection, when your data is being transferred from one cloud service to another. We actively check for updates to these protocols.
Docyt performs comprehensive tests spanning many aspects of how different systems interact. These tests are the gold standard of online information exchange security. These same rigorous standards are used by PayPal, Visa and online banking services.
Every Docyt user gets a Secure Key (RSA-2048 bit private key) which is generated for you when your account is created. This secure key is encrypted further using a special type of key which is generated by combining:
Having such a setup for saving secure keys ensures that not even Docyt employees can look in to your private data. This is also why it is extremely important to protect your account PIN, and never share it with any one.
When you sign in to Docyt from your authenticated device, your PIN and the dual-control key is used by Docyt servers to decrypt and retrieve your unique Secure Key. We then use this Secure Key as a password for the AES-256 bit encryption that encrypts every document or data that you upload. Even the sensitive fields for documents (for e.g. SSN, account numbers) are encrypted using the same mechanism as the document files. Hence all data that sits in our disks is encrypted, and can only be decrypted by your device. In the extreme case of physical theft of our disks, all such encrypted data on them will be useless.
The RSA-2048 bit and AES-256 bit encryption algorithms are widely accepted as the highest level of encryption algorithms for bank and military grade security. Any time your secure keys or PIN are in transit, between our servers or between your phone/browser and our servers, the communication is encrypted using HTTPS+TLC.
When you share a document with another Docyt user, Docyt gives this other user’s Secure Key an access to this document. When you revoke their access, we revoke their Secure Key’s access to your document.
It is important to note that these protections do not extend if you email a document or export the document out of Docyt to other applications.
We save your Secure Key in your iPhone’s iCloud Keychain. This is a rock solid secure framework built by Apple to secure your passwords and other sensitive information. When you provide your PIN to sign in to Docyt, you are essentially opening the lock on iCloud Keychain. If you forget your account PIN, and click on the “Forgot PIN” link, we ask your phone number and send a secret code via text message to the primary phone number connected with your account. Upon providing this secret code, we let you set your new PIN, which unlocks iCloud Keychain and retrieves your Secure Key. We then encrypt this Secure Key with your new PIN.
Read about how Apple iCloud Keychain works
If your phone is stolen, then to access your data someone needs to first be able to get past your phone PIN screen, as well as your Docyt PIN. We recommend enabling and setting up your fingerprint on your phone for extra level of security. With fingerprint enabled, Docyt will ask for your fingerprint before displaying any information about your extra sensitive documents (like SSN, Account Numbers, Tax Documents etc.).
We highly recommend that all Docyt users keep their phones locked with a strong password/PIN and enable the manufacturer provided fingerprint based authentication.
Your Docyt account is strongly tied to your primary phone number, which you used to create your account. This primary phone number is where we send a secret 2-Factor authentication code by text message, any time we detect a major change in your account, or if you are requesting a reset of your Docyt PIN. If you lose access to this primary phone, the only way to continue with Docyt will be to talk to your telecom service provider and regain control of your primary phone number. After you regain your old phone number, you can use a new phone device, install Docyt on it, and provide your Docyt PIN during sign-in. At this point, if you have forgotten your PIN, your data can not be loaded on your new phone, and is lost forever. If you correctly provide your PIN, and enter the secret code sent on your primary phone number, Docyt app will re-download all your data back.
We do allow you to add your account on multiple devices, but the primary phone number is where we always send the 2-Factor authentication code. We highly recommend not to use Docyt with phone numbers that you may lose access to.
You should also always enable TouchID for your phone, for additional security.
You are still protected with Docyt, as long as your PIN is not compromised. In order for someone to access your account data using the hacked phone number, they still need a phone device containing a copy of your Secure Key. This Secure Key is downloaded from our servers to a new phone device, only when a correct PIN decrypts the encryption on our server. Without the PIN, the hacker can’t look at your data.
If you lose access to your phone number, we recommend that you try to recover your old phone number by working with your cell-phone carrier. Once recovered, update your PIN immediately.