Workspace adheres to the highest standards to protect the data it accepts and stores on behalf of organizations. A user's communication with the server is negotiated over TLS. Workspace supports only the recommended TLS 1.2 and 1.3, with modern cipher suites enabled, so a session cannot be negotiated down to an older protocol version or a weaker cipher by less-secure devices or communication methods, and data in transit is not compromised. Workspace uses strong encryption for all data in the system, including AES256 for data at rest.
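As an added illustration of the transport policy just described (example code written for this page, not Workspace's own configuration), the Go program below builds a server configuration with TLS 1.2 as the floor and only forward-secret AEAD cipher suites for TLS 1.2, then runs in-memory handshakes to confirm that a client capped at TLS 1.0 or 1.1 is refused while a TLS 1.2 client is accepted. The host name workspace.example and the self-signed certificate are constructed for the test; the function names are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSignedCert builds a throwaway ECDSA certificate so the example runs offline.
func selfSignedCert() (tls.Certificate, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "workspace.example"}, // constructed host name
		DNSNames:     []string{"workspace.example"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv}, nil
}

// ServerConfig encodes the page's policy: TLS 1.2 is the floor (TLS 1.3 sits
// above it) and, for TLS 1.2, only forward-secret AEAD suites are offered.
// Go fixes the TLS 1.3 suite list itself; all of those suites are AEAD.
func ServerConfig(cert tls.Certificate) *tls.Config {
	return &tls.Config{
		Certificates: []tls.Certificate{cert},
		MinVersion:   tls.VersionTLS12,
		CipherSuites: []uint16{
			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
			tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
		},
	}
}

// AllowedSuite reports whether a negotiated TLS 1.2 suite is in the policy list.
func AllowedSuite(srv *tls.Config, suite uint16) bool {
	for _, s := range srv.CipherSuites {
		if s == suite {
			return true
		}
	}
	return false
}

// Handshake runs one in-memory handshake between the server policy and a client
// that offers versions up to clientMax (a legacy client may still start at TLS
// 1.0). It returns the negotiated version and suite, or the handshake error.
func Handshake(srv *tls.Config, clientMax uint16) (version, suite uint16, err error) {
	c, s := net.Pipe()
	defer c.Close()
	defer s.Close()
	deadline := time.Now().Add(5 * time.Second) // turn any stall into an error
	c.SetDeadline(deadline)
	s.SetDeadline(deadline)
	client := tls.Client(c, &tls.Config{
		ServerName:         "workspace.example",
		InsecureSkipVerify: true, // self-signed test certificate only
		MinVersion:         tls.VersionTLS10,
		MaxVersion:         clientMax,
	})
	server := tls.Server(s, srv)
	errc := make(chan error, 1)
	go func() { errc <- server.Handshake() }()
	cerr := client.Handshake()
	if serr := <-errc; serr != nil {
		return 0, 0, serr
	}
	if cerr != nil {
		return 0, 0, cerr
	}
	st := client.ConnectionState()
	return st.Version, st.CipherSuite, nil
}

func main() {
	cert, err := selfSignedCert()
	if err != nil {
		panic(err)
	}
	srv := ServerConfig(cert)
	for _, max := range []uint16{tls.VersionTLS10, tls.VersionTLS11, tls.VersionTLS12} {
		v, cs, err := Handshake(srv, max)
		fmt.Printf("client max %#x: version=%#x suite=%s err=%v\n", max, v, tls.CipherSuiteName(cs), err)
	}
}
```

MinVersion together with the TLS 1.2 suite list is the whole policy here, because Go does not let CipherSuites narrow the TLS 1.3 suites. The same handshake check is worth repeating against a deployed endpoint after each change, since a successful negotiation of a legacy version is exactly what the policy is meant to rule out.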
Ingest Workflow
- When a user initiates an upload, a file on the user's device is broken up into chunks and uploaded through Workspace to be placed individually into the encrypted process store in an organization-specific location.
- Once an upload is complete, an event triggers the creation of a readable stream from the individual chunks. This stream is used for antivirus scanning, MIME-type detection, and encrypting the data before it is written to the organization's object store.
- The temporary chunks in the process store are removed as soon as the ingest process is complete.
The process of encrypting data into the object store involves several services that handle relationship, location, and key management. The main storage service splits the incoming stream into two pipes: one feeds a hashing step that computes a hash of the incoming file, and the other is directed to the encryption module.
The encryption module communicates with the policy service and key service in the DSec subdomain of the Secure File Platform. These services return the cipher, Data Encryption Key (DEK), and Initialization Vector (IV) required to encrypt the data, alongside the location and credentials used to write the specific file to the organization's Object Store.
Although the algorithm used for file encryption is configurable, the default and preferred method is AES256 CTR: because a CTR keystream can be computed for any block offset, an arbitrary byte range of a file can be decrypted without reading the file from the start, and this byte-range access is required for media files.
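The two-pipe ingest split and the byte-range property of AES256 CTR, as an added Go example (written for this page, not the Secure File Platform's own code): Ingest tees one incoming stream into a hash and the CTR encryption in a single pass, and DecryptRange seeds the keystream at the block containing the requested offset so the Serve side can decrypt a media range without touching the rest of the object. SHA-256 as the file hash, the function names, and the key material are assumptions of this example; the DEK and IV in the platform come from the key service.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
	"strings"
)

// counterForOffset returns the CTR counter block for the 16-byte block that
// contains byte offset off. CTR mode treats the IV as a 128-bit big-endian
// counter incremented once per block, so the block index is added with carry
// (this matches how crypto/cipher's CTR advances its counter).
func counterForOffset(iv []byte, off int64) []byte {
	ctr := make([]byte, aes.BlockSize)
	copy(ctr, iv)
	carry := uint64(off / aes.BlockSize)
	for i := aes.BlockSize - 1; i >= 0 && carry > 0; i-- {
		sum := uint64(ctr[i]) + (carry & 0xff)
		ctr[i] = byte(sum)
		carry = (carry >> 8) + (sum >> 8)
	}
	return ctr
}

// Ingest models the storage service's split: the incoming stream is teed so one
// copy feeds a SHA-256 hash of the plaintext (hash choice assumed here) while the
// other feeds the AES-256-CTR encryption module, in a single pass.
func Ingest(dek, iv []byte, src io.Reader) (ct, digest []byte, err error) {
	block, err := aes.NewCipher(dek)
	if err != nil {
		return nil, nil, err
	}
	h := sha256.New()
	enc := cipher.StreamReader{S: cipher.NewCTR(block, iv), R: io.TeeReader(src, h)}
	if ct, err = io.ReadAll(enc); err != nil {
		return nil, nil, err
	}
	return ct, h.Sum(nil), nil
}

// DecryptRange returns plaintext bytes [start, end) of the file without reading
// any ciphertext outside that range: it seeds the keystream at the block that
// contains start and discards the keystream bytes that precede start.
func DecryptRange(dek, iv, ciphertext []byte, start, end int64) ([]byte, error) {
	if start < 0 || end > int64(len(ciphertext)) || start > end {
		return nil, errors.New("byte range outside ciphertext")
	}
	block, err := aes.NewCipher(dek)
	if err != nil {
		return nil, err
	}
	stream := cipher.NewCTR(block, counterForOffset(iv, start))
	if skip := int(start % aes.BlockSize); skip > 0 {
		junk := make([]byte, skip)
		stream.XORKeyStream(junk, junk) // advance past the partial leading block
	}
	out := make([]byte, end-start)
	stream.XORKeyStream(out, ciphertext[start:end])
	return out, nil
}

func main() {
	// Constructed key material; in the platform the DEK and IV come from the key service.
	dek := make([]byte, 32)
	for i := range dek {
		dek[i] = byte(i)
	}
	iv := []byte(strings.Repeat("\xff", aes.BlockSize)) // all-ones IV exercises the counter carry
	plain := strings.Repeat("media-frame-", 10)          // constructed 120-byte "file"
	ct, digest, err := Ingest(dek, iv, strings.NewReader(plain))
	if err != nil {
		panic(err)
	}
	seg, err := DecryptRange(dek, iv, ct, 37, 80)
	fmt.Printf("hash %x\nbytes 37..80: %q (err=%v)\n", digest, seg, err)
}
```

CTR gives confidentiality only: a flipped ciphertext byte flips the same plaintext byte undetected, so the hash computed on the ingest pipe (or an authenticated mode over the object) is what a defender checks on retrieval. For the same reason a DEK/IV pair must never be reused across two files; the key service issuing a fresh pair per file is what keeps that property.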
The DSec subdomain in the Secure File Platform contains key and policy services, as well as the virtual security model (VSM).
The key service holds an encrypted version of the key (DEK) and IV used to encrypt a file on behalf of a client application. This encrypted blob is associated with the identifier of the Key Encryption Key (KEK) that the VSM returned when the key was generated.
The policy service holds encrypted policy information for an organization, including the encryption methods to use and how to communicate with the organization store.
Because an organization's policy can change, the policy service also holds a relationship between a specific organization policy and the individual file. Its encrypted data blobs are associated with the KEK identifier returned by the VSM at encryption time.
The VSM is used to generate cryptographic keys and to encrypt small blobs of data. The keys and IVs used to encrypt data blobs are themselves encrypted under the organization's VSM key. Because an organization's VSM key may be rotated, each encrypted blob is stored together with the identifier of the VSM key that encrypted it, so the correct key can be selected when the blob is decrypted.
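The key-wrapping arrangement described for the key service and the VSM, as an added Go example (written for this page, not the DSec code): the VSM holds an organization's KEKs by identifier and only wraps or unwraps small blobs, the key service stores a per-file record of the wrapped DEK||IV plus the KEK identifier, and a rotation installs a new KEK without touching file ciphertext, after which Rewrap moves records onto it. AES-256-GCM for the wrap, the KEK and file identifiers, and every type and function name are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)

// VSM models the page's virtual security model: it holds an organisation's KEKs by
// identifier and only wraps or unwraps small blobs; a KEK never leaves it.
type VSM struct {
	keks   map[string][]byte
	active string
}

func NewVSM() *VSM { return &VSM{keks: map[string][]byte{}} }

// Rotate installs a fresh 256-bit KEK under id and makes it the key for all new
// wraps; older KEKs stay so blobs bound to them can still be unwrapped.
func (v *VSM) Rotate(id string) error {
	kek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, kek); err != nil { return err }
	v.keks[id], v.active = kek, id
	return nil
}

// Retire deletes a KEK; any blob still bound to it becomes unrecoverable.
func (v *VSM) Retire(id string) { delete(v.keks, id) }

func (v *VSM) aead(id string) (cipher.AEAD, error) {
	kek, ok := v.keks[id]
	if !ok { return nil, fmt.Errorf("unknown KEK %q", id) }
	block, err := aes.NewCipher(kek)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// Wrap encrypts blob under the active KEK (AES-256-GCM, random nonce prefixed) and
// returns the KEK identifier to store with it; the identifier is bound as
// associated data so a blob cannot be presented under a different record.
func (v *VSM) Wrap(blob []byte) (kekID string, wrapped []byte, err error) {
	g, err := v.aead(v.active)
	if err != nil { return "", nil, err }
	nonce := make([]byte, g.NonceSize())
	if _, err = io.ReadFull(rand.Reader, nonce); err != nil { return "", nil, err }
	return v.active, g.Seal(nonce, nonce, blob, []byte(v.active)), nil
}

// Unwrap reverses Wrap using the KEK identifier recorded with the blob.
func (v *VSM) Unwrap(kekID string, wrapped []byte) ([]byte, error) {
	g, err := v.aead(kekID)
	if err != nil { return nil, err }
	n := g.NonceSize()
	if len(wrapped) < n { return nil, fmt.Errorf("wrapped blob too short") }
	return g.Open(nil, wrapped[:n], wrapped[n:], []byte(kekID))
}

// KeyRecord is what the key service persists per file: the wrapped DEK||IV and
// the KEK identifier it was wrapped under, never plaintext key material.
type KeyRecord struct {
	FileID, KEKID string
	Wrapped       []byte
}

// NewFileKey issues a fresh AES-256 DEK and 16-byte IV for fileID and returns
// them with the record the key service stores.
func NewFileKey(v *VSM, fileID string) (dek, iv []byte, rec KeyRecord, err error) {
	material := make([]byte, 32+16)
	if _, err = io.ReadFull(rand.Reader, material); err != nil { return nil, nil, rec, err }
	kekID, wrapped, err := v.Wrap(material)
	if err != nil { return nil, nil, rec, err }
	return material[:32], material[32:], KeyRecord{fileID, kekID, wrapped}, nil
}

// OpenFileKey recovers the DEK and IV from a stored record through the VSM.
func OpenFileKey(v *VSM, rec KeyRecord) (dek, iv []byte, err error) {
	material, err := v.Unwrap(rec.KEKID, rec.Wrapped)
	if err != nil { return nil, nil, err }
	return material[:32], material[32:], nil
}

// Rewrap rebinds a record to the active KEK after a rotation; the file
// ciphertext in the object store is untouched, only this small blob changes.
func Rewrap(v *VSM, rec KeyRecord) (KeyRecord, error) {
	material, err := v.Unwrap(rec.KEKID, rec.Wrapped)
	if err != nil { return rec, err }
	kekID, wrapped, err := v.Wrap(material)
	if err != nil { return rec, err }
	return KeyRecord{rec.FileID, kekID, wrapped}, nil
}

func main() {
	vsm := NewVSM()
	vsm.Rotate("kek-v1") // constructed identifiers
	_, _, rec, _ := NewFileKey(vsm, "file-1")
	vsm.Rotate("kek-v2")
	rec, _ = Rewrap(vsm, rec)
	vsm.Retire("kek-v1")
	_, _, err := OpenFileKey(vsm, rec)
	fmt.Println(rec.FileID, "now bound to", rec.KEKID, "open error:", err)
}
```

The record keeping the KEK identifier is what makes rotation safe: a file wrapped under an older KEK still opens until that KEK is retired, and a retirement before every record has been rewrapped is the failure a defender watches for, since the affected files then cannot be decrypted at all.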
File Retrieval
When a user requests a file for download, and after the request passes Workspace authorization checks, the Secure File Platform Serve service collects the encryption parameters and storage location from DSec and creates a read stream from the encrypted Object Store.
This read stream passes through the Secure File Platform decryption module and traverses Workspace directly back to the client over TLS.