v0.4 Last Updated: 17/05/2021
This security policy relates to the Revoke service (the “Service”) operated by Revoke Limited (“Revoke”, “us”, “we”, or “our”). Revoke Limited is a company registered with the Jersey Financial Services Commission, Registration Number 124314.
At Revoke, we care deeply about privacy and security.
This policy outlines the steps we have taken to ensure that any data we store or transmit is secure and protected appropriately.
We use advanced levels of encryption for data at rest and in transit, at both the message and transport layers, including use of the following:
We treat personal data very carefully.
We ensure that all data is encrypted, when it is on your device, when it is being transmitted, and when it is stored with Revoke.
Each user has a unique Private Key on their phone for decryption. This Private Key is derived by a random number generation process. A corresponding Public Key is used for encryption. These keys are known as a Key Pair.
To ensure the Key Pair is completely random and impossible to re-generate, the user is required to perform non-predictable, non-reproducible actions.
The actions depend on the device and the application permissions, but include one or more of:
All data on a user’s device is encrypted using AES256 encryption with a randomly generated password. The password for each item of data is encrypted using a suitable Public Key.
Data is decrypted using a Private Key, accessed with a user-defined PIN.
Information sent to and from third parties containing restricted or sensitive personal data is protected and secured by cryptographic certificates.
Certificates are based on the X.509 standard but use a JSON format to allow extended attributes not supported in the native X.509 certificate format.
In addition to encryption at the message layer, HTTPS is used to encrypt the transport layer between all services.
Revoke provides an API for companies to query and match customer records, in order to automate responding to requests.
It is essential that no personal data is divulged as part of this process, and that company customer data is protected.
All the data sent by the company to Revoke is masked and anonymised using cryptographic operations to provide a secure data store without compromising the personal data of the customer or the commercially sensitive data of the company.
A customer record from a client company consists of two primary elements:
Each company record requires a unique reference that has relevance in the client company customer database. This is to provide a mechanism to link a Revoke record or data protection request with an actual customer.
In order to protect the customer reference field, the company encrypts the data incorporating its Private Key (Curve25519) using secret box encryption.
The customer record contains one or more matching fields. A criteria field is a unique piece of information connected with the end customer. This can be for items such as “email address”, “first name”, “last name”, “postcode” etc. The company can supply any number of matching fields based on the size and type of customer data contained within their systems.
Prior to transmission, matching field data is protected by two rounds of BLAKE2b hashing. This ensures that any sensitive commercial or personal information is completely protected against any misuse by a third party. The Revoke data protection mechanism offers three fundamental levels of security:
In order to suitably protect the sensitive data sent by the company to Revoke, the following algorithm is implemented:
Note: For added security, the raw secret key agreement value should be protected by utilising a key derivation function (KDF) such as an HMAC or hash.
Notes:
The above process has the following advantages:
Users send the same matching information to Revoke utilising a similar approach. The notable difference is that the process is split into two parts with the user’s device performing the initial hash with the Revoke public key.
The Revoke services then use the data sent from the user’s device to pre-compute a hash table containing the relevant data for the onboarded companies. This process uses the Revoke private key and the specific company public key to generate the same shared secret used by the company.
The Revoke system will take all new masked data submitted by users and construct a suitable reference system to enable searching in a timely manner. The system will in effect pre-calculate all the potential match results for the customer and company userbase held in an efficient and secure data storage.
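The matching flow described above, as an added example that is not Revoke's code. The exact algorithm steps are not on this page, so the keying of each round, the HMAC-SHA256 KDF, the field normalisation, and all keys, company names and records below are assumptions constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample keys (assumptions): stand-ins for Revoke's public key
# and the raw key-agreement value shared between Revoke and each company.
REVOKE_PUBLIC_KEY = bytes(range(32))
RAW_SHARED = {"acme": b"\x11" * 32, "globex": b"\x22" * 32}


def derive_key(raw_shared: bytes) -> bytes:
    """KDF over the raw agreement value (HMAC-SHA256 chosen for this example)."""
    return hmac.new(b"matching-v1", raw_shared, hashlib.sha256).digest()


def round_one(field: str, value: str) -> bytes:
    """First round: run by the company, and by the user's own device."""
    data = field.encode() + b"\x00" + value.strip().lower().encode()
    return hashlib.blake2b(data, key=REVOKE_PUBLIC_KEY, digest_size=32).digest()


def round_two(first: bytes, company: str) -> bytes:
    """Second round: keyed with the company-specific derived secret."""
    key = derive_key(RAW_SHARED[company])
    return hashlib.blake2b(first, key=key, digest_size=32).digest()


def company_upload(company: str, records: dict) -> dict:
    """Company side: both rounds run locally; only masked values are sent."""
    return {round_two(round_one("email", email), company): ref
            for ref, email in records.items()}


def revoke_match(user_first_round: bytes, uploads: dict) -> dict:
    """Revoke side: finish round two per company, then look the value up."""
    hits = {}
    for company, table in uploads.items():
        ref = table.get(round_two(user_first_round, company))
        if ref is not None:
            hits[company] = ref
    return hits


# Constructed records; "ref-..." stands in for the encrypted customer reference.
UPLOADS = {
    "acme": company_upload("acme", {"ref-001": "alice@example.com"}),
    "globex": company_upload("globex", {"ref-900": "Alice@Example.com ",
                                        "ref-901": "bob@example.com"}),
}
print(revoke_match(round_one("email", "alice@example.com"), UPLOADS))
```

Because the second round is keyed per company, the same email address produces a different masked value in each company's table, so the tables cannot be joined against each other without the per-company secret.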
Requests are made over HTTPS/SSL using a simple REST/SOAP call.
Each request sent to the Company API contains:
Payload requests are encrypted using secret box encryption, as this removes the need for the company to track and maintain a unique number-used-once (nonce) value.
Revoke is committed to maintaining the security of our systems and protecting sensitive information from unauthorised disclosure.
We will not take legal action against security researchers acting in good faith in relation to the discovery and reporting of a potential security vulnerability. This is provided that all such potential security vulnerabilities are discovered and reported strictly in accordance with this Responsible disclosure statement.
Should you discover any personal, financial or proprietary information, please do not proceed any further and contact us immediately.
Please email security@revoke.com to disclose potential security vulnerabilities.
We take security seriously which is why we’ve been assessed and certified for addressing cybersecurity effectively and mitigating the risk from Internet-based threats.