Twake is Secure by Design

When it comes to team efficiency, collaboration and all activities related to teamwork, such as group messaging, document sharing and storage, task management, team calendar, video conferencing, and screen sharing, are important tools.

Twake provides these vital team-work tools with the highest standards of reliability, privacy and security. Twake has created a highly open and stable architecture based on established technologies to better meet these needs.

End-to-End Encryption

Coming Soon!

In order to always improve our security, next version of Twake will include full end-to-end encryption for direct and private channels.

Point-to-Point Encryption

We do everything we can do to protect your personal and professional data. Your data is encrypted before being sent to the database (encryption at rest) and we use TLS for communications (encryption in transit).

Located in Europe

All the Twake servers are located in France and so is your data. We use OVH as our main provider.

Secure Protocols

We use HTTPS for unidirectional traffic encryption and WSS for bidirectional real-time traffic encryption. Passwords are hashed with PBKDF2. Files are encrypted with OpenSSL AES-256-CBC with a key composed of three parts stored in database, in code, and in the server configuration.
Our Web Socket communication has an extra layer of security using AES front-end encryption with rotating random keys. And finally, our database is encrypted with OpenSSL AES-256-CBC.

Secure Real-time collaboration

Web Sockets are used for real-time collaboration. It is used in Messages for real-time messaging, but also in Drive, Calendars, and Tasks. We use PubSub architecture, which means that a client can Subscribe to a room and then will receive any data Published by other clients in this same room. The PHP Server can itself send data to this room, we call this action a Push.

In order to keep Web Sockets data exchanges secure keeping the Web Sockets server the most simple possible, we exchange encrypted data only with an evolutive encryption key.
Only the PHP server verifies the client access rights and generates a new key for everyone. Because the complete key is never sent over the Web Sockets Server, the only way to get a correct encryption key is to ask the PHP Server.

High Scalability and Fault Tolerance

Twake is built on scalable technologies and allows us to scale to million users but also to be fault-tolerant. We define two kinds of replication, hardware replication, and software replication.

Hardware replication in case of a hard disk crash or network issue is managed by our infrastructure provider OVH. OVH distributes data within clusters that have triple replication for each object. These replicas are placed on both different disks and servers, to ensure their longevity. You can find more information about how they manage these issues through the below links:

check_circleServers:
https://www.ovhcloud.com/en/public-cloud
check_circleObject storage and backups:
https://www.ovhcloud.com/en/public-cloud/object-storage/

Software replication is done by us and we added an additional security layer. Each middleware and node used by Twake are replicated at least three times. In the rare case of a node failure, our system automatically alerts us and starts using the remaining available node until we operate and fix the broken node.

Secure file storage

Twake stores encrypted binary files in a documented repository. In the SaaS version, we use OVH Swift Object Storage to store our encrypted files. In the On-Premise version, you can use any S3 or Swift Object Storage provider like MinIO for instance.

Documents uploaded to Twake drive are encrypted using AES-256 standard with a key built using three strings:

check_circleA static in code string salt;
check_circleA configured salt defined during Twake installation;
check_circleA random key is generated for each document and stored in the database.

The three strings are required to decrypt binary documents stored in Twake drive or in Messages attachment.
PHP servers verify client rights before each decryption of documents.

Database Encryption

Data is stored in ScyllaDB encrypted databases and searchable entities will be stored in Elastic Search but only identifiers will be available over Elastic Search.

Any data (except non-sensible data like identifiers, dates, and counters) stored in ScyllaDB is encrypted using OpenSSL AES-256-CBC.

We provide advanced search features to our product Twake using Elastic Search to index our entities. Entities are not stored in Elastic Search and only indexes will be available if Elastic Search servers are compromised.

Jitsi

We use Jitsi for video-conferencing. Jitsi is a very simple software that takes the URL components to generate the video-conference unique name. Each conference generated in Twake is basically a long token used as a room unique name and is stored nowhere else than in our database.

In the SaaS version, the Jitsi servers are managed by Twake itself. In the On-Premise version, Jitsi can be disabled if not used, or it can be installed locally or using Jitsi servers directly.

ONLYOFFICE

We use the ONLYOFFICE office suite for real-time collaboration and editing of Microsoft Office and Open Office documents. ONLYOFFICE provides an API, which is used to communicate with our document storage server via our PHP server.

When a user wants to open an Office document, a request to the PHP server is made. This server verifies access rights and generates a new random token. This token is sent to the user who can build a new URL used by ONLYOFFICE to retrieve the document. This URL makes a request to the PHP server which verifies the token given in this same URL and returns the requested document to ONLYOFFICE. ONLYOFFICE puts this document in the cache for real-time editing and destroys it after that. The same process is repeated when the document is saved.

In the SaaS version, the ONLYOFFICE servers are managed by Twake itself. In the On-Premise version, ONLYOFFICE can be disabled if not used, can be installed locally, or can be used under ONLYOFFICE SaaS offer.

Random Token Generation

For random token generation, we use the PHP built-in random_bytes function with bin2hex if needed on the PHP side. In addition to that, we use the crypto library with randomBytes from NodeJS and the front-end side.

Secure Password Storage and Authentication

Passwords are not stored in clear, only a hash of it is stored in the database. We use the hash_pbkdf2 method with a randomly generated salt for each user.

SQL Injection

Each database access uses Doctrine ORM sanitization before write or reads, we never use custom access to the database to reduce risks of injection. We developed a middleware to use the ScyllaDB database, but this middleware works after Doctrine ORM sanitization.
On NodeJS, we also implemented an ORM for all database access to keep this level of security.

Frequently Asked Questions

Where can I find the latest security document of Twake?

For the latest version of the security document, please visit twake.app. The security document presents how Twake manages data security. Because we are constantly improving our security algorithms, some specifications can be currently deployed in production or currently planned.

How can you contact us?

Please feel free to contact us on helpdesk@twake.app for any kind of questions.

How do you manage backups?

We backup our encrypted database and your encrypted documents in OVH Object Storage. We keep a backup of each month and a backup of the last seven days.

How do you manage security with third-party applications and modules?

We cannot guarantee the security of the data you send to third-party applications and modules. If you work with an external app like Zapier or Giphy, they will have access to some of your information. You can see the access scope of an application before adding it to your company.

What if I want to export all my data?

We do not provide an export feature on the software itself. But we can export your data on-demand. We can export your data in 2 business days, depending on how you have used Twake and how much data you need to export (files, calendars, metadata, etc.). We do not have direct access to your files, but you will be able to download them using the file identifiers generated in the exported files and your Twake account.