How is security guaranteed in TrustCase?


The TrustCase application was developed to provide F24 customers with a secure and reliable messenger app to exchange company-critical data during crisis management. The market did not offer a suitable solution that met our expectations.

All messages from sender to recipient are end-to-end encrypted. Message contents cannot be read by any intermediate components such as networks and servers. The app’s architecture is designed to avoid generation of unnecessary metadata.

TrustCase is an effective and easy way to coordinate team collaboration. Tasks can be quickly created and assigned. The current status of task processing can be tracked in an overview. Tasks from other systems can be integrated using the integrated API interface.


Where are the servers located?

The TrustCase servers store only the data that is essential for message transmission. The servers are located in Frankfurt am Main, Germany, and are thus governed by German law. The level of data protection imposed by the German Federal Data Protection Act (BDSG) is known as one of the most rigorous in the world. In addition, the requirements of the EU General Data Protection Regulation (GDPR) are complied with.

Here is some information on the basic handling of the data:

The basic principle behind the TrustCase app is to provide a highly secure business messenger service with a range of practical functions. Storing or managing data is not in line with this principle (for more information, see Settings -> Data Protection).

The TrustCase server is used to transmit messages and data. Data is held on the servers temporarily, only for the period required to transmit the message. External interception of data during transmission is futile because all messages and media are end-to-end encrypted and can thus only be decrypted by the recipient with the appropriate key.

No data is stored in plain text. Telephone numbers are stored in anonymised (hashed) form, while content, profile names and profile images are stored exclusively in encrypted form. The keys are not known to TrustCase.

You manage your contacts yourself on your device. When you synchronize your TrustCase contacts with your phone book, the data is anonymised, sent to the TrustCase servers and then erased. Each user ID is associated with a key pair (a private key and a public key; see "Meaning of user ID" below). Because these keys are generated in a decentralised manner on the individual devices, TrustCase does not know the private key and therefore does not hold the counterpart required for decryption. User IDs and public keys, which TrustCase generates itself, are not encrypted, since they are needed for the exchange of end-to-end encrypted messages.

Meaning of user ID

After registration, each user's mobile phone number is assigned a user ID. This 8-character ID is randomly generated and consists of a combination of letters and numbers. The user ID allows anonymous use of the TrustCase application. The identifier is not transferable and cannot be used on several devices. The TrustCase user ID is bound to a key pair consisting of a private key and a public key. The private key is stored on the mobile phone; the public key is distributed to your contacts via the TrustCase server. If one of your contacts writes you a message, it is encrypted on their device with your public key. Only you can decrypt these messages with the matching counterpart, your private key.
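The key-pair model described in the last three sections, as an added Go example that is not TrustCase's code and does not reflect its actual protocol or wire format: each device generates its own key pair, the relay stores only a hashed phone number, the user ID and the public key, a message is encrypted on the sender's device for the recipient's public key, and only the holder of the matching private key can open it. The choice of X25519 key agreement with AES-GCM, SHA-256 for the phone-number hash, the envelope layout, and the user IDs and phone numbers are all assumptions or constructed sample values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
)

// Device is a constructed client model (not TrustCase's code); its private key never leaves the struct.
type Device struct {
	UserID string // stands in for the random 8-character ID; sample values are constructed
	priv   *ecdh.PrivateKey
}

// Envelope is all the relay sees for one message: routing IDs, nonce, ciphertext.
type Envelope struct {
	From, To          string
	Nonce, Ciphertext []byte
}

// Server models the relay's directory; it never holds a private key or plaintext.
type Server struct {
	directory map[string]string          // sha256(phone) -> user ID
	pubkeys   map[string]*ecdh.PublicKey // user ID -> public key
}

func NewDevice(userID string) (*Device, error) {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader) // generated on the device
	if err != nil { return nil, err }
	return &Device{UserID: userID, priv: priv}, nil
}

// HashPhone is the directory key a client uploads instead of the number itself.
func HashPhone(phone string) string {
	sum := sha256.Sum256([]byte(phone))
	return hex.EncodeToString(sum[:])
}

func (s *Server) Register(phone string, d *Device) {
	s.directory[HashPhone(phone)] = d.UserID
	s.pubkeys[d.UserID] = d.priv.PublicKey() // only the public half is published
}

// aead: 256-bit AES-GCM key from the X25519 shared secret, identical on both ends of the pair.
func (d *Device) aead(peer *ecdh.PublicKey) (cipher.AEAD, error) {
	shared, err := d.priv.ECDH(peer)
	if err != nil { return nil, err }
	key := sha256.Sum256(append([]byte("trustcase-demo-v1|"), shared...))
	block, err := aes.NewCipher(key[:])
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// Seal encrypts to the recipient's public key; the routing IDs are bound as associated data.
func (d *Device) Seal(to string, peer *ecdh.PublicKey, plaintext []byte) (Envelope, error) {
	g, err := d.aead(peer)
	if err != nil { return Envelope{}, err }
	nonce := make([]byte, g.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil { return Envelope{}, err }
	ct := g.Seal(nil, nonce, plaintext, []byte(d.UserID+">"+to))
	return Envelope{From: d.UserID, To: to, Nonce: nonce, Ciphertext: ct}, nil
}

func (d *Device) Open(env Envelope, peer *ecdh.PublicKey) ([]byte, error) {
	g, err := d.aead(peer)
	if err != nil { return nil, err }
	return g.Open(nil, env.Nonce, env.Ciphertext, []byte(env.From+">"+env.To))
}

// Scenario: Alice -> relay -> Bob. Bob decrypts; a holder of public keys only gets an auth error.
func Scenario() (recovered string, outsiderErr error, err error) {
	server := &Server{map[string]string{}, map[string]*ecdh.PublicKey{}}
	alice, err := NewDevice("A1B2C3D4")
	if err != nil { return "", nil, err }
	bob, err := NewDevice("E5F6G7H8")
	if err != nil { return "", nil, err }
	server.Register("+49 170 0000001", alice) // constructed sample numbers
	server.Register("+49 170 0000002", bob)
	bobID := server.directory[HashPhone("+49 170 0000002")] // lookup by hash, as address-book sync would
	env, err := alice.Seal(bobID, server.pubkeys[bobID], []byte("Evacuation of building B starts at 14:00"))
	if err != nil { return "", nil, err }
	pt, err := bob.Open(env, server.pubkeys[env.From]) // Bob uses the sender's public key
	if err != nil { return "", nil, err }
	outsider, err := NewDevice("OUTSIDER") // any party without Bob's private key
	if err != nil { return "", nil, err }
	_, outsiderErr = outsider.Open(env, server.pubkeys[env.From])
	return string(pt), outsiderErr, nil
}

func main() {
	pt, oerr, err := Scenario()
	if err != nil { panic(err) }
	fmt.Println("Bob reads:", pt, "| outsider:", oerr)
}
```

`go run` prints the plaintext Bob recovers and the authentication error the outsider gets; the relay in this model holds only hashes, IDs, public keys and ciphertext, which is the property the article claims. One caveat for anyone evaluating such a scheme: a plain digest of a phone number pseudonymises rather than anonymises it, because the space of valid numbers is small; the example keeps the hash only to model what the server stores, as described above.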

Restrict access in the application

In the TrustCase app, you have the option of restricting any access, both at first launch and at any later time. For example, if you do not want to allow access to the contacts in your directory (although we do not see the data), you can refuse it. In that case, contacts from your phone book will not appear in your TrustCase contacts. You can always add contacts yourself by scanning the QR code of other TrustCase users and asking them to scan your QR code as well. Another option is to use the FACT24 TrustBroker to obtain contacts in the TrustCase application.

On an iOS device, you can change the permissions granted to TrustCase at: Settings -> TrustCase

With Android, access can be managed under:

Settings -> Applications and notifications -> Application permissions

On iOS, the QR code can be generated without a fingerprint if you do not want to store biometric features on your smartphone: a short prompt asks you to place your finger on the sensor, but you can continue without doing so. On Android devices the QR code is displayed directly, because a "Touch ID" step is not as common there.

The TrustCase app, as well as FACT24 and the F24 crisis management tool, are subject to annual penetration tests carried out by the renowned independent company SySS GmbH. The corresponding certificates attest to the high level of security of our systems.

