Q: What is zero-knowledge encryption?

Zero-knowledge encryption means the server never sees your plaintext data. DDSHARED encrypts all files client-side (in your browser or desktop app) before upload. The server stores only encrypted blobs. Your encryption keys are transported via URL fragment—never sent to the server. Even if DDSHARED servers were compromised, attackers would only find encrypted data they cannot decrypt.

Q: How are encryption keys generated and managed?

DDSHARED uses a layered key architecture: 1. Master Key (MK): 256-bit key generated client-side using Web Crypto API (CSPRNG) 2. Key Encryption Key (KEK): Derived from MK using HKDF-SHA256 3. Media Encryption Key (MEK): Unique 256-bit key generated for each file Each file is encrypted with its own MEK. The MEK is then wrapped (encrypted) with the KEK. Only the encrypted MEK is stored on the server. The master key travels only in the URL fragment (#key), which is never sent to the server per RFC 3986 .

Q: Where are encrypted files stored?

DDSHARED stores encrypted files on Cloudflare R2 , a zero-egress-fee object storage compatible with AWS S3. Files are encrypted client-side before upload to R2. R2 adds server-side encryption at rest (AES-256). This provides defense-in-depth: even if R2 were compromised, files remain encrypted with keys only you control.

Q: How does DDSHARED track file access?

DDSHARED maintains an append-only audit log for every file operation (upload, download, share, delete, permission change). Logs are immutable—they cannot be edited or deleted, even by DDSHARED administrators. Each audit entry includes: - User ID and IP address - Timestamp (UTC) - Action type - File ID - Success/failure status Audit logs can be exported for HIPAA compliance reporting and OCR inspections.

Q: Can DDSHARED staff access my files?

No. DDSHARED uses zero-knowledge architecture . Your files are encrypted client-side before upload with keys only you control. DDSHARED servers store only encrypted blobs. Even if DDSHARED engineers wanted to access your files, they cannot decrypt them without your master key (which never leaves your device).

Q: What happens if I lose my encryption key?

If you lose your master key (the URL with #key fragment), your files cannot be recovered . This is a fundamental property of zero-knowledge encryption. We recommend: 1. Save share links in a password manager (1Password, Bitwarden) 2. For practice files, use the desktop sync client (master key stored securely in OS keychain) 3. For critical files, create multiple encrypted share links and store in different secure locations

Q: How does DDSHARED prevent brute-force attacks?

DDSHARED uses multiple defenses against brute-force: 1. 256-bit keys: 2^256 possible combinations (more than atoms in the universe) 2. Rate limiting: Max 5 failed login attempts per IP per 15 minutes 3. CAPTCHA: After 3 failed attempts 4. 2FA support: Optional TOTP second factor 5. Key stretching: PBKDF2 with 100,000 iterations for password-derived keys Attempting to brute-force a 256-bit AES key would take longer than the age of the universe with all computers on Earth.

Q: How does DDSHARED handle security vulnerabilities?

DDSHARED maintains a responsible disclosure policy . Security researchers can report vulnerabilities to security@ddshared.com. We commit to: - Acknowledge reports within 24 hours - Provide initial assessment within 3 business days - Fix critical vulnerabilities within 7 days - Credit researchers in our security changelog (if desired) We also conduct annual third-party penetration testing and maintain a bug bounty program for critical infrastructure.

Question 1

What is zero-knowledge encryption?

Accepted Answer

Zero-knowledge encryption means the server never sees your plaintext data. DDSHARED encrypts all files client-side (in your browser or desktop app) before upload. The server stores only encrypted blobs. Your encryption keys are transported via URL fragment—never sent to the server. Even if DDSHARED servers were compromised, attackers would only find encrypted data they cannot decrypt.

Question 2

How does AES-256-GCM encryption work?

Accepted Answer

AES-256-GCM is a symmetric encryption algorithm standardized by NIST SP 800-38D. It provides both confidentiality (encryption) and authenticity (detection of tampering). GCM (Galois/Counter Mode) is faster than CBC mode and prevents padding oracle attacks. DDSHARED uses 256-bit keys—the strongest AES variant, providing 2^256 possible keys.

Question 3

How are encryption keys generated and managed?

Accepted Answer

DDSHARED uses a layered key architecture:

1. Master Key (MK): 256-bit key generated client-side using Web Crypto API (CSPRNG)
2. Key Encryption Key (KEK): Derived from MK using HKDF-SHA256
3. Media Encryption Key (MEK): Unique 256-bit key generated for each file

Each file is encrypted with its own MEK. The MEK is then wrapped (encrypted) with the KEK. Only the encrypted MEK is stored on the server. The master key travels only in the URL fragment (#key), which is never sent to the server per RFC 3986.

Question 4

Where are encrypted files stored?

Accepted Answer

DDSHARED stores encrypted files on Cloudflare R2, a zero-egress-fee object storage compatible with AWS S3. Files are encrypted client-side before upload to R2. R2 adds server-side encryption at rest (AES-256). This provides defense-in-depth: even if R2 were compromised, files remain encrypted with keys only you control.

Question 5

How does DDSHARED track file access?

Accepted Answer

DDSHARED maintains an append-only audit log for every file operation (upload, download, share, delete, permission change). Logs are immutable—they cannot be edited or deleted, even by DDSHARED administrators. Each audit entry includes:

- User ID and IP address
- Timestamp (UTC)
- Action type
- File ID
- Success/failure status

Audit logs can be exported for HIPAA compliance reporting and OCR inspections.

Question 6

Can DDSHARED staff access my files?

Accepted Answer

No. DDSHARED uses zero-knowledge architecture. Your files are encrypted client-side before upload with keys only you control. DDSHARED servers store only encrypted blobs. Even if DDSHARED engineers wanted to access your files, they cannot decrypt them without your master key (which never leaves your device).

Question 7

What happens if I lose my encryption key?

Accepted Answer

If you lose your master key (the URL with #key fragment), your files cannot be recovered. This is a fundamental property of zero-knowledge encryption. We recommend:

1. Save share links in a password manager (1Password, Bitwarden)
2. For practice files, use the desktop sync client (master key stored securely in OS keychain)
3. For critical files, create multiple encrypted share links and store in different secure locations

Question 8

How does DDSHARED prevent brute-force attacks?

Accepted Answer

DDSHARED uses multiple defenses against brute-force:

1. 256-bit keys: 2^256 possible combinations (more than atoms in the universe)
2. Rate limiting: Max 5 failed login attempts per IP per 15 minutes
3. CAPTCHA: After 3 failed attempts
4. 2FA support: Optional TOTP second factor
5. Key stretching: PBKDF2 with 100,000 iterations for password-derived keys

Attempting to brute-force a 256-bit AES key would take longer than the age of the universe with all computers on Earth.

Question 9

Is DDSHARED SOC 2 compliant?

Accepted Answer

DDSHARED is currently pursuing SOC 2 Type II certification. Our infrastructure is designed with SOC 2 controls in mind: encrypted data at rest and in transit, role-based access control, audit logging, security monitoring, and annual penetration testing. Contact our team for current compliance status.

Question 10

How does DDSHARED handle security vulnerabilities?

Accepted Answer

DDSHARED maintains a responsible disclosure policy. Security researchers can report vulnerabilities to security@ddshared.com. We commit to:

- Acknowledge reports within 24 hours
- Provide initial assessment within 3 business days
- Fix critical vulnerabilities within 7 days
- Credit researchers in our security changelog (if desired)

We also conduct annual third-party penetration testing and maintain a bug bounty program for critical infrastructure.

Question 11

What encryption standards does DDSHARED follow?

Accepted Answer

DDSHARED follows industry-standard cryptographic practices:

- Encryption: AES-256-GCM per NIST SP 800-38D
- Key derivation: HKDF-SHA256 per RFC 5869
- Random generation: Web Crypto API (CSPRNG)
- Transport: TLS 1.3 (ECDHE_RSA with AES-256-GCM)
- Password hashing: Argon2id (winner of Password Hashing Competition)

We do not implement custom cryptography. All algorithms are standard, peer-reviewed, and NIST-approved.

Question 12

Does DDSHARED support end-to-end encryption for sharing?

Accepted Answer

Yes! When you create a share link, the recipient gets a URL with the encryption key in the fragment (e.g., ddshared.com/share/abc123#key=xyz). The key never leaves the URL—it is not sent to the server. The recipient decrypts the file client-side in their browser. This provides true end-to-end encryption: only sender and recipient can decrypt the file.

Zero-Knowledge Architecture — Server Never Sees Plaintext PHI

What is zero-knowledge encryption?

How does AES-256-GCM encryption work?

How are encryption keys generated and managed?

Where are encrypted files stored?

How does DDSHARED track file access?

Can DDSHARED staff access my files?

Cryptographic Standards & Compliance

Encryption

Key Derivation

Random Generation

Transport Security

Password Hashing

HIPAA Compliance

Security FAQs

Zero-Knowledge Security for Your Practice