Tresorit: A File Sync Service That Keeps Personal Data Off Servers with End-to-End Encryption and Zero-Knowledge Technology

TL; DR: Tresorit stands out in the file-sync industry with its end-to-end encryption and zero-knowledge technology. The service works with individuals and companies of any size, offering tools for web, desktop, and mobile devices along with a sophisticated sharing and auditing suite. Tresorit’s platform complies with HIPAA, CCPA, and GDPR, and its road map includes dynamic watermarking and fine-tuning email notifications for more effective communication.

When Tresorit launched in 2011, cloud file storage remained a novelty. Although major industry players had established market share, privacy experts had already begun ringing the alarm bell about the relative risk of storing unencrypted data in a public cloud. They warned that providers could scan the contents of uploaded files to feed personalization algorithms.

Peter Budai, Vice President of Product for Tresorit, said that data security and privacy were two concerns that led to the company’s launch.

“Tresorit was founded by three university students who were privacy-conscious and didn’t want to store their data somewhere in the cloud,” he said. “You don’t really have control where your data is stored.”

The three founders realized that where clients stored data was less important than how they stored it. They saw that safeguarding data before it went to the cloud was the key to maintaining security.

“The business was built on end-to-end encryption,” Peter said. “Everything you upload is encrypted before it’s uploaded, and only the uploader can access the documents.”

The cloud provider’s servers only see the encrypted data in an encrypted format they are unable to read, thus offering the best of both worlds.

Tresorit started as a middleware encryption layer for other cloud storages and later expanded to provide file storage for individuals and solopreneurs in 2013. The company expanded offerings to business customers in 2014.

It delivers products to both the individual and corporate markets, with a range of feature sets and storage space. Each plan comes with a free trial period, and Tresorit offers a free file-sending tool called Tresorit Send for one-off transfers.

Although cloud adoption accelerated as the 2010s wore on, the COVID-19 pandemic led to a spike as many companies shifted their operational models to accommodate remote work. Peter said that enterprise cloud adoption remains slow, but the pace has picked up since the pandemic. And many of the late adopters are companies in regulated industries that require special protections for data security.

Tresorit’s model relies on tresors, which are isolated spaces within an encrypted drive. Think of a tresor as a drive-within-a-drive; each tresor contains data and uses its own security and sharing settings.

For example, a small business might use one enterprise account that segregates data by department. A user could have access to a personal tresor plus the shared tresors for finance and human resources, but not those for marketing and IT. That approach differs from cloud solutions that rely on a single master directory tree to organize data or in-house partitioning that separates volumes on a file server.

“Our service works like any other cloud storage in terms of features and ease of use, but everything is designed with privacy in mind, and I’m proud of that. You can access it through a web interface or through desktop and mobile apps,” Peter said. “You can synchronize documents and create links to share or set up file request links where you ask others, for example clients or partners, to upload their files for you.”

Tresorit offers an intuitive control panel for sharing and auditing. With a single click, those with access to an account can see shared links and revoke them from one list, rather than search through folders looking for things they may have errantly shared.

Sharing works on a per-person or per-link model, with built-in options to have the link expire after a set number of days, password-protect the link, limit the number of times the link can be used, disable downloads, require an email address to view the document, or add other control features such as dynamic watermark that is coming soon.

Tresorit keeps detailed audit records, especially needed by enterprise users. Administrators can check the activities performed by other administrators, review recent file edits, track activity within a folder, and view logs of who accessed links. The audit trail even includes the IP address and browser client of those who click on a link, regardless of whether they had to specify an email address.

These tools to manage sharing and audit access are a core part of a robust security profile.

“You’re getting control over your information,” Peter said. “You don’t have to make compromises to get ease-of-use for your colleagues and your organization. And as an organization grows, this kind of control is an absolute must.”

Tresorit deploys end-to-end encryption using the AES-256 standard and zero-knowledge architecture. An end-to-end encryption approach means that data is encrypted at the point of origin and only decrypted again by the recipient. E2EE uses public-key cryptography to prevent any server or eavesdropper between the source and destination from seeing anything other than the encrypted data.

A zero-knowledge service, maintains the data encrypted at all times and without ever learning the password that secures it. A vendor with zero knowledge will store encrypted data but can never decrypt it or access user passwords in a readable format.

“I come from an engineering background, and I worked with the cryptographic team for my first five years at the company,” Peter said. “We are doing everything to provide a solution that is easy to use but with data protection. It’s a lot of work to design a software in that way.”

That level of privacy is essential for small businesses in regulated industries. A typical SMB may not have the resources to deploy a file-server cluster to keep its data in-house or secure it from external threats. With Tresorit, however, there’s comparatively little risk of information leakage. An SMB, or an individual, can gain enterprise-grade privacy protections that generally only enterprise companies with sophisticated IT teams deliver.

For example, Tresorit is fully compliant with the Health Information Portability and Accessibility Act, which means healthcare organizations required by law to follow HIPAA privacy and security protocols can rely on the service.

Tresorit also complies with the California Consumer Privacy Act and the General Data Protection Regulation. The CCPA governs California, where many tech companies reside, and the GDPR governs the European Union.

Tresorit is based in Switzerland with datacenters in Ireland. However, customers on a business or enterprise plan can select datacenters based in the United States, Canada, other parts of Europe, Singapore, or Dubai. Its platform has been independently tested and industry certified.

Tresorit offers a suite of tools to help individuals and business leaders manage and secure their data. The tresor model isolates data more effectively than a file-tree approach, and built-in audit and sharing tools help administrators protect against unauthorized access.

The questions of who shared or viewed a given document become much easier to answer.

Tresorit’s architecture delivers security and privacy strength that complies with the most stringent regulations governing the industry. E2EE and zero-knowledge practices mitigate the two most significant risks of working with a cloud-storage vendor — eavesdropping of data in transit and the vendor’s use of the data as it passes through the server. That framework ensures that of all sizes from SMBs to enterprises enjoy a cloud solution that meets HIPAA, CCPA, and GDPR requirements.

“We’re opening to larger and larger enterprises,” Peter said, referencing the company’s development road map. “We’re working on features that help our customers securely share files with external clients or customers, such as better email notification to make sharing more convenient for our customers. Another big thing coming up is dynamic watermarking. When you share a document using a link, the recipient sees a watermarked version of the document.”

That watermark will be customizable and aims to prevent the recipient from printing or downloading the document. Even if someone takes a screenshot, the watermark remains, indicating who accessed it on what date.

“Tresorit makes it convenient to use the cloud, but with the security of an on-premises solution,” Peter said.