
Security Practices - Nygma.ai

Last Updated: March 18, 2025

This Security Practices document outlines the comprehensive security measures implemented by Genie9 LTD ("Genie9", "we", "us", or "our") to protect the Nygma.ai service ("Service") and user data. This document is provided for transparency and to help users understand our security commitments.

1. Zero-Knowledge Encryption Architecture

1.1 Client-Side Encryption

Encryption Implementation:

  • All user data encrypted on the client device before transmission
  • AES-256-GCM encryption for file content
  • ChaCha20-Poly1305 for performance-critical operations
  • RSA-4096 or ECDH P-384 for key exchange
  • No plaintext data ever transmitted to our servers

Key Management:

  • Encryption keys generated on user devices using cryptographically secure random number generators
  • Master keys derived from user passwords using PBKDF2 with SHA-256 and minimum 100,000 iterations
  • Individual file keys generated independently for each encrypted item
  • No encryption keys stored on our servers

Zero-Knowledge Guarantee:

  • Technical impossibility for Genie9 to access user content
  • Server systems designed to operate on encrypted data only
  • No backdoors or master keys that could compromise user privacy

1.2 Authentication Security

Secure Authentication Protocol:

  • Challenge-response authentication without password transmission
  • SRP (Secure Remote Password) protocol implementation
  • Protection against password interception and replay attacks
  • Session management with cryptographically secure tokens

Multi-Factor Authentication:

  • TOTP (Time-based One-Time Password) support
  • Hardware security key compatibility (FIDO2/WebAuthn)
  • SMS backup authentication (where supported)
  • Recovery code generation for account recovery

2. Data Protection Measures

2.1 Encryption Standards

Symmetric Encryption:

  • AES-256 in Galois/Counter Mode (GCM) for authenticated encryption
  • ChaCha20-Poly1305 as alternative for performance optimization
  • Authenticated encryption prevents tampering and forgery
  • Regular review and update of cryptographic standards

Asymmetric Encryption:

  • RSA-4096 for key exchange and digital signatures
  • Elliptic Curve Cryptography using P-384 curves
  • Perfect Forward Secrecy for all communications
  • Post-quantum cryptography research and planning

Key Derivation:

  • PBKDF2 with SHA-256 hash function
  • Minimum 100,000 iterations for password-based keys
  • Unique salt values for each user account
  • Adaptive iteration counts based on security requirements
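
The key hierarchy described in sections 1.1 and 2.1 (password-derived master key, per-account salt, independent per-file keys, AES-256-GCM), as an added Node.js illustration; it is not Genie9's code. The function names, the wrapping of each file key under the master key, and the use of the item ID as associated data are assumptions made for the example.

```javascript
// Added illustration, not Genie9's implementation. Function names, the
// key-wrapping step and the AAD choice are assumptions for this example.
const crypto = require('node:crypto');

const MIN_ITERATIONS = 100000; // minimum iteration count stated on the page

// Master key: PBKDF2-HMAC-SHA-256 over the password with a per-account salt.
function deriveMasterKey(password, salt, iterations = MIN_ITERATIONS) {
  if (iterations < MIN_ITERATIONS) throw new Error('iteration count below minimum');
  return crypto.pbkdf2Sync(password, salt, iterations, 32, 'sha256');
}

// AES-256-GCM with a fresh 96-bit nonce; aad binds the ciphertext to its item.
function seal(key, plaintext, aad) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(aad);
  const ct = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return { iv, ct, tag: cipher.getAuthTag() };
}

// Decrypts and verifies; final() throws if the tag, ciphertext or aad was altered.
function unseal(key, box, aad) {
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, box.iv);
  decipher.setAAD(aad);
  decipher.setAuthTag(box.tag);
  return Buffer.concat([decipher.update(box.ct), decipher.final()]);
}

// One item: an independent random file key, itself wrapped under the master key.
function encryptItem(masterKey, itemId, content) {
  const fileKey = crypto.randomBytes(32);
  const aad = Buffer.from(itemId);
  return { itemId, wrappedKey: seal(masterKey, fileKey, aad), body: seal(fileKey, content, aad) };
}

function decryptItem(masterKey, item) {
  const aad = Buffer.from(item.itemId);
  const fileKey = unseal(masterKey, item.wrappedKey, aad);
  return unseal(fileKey, item.body, aad);
}

// Constructed sample input: only `salt` and `stored` would ever leave the device.
const salt = crypto.randomBytes(16);
const masterKey = deriveMasterKey('correct horse battery staple', salt);
const stored = encryptItem(masterKey, 'item-001', Buffer.from('constructed sample document'));
console.log(decryptItem(masterKey, stored).toString());
```

A modified ciphertext, a wrong password, or a blob moved to a different item ID all fail at `unseal` rather than returning altered plaintext.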

2.2 Data Storage Security

Encrypted Storage:

  • All user data stored in encrypted form on our servers
  • Database-level encryption for additional protection
  • Encrypted backups with separate key management
  • Secure deletion procedures for removed data

Access Controls:

  • Role-based access control (RBAC) for staff
  • Principle of least privilege enforcement
  • Regular access reviews and revocation procedures
  • Multi-factor authentication required for all administrative access

3. Advanced Security Features

3.1 Duress Mode

Emergency Protection:

  • Alternative password system for emergency situations
  • Displays decoy account content when duress password is used
  • Protects real data from coercion or forced disclosure
  • Independent encryption keys for duress and normal modes

Implementation:

  • Completely separate encrypted data sets
  • No technical indicators revealing duress mode existence
  • User-configurable decoy content and structure
  • Secure deletion of duress mode data when deactivated

3.2 Time Bomb Feature

Automatic Data Protection:

  • User-configurable inactivity periods for automatic data locking
  • Progressive security escalation (lock, hide, delete)
  • Irreversible data destruction when fully triggered
  • Multiple trigger conditions (time, failed attempts, specific events)

Security Considerations:

  • Cryptographic deletion of encryption keys
  • Secure overwriting of data storage areas
  • Audit logging of time bomb activation
  • Recovery impossible once fully triggered

3.3 Secure Sharing

End-to-End Encrypted Sharing:

  • Shared data remains encrypted with user-controlled keys
  • Granular permission controls for shared content
  • Time-limited and password-protected sharing links
  • Revocation capabilities for shared access

Collaboration Security:

  • Group encryption keys for collaborative folders
  • Secure key distribution for team members
  • Activity logging for shared folder access
  • Version control with encrypted change tracking

4. Infrastructure Security

4.1 Network Security

Perimeter Protection:

  • Multi-layered firewall configurations
  • DDoS protection and traffic filtering
  • Intrusion detection and prevention systems (IDS/IPS)
  • Web Application Firewall (WAF) for application-layer protection

Communication Security:

  • TLS 1.3 for all client-server communications
  • Certificate pinning for mobile applications
  • HSTS (HTTP Strict Transport Security) enforcement
  • OCSP stapling for certificate validation

4.2 Server Security

System Hardening:

  • Minimal attack surface through service reduction
  • Regular security patching and updates
  • Endpoint detection and response (EDR) systems
  • Host-based intrusion detection systems (HIDS)

Container Security:

  • Containerized application deployment
  • Image scanning for vulnerabilities
  • Runtime security monitoring
  • Immutable infrastructure principles

4.3 Data Center Security

Physical Security:

  • Tier 3+ data center facilities
  • 24/7 physical security monitoring
  • Biometric access controls
  • Environmental monitoring and controls

Infrastructure Resilience:

  • Geographic distribution of data centers
  • Redundant power and cooling systems
  • Regular disaster recovery testing
  • Backup and recovery procedures

5. Application Security

5.1 Secure Development

Development Practices:

  • Secure coding standards and guidelines
  • Regular security code reviews
  • Static Application Security Testing (SAST)
  • Dynamic Application Security Testing (DAST)

Vulnerability Management:

  • Regular penetration testing by third parties
  • Bug bounty program for security research
  • Vulnerability scanning and assessment
  • Timely patching of identified vulnerabilities

5.2 Input Validation

Data Validation:

  • Comprehensive input validation and sanitization
  • Protection against injection attacks (SQL, XSS, etc.)
  • File type and content validation
  • Rate limiting and abuse prevention

API Security:

  • OAuth 2.0 and OpenID Connect implementation
  • API rate limiting and throttling
  • Request signing and verification
  • Comprehensive API security testing

6. Operational Security

6.1 Access Management

Administrative Access:

  • Privileged Access Management (PAM) systems
  • Just-in-time access provisioning
  • Session recording and monitoring
  • Regular access certification and reviews

Employee Security:

  • Background checks for security-sensitive positions
  • Security awareness training programs
  • Insider threat monitoring and prevention
  • Clear desk and screen policies

6.2 Monitoring and Logging

Security Monitoring:

  • 24/7 Security Operations Center (SOC)
  • Security Information and Event Management (SIEM)
  • User and Entity Behavior Analytics (UEBA)
  • Threat intelligence integration

Audit Logging:

  • Comprehensive logging of system and user activities
  • Tamper-evident log storage
  • Long-term log retention for forensic analysis
  • Regular log review and analysis

7. Incident Response

7.1 Response Procedures

Incident Management:

  • 24/7 incident response capability
  • Defined escalation procedures and timelines
  • Forensic analysis and evidence preservation
  • Communication plans for stakeholders

Response Team:

  • Dedicated incident response team
  • Regular training and simulation exercises
  • External forensic and legal support relationships
  • Post-incident review and improvement processes

7.2 Zero-Knowledge Considerations

Investigation Limitations:

  • Limited forensic capabilities due to encrypted data
  • Focus on system and network-level indicators
  • Metadata analysis for incident reconstruction
  • User cooperation required for content-related investigations

Recovery Procedures:

  • Service restoration without compromising encryption
  • Verification of data integrity after incidents
  • Communication with affected users
  • Lessons learned and security improvements

8. Compliance and Certifications

8.1 Security Standards

Industry Certifications:

  • SOC 2 Type II compliance
  • ISO 27001 Information Security Management
  • Regular third-party security assessments
  • Compliance with industry best practices

Regulatory Compliance:

  • GDPR and UK GDPR compliance
  • California Consumer Privacy Act (CCPA) compliance
  • Export control compliance for encryption technology
  • Regional data protection law compliance

8.2 Continuous Improvement

Security Program:

  • Annual security program reviews
  • Regular risk assessments and threat modeling
  • Security metrics and KPI tracking
  • Industry collaboration and information sharing

Technology Updates:

  • Regular evaluation of new security technologies
  • Cryptographic algorithm updates and migration
  • Security architecture evolution
  • Emerging threat response capabilities

9. User Security Responsibilities

9.1 Account Security

User Responsibilities:

  • Strong, unique password selection
  • Secure storage of master passwords
  • Regular password updates when appropriate
  • Protection of account recovery information

Security Best Practices:

  • Use of password managers
  • Regular security settings review
  • Secure device configuration
  • Awareness of social engineering threats

9.2 Data Protection

Local Security:

  • Device-level security measures
  • Secure backup of encryption keys
  • Protection against device theft or loss
  • Regular software updates and patches

Sharing Security:

  • Careful consideration of sharing permissions
  • Secure communication of sharing credentials
  • Regular review of shared content and permissions
  • Prompt revocation of unnecessary access

10. Security Limitations

10.1 Technical Limitations

Inherent Constraints:

  • Cannot protect against compromised user devices
  • Limited ability to detect client-side security issues
  • Dependence on user security practices
  • Physical security limitations for user devices

Zero-Knowledge Trade-offs:

  • Reduced ability to provide certain security services
  • Limited malware detection capabilities
  • Cannot recover lost passwords or keys
  • Restricted forensic analysis capabilities

10.2 Threat Model

Protected Against:

  • Server-side data breaches
  • Man-in-the-middle attacks
  • Government surveillance of server data
  • Insider threats at Genie9

Not Protected Against:

  • Compromised user devices
  • Malware on user systems
  • Physical access to unlocked devices
  • User security mistakes or negligence

11. Security Updates and Communications

11.1 Security Notifications

User Communications:

  • Security advisory notifications
  • Critical security update announcements
  • Incident notifications when required
  • Annual security report publication

Update Procedures:

  • Automatic security updates where possible
  • User notification of manual update requirements
  • Staged rollout of security patches
  • Emergency update procedures for critical issues

11.2 Transparency

Public Reporting:

  • Annual transparency reports
  • Security incident disclosure policy
  • Bug bounty program results
  • Security research collaboration

Documentation:

  • Public security white papers
  • Technical security documentation
  • Best practices guides for users
  • Regular security blog posts and updates

12. Reporting Security Issues

12.1 Vulnerability Reporting

Security Research:

  • Responsible disclosure policy
  • Bug bounty program for security researchers
  • Clear reporting procedures and timelines
  • Recognition and rewards for valid findings

Contact Information:

  • Email: security@genie9.com
  • PGP key available for encrypted communications
  • Response within 24 hours for critical issues
  • Regular updates on investigation progress

12.2 User Security Concerns

Reporting Channels:

13. Limitation of Liability

13.1 Security Disclaimers

Service Limitations:

  • Security measures provided on best-effort basis
  • No guarantee against all possible security threats
  • Users acknowledge inherent risks of online services
  • Regular review and update of security measures

Liability Limits:

  • Liability limited as set forth in Terms of Service
  • Focus on reasonable security measures
  • Cooperation with law enforcement where legally required
  • User responsibility for device and local security

14. Changes to This Document

14.1 Updates

Version Control:

  • Regular review and update of security practices
  • User notification of material changes
  • Version tracking and change documentation
  • Historical versions available upon request

Improvement Process:

  • Continuous security program enhancement
  • Integration of new threats and technologies
  • User feedback incorporation
  • Industry best practice adoption

15. Contact Information

For security-related inquiries:

Security Team:

Email: security@genie9.com

PGP Key: [Available on our website]

General Security Questions:

Email: support@genie9.com

Abuse Reports:

Email: abuse@genie9.com

Legal and Compliance:

Email: legal@genie9.com

Mailing Address:

Genie9 LTD

Security Department

3 Shortlands

W68DA, London

United Kingdom

This Security Practices document was last updated on March 18, 2025. We are committed to maintaining and improving our security posture to protect user privacy and data security.
