Cloud Locations and Data Security

Your Backup Intelligence Storage Vault is automatically encrypted end-to-end at the time of your initial backup to one of our three cloud locations which you select at install.

This is displayed in your history log with the following message: "The Storage Vault has been encrypted for the first time. Data is irrecoverable without the encryption key."

For security, you can only reset a lost account password if you had authorised Backup Intelligence to do so from your Account Settings beforehand, so please check this box if you require a password reset as we cannot do so otherwise.  Without your password, your backup data cannot be accessed as it's also part of your encryption key, and you would need to start a new account.

We also by default cannot see the filenames which you have selected to backup, nor see them in any logs, you can allow us to see them by turning on display filenames in the Backup Intelligence client.

A two-factor authentication feature will be available in the web portal and admin console in the future, and we highly recommend that users and administrators enable and make use of this in a future release.

A device quota is also set for each account. This permits only the number of devices that have been paid for that account to sign in, meaning that an extra unauthorised device cannot sign into the Backup Intelligence client to retrieve your backup data without your permission.

Your backup data is only stored at the location you select, and we are compliant with EUDPD and GDPR.

Company And Data Centre Details

CeeJay Software Limited
Logans House
Lochlands Avenue

Our data centres and details are shown at the links below:

The data centres hold the following certifications:

  • ISO 27001,
  • ISO 140001,
  • ISO 9001
  • OHSAS 18001

Encryption Explained In-Depth 

The user's password is used to derive two 192-bit keys (the "L" and "R" keys) via PBKDF2-SHA512, with hard-coded parameters for repeatable output.

  • The L-key is used to log in to the Auth Role server in place of the real password; the server stores only a bcrypt (sha512) hash of this L-key.
  • The R-key never leaves the client and is used to encrypt secret keys stored within the user's profile on the server.
  • This means that one password can be used for all client-side account operations while preventing servers from uncovering client-only secrets.

    When Backup Intelligence sets up a Storage Vault for the first time, it generates two high-entropy random keys (the 256-bit "A" and 128-bit "E" keys). All user data in the Storage Vault is stored encrypted with the A-key using AES-256 in CTR mode, and authenticated using Poly1305 in AEAD (encrypt-then-MAC) mode.

    The permanent A-key is stored inside the Storage Vault, encrypted with the E-key. The E-key is then encrypted with the R-key and stored in the user's profile on the Auth Role server. When a backup is performed, the client uses its password to derive the private R-key, to decrypt the E-key from the vault, to decrypt the A-key for data storage. This extra level of indirection enables some key rotation scenarios, as a new E-key can be generated without needing to re-encrypt all the data in the Storage Vault.

    If the Storage Vault is for a Storage Role bucket, a high-entropy random 128-bit PSK is used to gate access to the bucket. The Storage Role server stores only a bcrypt (sha512) hash of this PSK. The client encrypts this PSK with the R-key and stores it in the user's profile on the Auth Role server.

    Did this answer your question? Thanks for the feedback There was a problem submitting your feedback. Please try again later.

    Still need help? Contact Us Contact Us