Technology Details

This is a very brief overview of the technologies we use to protect 'our' users and 'our' employees.

We have also provided some background information on the legal frameworks we have established and operate under across our company, and on our localised legal requirements. Should you have any queries, please do not hesitate to contact us.

Last updated Nov 08 2015.

Have any interesting ideas?

We are always on the lookout for interesting ways to make Invacio products as secure and privacy-focused as possible. If you have some interesting ideas, please do get in touch.

OpenPGP.js

OpenPGP.js is an open source PGP library for JavaScript.

This project aims to provide an Open Source OpenPGP library in JavaScript so it can be used on virtually every device. Instead of other implementations that are aimed at using native code, OpenPGP.js is meant to bypass this requirement (i.e. people will not have to install gpg on their machines in order to use the library). The idea is to implement all the needed OpenPGP functionality in a JavaScript library that can be reused in other projects that provide browser extensions or server applications. It should allow you to sign, encrypt, decrypt, and verify any kind of text - in particular e-mails - as well as managing keys.

You can find out more on their wiki and here.


Zero-Knowledge Architecture

Our zero-knowledge policy means that we never store our users' private keys or unencrypted email on our servers, including in cache on signup and login; this is all done client-side. It also means that we minimise metadata as much as possible and look at further ways of hiding your data. Currently we have in place "no logs", "no identity information leaked in metadata" and "no analytics", on top of the existing encryption of your communications against an account that we can neither see nor narrow down on even if we wanted to... just 1's and 0's.


Multiple-Factor Authentication

On our current release, at the very least, to be able to access your Invmail account, you need to input your account password, your private key and your private key passphrase (what is a PGP passphrase?).

Additionally, our premium users will be able to choose additional or different authentication options, like Swekey or the more popular YubiKey. Naturally, mobile verification will also be possible.


Open Source

Currently the application code for the basic Invmail shell is already on GitHub in the form of the LB package. However, we are making core changes all the time and developing the product further. Our Voice and Video Calling system and our Messenger system are both fully active on our main build at Invacio; once they are integrated into Invmail and we are fully operational with a stable, complete build, we will look at open sourcing these additions to the platform. Naturally, any upgrades we develop for Invmail will also be released periodically to our GitHub account.

We feel strongly about the Open Source Project, and we look forward to building on it.


The Key-Exchange

Key management has up until now been one of the major weak points of PGP email, and Invmail is very keen on solving this problem within itself and for the community.

Alongside SMTP and a regular key server, we'll also support two new secure protocols, intermail and DarkMail.


Fighting Threats

Generally speaking, the most important security pitfalls aren't technical but are down to user error or key mismanagement. This means that, generally speaking, we are working to find an overall solution to the PGP e-mail UX problem that has eluded people for well over twenty years.

We currently utilise OpenPGP.js to encrypt our emails on the client-side, then use the user's public key to un-encrypt them server-side when they arrive encrypted, so the data is never stored unencrypted on our servers.

To date, our basic threat scenario (one that could jeopardise data on an account-by-account or server basis) is that a third party has obtained control over our servers, or over a user's account (private key). In the server case, even if they manage to decrypt our servers' partitions (bear in mind we spread all of our system over multiple servers and locations), and then our database, the third party still will not have gained access to any of the emails stored on the server, because we never store unencrypted emails on our servers. In the client-account case, for a third party to be able to use or access the user's data they'd have to crack the private key's encryption, which is virtually impossible for hard passwords (long and non-dictionary; we suggest 1Password or an appropriate alternative for creating and storing passwords, but please make sure you store the data either in a secure local place or in your Invacio Cloud Account).

We have no concerns over MitM attacks, as we have circumvented these by using SSL everywhere across the application; this also includes traffic between our multiple servers.
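The server-compromise case described above, as an added example that is not Invmail's code: it uses Node's built-in crypto module as a stand-in for OpenPGP.js, and all function names, the passphrase and the message are constructed for illustration.

```javascript
const crypto = require('crypto');

// Client side: generate the key pair and encrypt the private key under the
// passphrase before anything is uploaded. (All names here are hypothetical.)
function createAccount(passphrase) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', {
    modulusLength: 2048,
    publicKeyEncoding: { type: 'spki', format: 'pem' },
    privateKeyEncoding: { type: 'pkcs8', format: 'pem', cipher: 'aes-256-cbc', passphrase },
  });
  return { publicKey, wrappedPrivateKey: privateKey };
}

// Hybrid encryption to a public key: AES-256-GCM for the body, RSA-OAEP to
// wrap the one-time body key.
function encryptFor(publicKey, plaintext) {
  const key = crypto.randomBytes(32);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const body = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  const wrappedKey = crypto.publicEncrypt({ key: publicKey, oaepHash: 'sha256' }, key);
  return { wrappedKey, iv, tag: cipher.getAuthTag(), body };
}

// Client side: unlocking the private key needs the passphrase; a wrong one throws.
function decryptWith(wrappedPrivateKey, passphrase, msg) {
  const unlock = { key: wrappedPrivateKey, passphrase, oaepHash: 'sha256' };
  const key = crypto.privateDecrypt(unlock, msg.wrappedKey);
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, msg.iv);
  decipher.setAuthTag(msg.tag);
  return Buffer.concat([decipher.update(msg.body), decipher.final()]).toString('utf8');
}

// Constructed scenario: `server` is everything a party holding the servers
// would see; the passphrase exists only on the client.
function serverCompromiseDemo() {
  const passphrase = 'constructed-long-non-dictionary-passphrase';
  const text = 'constructed message body';
  const account = createAccount(passphrase);
  const server = { ...account, mail: encryptFor(account.publicKey, text) };
  let withoutPassphrase = null;
  try {
    withoutPassphrase = decryptWith(server.wrappedPrivateKey, 'wrong guess', server.mail);
  } catch (e) { /* private key cannot be unlocked, so nothing is readable */ }
  const owner = decryptWith(server.wrappedPrivateKey, passphrase, server.mail);
  return { plaintextOnServer: server.mail.body.includes(text), withoutPassphrase, owner };
}

console.log(serverCompromiseDemo());
```

The passphrase-encrypted PEM key stands in for an OpenPGP passphrase-protected secret key; in both, resistance to guessing rests on the passphrase strength the paragraph above describes.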


Servers

For a number of reasons, we are an established company in a number of countries, each part of the jigsaw that Invacio Holdings sits under. For instance, we recently moved our legal side away from the UK due to their new encryption laws. On our development front we are based in India and Indonesia, where we have front-end and back-end developers at our very own private offices. We are established in BVI for the privacy protection, and we have just established an office and our new HQ in Hong Kong, which is where our day-to-day operations are run from. On the server side, we have the application framework on our own servers in Holland, and we have our data servers (where your data is stored) in Switzerland at two private manned offices. We only have physical access to the servers themselves. We also have a number of servers in Madrid, Spain, mainly utilised as testing grounds and for alpha testing of enhancements.

Our servers are also on a twelve-hour countdown, whereby failure to input the correct code within twelve hours, two times a day, results in disk deletion, then frying.


Legal framework

As touched on in "Servers", we are a multi-national company based in BVI, HK, Switzerland, India, Indonesia, Holland and Spain, and are subject to a number of laws. However, Invmail has been ring-fenced for Swiss deployment and registration, like our main system, thus we follow Swiss law and Swiss privacy laws. We are also protected by the various laws in Holland, Spain, BVI and HK in regards to localised infrastructure or office access.

Invmail, like any company operating in the Western world, is required by various local or regional laws to request information from paying users, such as their "name" and "billing address". However, please note: if a user is paying for an account with Bitcoin, Stripe or local tender, they will need to provide "information", but we're not legally compelled to verify the information supplied. In such cases it has been known that Mickey Mouse has bought a year's access to our Private Server offerings...

Free users are only required to provide a "name". Please see our Terms and Conditions and Privacy Policy for more detail.


NSA and other acronym organisations-proof

This is not a snake-oil sale, I've read on the internet numerous times about such shady companies offering the earth, I just wish to make it clear, I state categorically that no email provider is 'NSA-proof or other spy agency proof' so if you're the budding next Edward Snowden, my advice is to get in touch with him to advise you directly, for when an agency like the NSA or other put all their effort to one organisation such as Invmail then ultimately the accounts you create will be as secure as the password you created for they will have super computers crunching numbers by the thousands... - Ex-NSA System Specialist who advised on our project named Kenneth Hilliard.

While a Zero-Knowledge system has its benefits, please for your own sake do not use our service for day-to-day if you believe that you are an NSA, CIA, BND, MI".", or other target, or could become one in the future.

Invmail is suitable for combating dragnet and similar surveillance programs, as well as corporate profiling and hackers.

Our security is better than Gmail, Hotmail, Ymail and so on; however, you should not put your life in the hands of any email provider.

We encourage members of the media to get in touch and learn more about our encryption and technology stack setup.


Premium features

Invacio has a number of premium packages; however, as we are still alpha/beta testing them, we have not openly packaged them up for signup. The following are examples of some of the features that will be released into the premium market.

Premium Standard : Additional Storage, 2 Factor Authentication, Secure Contacts, Diary, Calendar, Secure Voice/Video Calling, Secure Messaging on a per month/annual basis.

Premium Vantage : Additional Storage, 2 Factor Authentication, Secure Contacts, Diary, Calendar, Secure Voice/Video Calling, Secure Messaging, Alias, Own Domain, on a per month/annual basis.

Premium Vantage : Additional Storage, 2 Factor Authentication, Secure Contacts, Diary, Calendar, Secure Voice/Video Calling, Secure Messaging, Alias, Own Domain, Cloud Storage, on a per month/annual basis.

Corporate Cloud Standard : Our Server Set Up, Disk Storage set by purchaser, 2 Factor Authentication inc. additional Authentication mentioned above, Secure Contacts, Diary, Calendar, Secure Voice/Video Calling, Secure Messaging, Alias, Own Domain, Own Branding, on a per month/annual basis.

Corporate Cloud Vantage : Our Server Set Up, Disk Storage set by purchaser, 2 Factor Authentication inc. additional Authentication mentioned above, Secure Contacts, Diary, Calendar, Secure Voice/Video Calling, Secure Messaging, Alias, Own Domain, Own Branding, Cloud Storage, on a per month/annual basis.

Corporate Own Server : Client's Server (all of the above but localised install and managed service for the client organisation), billed on a yearly basis.

Please get in touch if you are interested in Invmail for your business.


Mobile and Desktop Applications

Native apps are in the pipeline for iOS, Android and 'other' in the mobile range, and for Mac, Windows and Linux in the desktop range, but overall these are not a high priority until we have all the systems integrated and beta run. As soon as we achieve 100,000 users on Invmail, though, we will immediately begin redirecting our resources to these applications. Please also note that the application is rendered for mobile and tablet; however, there are a few cosmetic issues. As this is in 'Beta', we ask our users to inform us of them, including the device you are using, so that we can resolve them and make certain that we render professionally for each device size.


Account Creation

Invmail is currently in a stage of 'Open Beta'. This means anyone can sign up within seconds at our application signup page here. If you experience any issues, please contact us asap. Please also note that, due to the nature of the system, if you lose your invite code you will need to use an alternative email address to receive a new one, for the account creation is linked to the verification code that is emailed out. We have since closed access to this particular system to add an additional layer of privacy, so we cannot help if you delete or lose the invite code. Also note that if you forget or lose your password or key later on, we have no way of recovering your account for you, as this is part of the application framework.

Please note: if you change your password or your key, this will nullify access to your existing emails prior to the change; this also includes calendar, contacts, messages, and voice/video history and contacts. This is a security precaution that gives you the ability to quickly nullify your access and encrypt all data on a then 'lost' key, leaving no one with physical decryption capabilities. Please note, though, that if you download your key before completing this you can later re-add it to read the data, but make sure you take a copy of your most recent key before uploading the old one, for that data will naturally be nullified in the process. Also note that localised saved backups are available from the emails etc. themselves.


Simplistic secure communications


Invacio Holdings HK

2512 Langham Place Office Tower
8 Argyle Street, Mongkok
Hong Kong
HK



For support inquiries, please visit
Support Centre



For security related
security@invacio.com