Learn more about encryption and how Precisely secures your data
What is encryption?
Encryption is the process of securing information or data by converting it into incomprehensible text in order to make it unreadable without a password (also called an “encryption secret”). This is highly relevant when protecting your data from any unauthorized access.
How is my data in Precisely encrypted?
Tenant encryption: military-grade security of your Precisely data
On top of the already active encryption at rest, organizations can also enable tenant encryption: an additional layer of protection that enhances the security of their data content.
Why tenant encryption?
Some of the key benefits of enabling tenant encryption are:
1. Increased compliance with the latest EU regulations on data and privacy
→ GDPR and Schrems II
2. Minimized risk of unauthorized access
→ utilizing so-called “tenant encryption” delivers military-grade security for your organization
3. Improved privacy and data control
→ triple-verified access means that no one outside your organization can access your data in any way (for example, Precisely employees or third-party companies such as hosting providers)
How does it work?
For a better understanding of what tenant encryption is, here are some useful definitions:
- Private secret = Usually a password or similar. It can be used to encrypt and decrypt organization secrets. Each user in Precisely has a private secret.
- Organization secret = The secret that protects the organization’s data within Precisely. This secret must be unlocked in order to access the contents.
- Object secret = The secret for each document in Precisely.
- Organization = Organization in the Precisely Platform.
Tenant encryption works by using a combination of user-specific and organization encryption methods. That is, it includes both the organization secret and a unique private secret for each user.
Only trusted users (admins) can get the organization secret. Then, they’re able to share the organization secret with other users.
Each user will be able to access the organization data only after both using their private key (an account password) and having the organization secret shared with them. Therefore, triple-verification is needed for each user before they’re able to access any of the organization's data.
Another important element of tenant encryption is that there is an object secret for each document in Precisely. This object secret is derived (or generated) from the organization secret such that if you have the organization secret, you can get the object secret, but if you have the object secret, you cannot get the organization secret.
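The hierarchy described above can be sketched as follows; this is an added example, not Precisely's code, showing the organization secret wrapped under each user's password-derived key, per-document secrets derived one-way from it, and why a password reset invalidates the user's wrapped copy. The algorithm choices (PBKDF2, HKDF-SHA256, an encrypt-then-MAC wrap standing in for an AEAD), all function names, the iteration count and the passwords are assumptions made for illustration.

```python
import hashlib, hmac, os

def hkdf(key: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF-SHA256 (RFC 5869, all-zero salt): one-way key derivation."""
    prk = hmac.new(b"\x00" * 32, key, hashlib.sha256).digest()
    okm, block, i = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([i]), hashlib.sha256).digest()
        okm, i = okm + block, i + 1
    return okm[:length]

def private_key(password: str, salt: bytes) -> bytes:
    """Stretch a user's private secret (password) into a wrapping key."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def _mac(kek: bytes, data: bytes) -> bytes:
    return hmac.new(hkdf(kek, b"wrap-mac"), data, hashlib.sha256).digest()

def wrap(kek: bytes, secret: bytes) -> bytes:  # encrypt-then-MAC stand-in for an AEAD
    nonce = os.urandom(16)
    pad = hkdf(kek, b"wrap-pad" + nonce, len(secret))
    ct = bytes(a ^ b for a, b in zip(secret, pad))
    return nonce + ct + _mac(kek, nonce + ct)

def unwrap(kek: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _mac(kek, nonce + ct)):
        raise ValueError("wrong private secret or tampered copy")
    pad = hkdf(kek, b"wrap-pad" + nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, pad))

def object_secret(org_secret: bytes, document_id: str) -> bytes:
    """Per-document secret: derivable from the organization secret, not back."""
    return hkdf(org_secret, b"object:" + document_id.encode())

def demo() -> dict:
    org_secret, salt = os.urandom(32), os.urandom(16)
    # Constructed passwords; wrapping the share under the user's key is a simplification.
    admin_key = private_key("admin-passphrase", salt)
    user_key = private_key("user-passphrase", salt)
    admin_copy = wrap(admin_key, org_secret)
    user_copy = wrap(user_key, unwrap(admin_key, admin_copy))  # admin shares
    via_user = object_secret(unwrap(user_key, user_copy), "doc-1")
    try:  # a reset password derives a different key, so the old copy fails
        unwrap(private_key("new-passphrase", salt), user_copy)
        reset_ok = True
    except ValueError:
        reset_ok = False
    return {"same_object_secret": via_user == object_secret(org_secret, "doc-1"), "reset_keeps_access": reset_ok}
```

Calling `demo()` shows the shared user deriving the same document secret as the admin, while the post-reset key fails to unwrap the stored copy until the secret is shared again.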
How can I activate tenant encryption?
Admin users can initiate tenant encryption for their organization in the Security section of the Precisely Platform.
Don’t have the "Initiate" button available? Since this is an additional security feature, you’ll need to get in touch with us before being able to begin the process of activation.
In order to activate tenant encryption, an admin must schedule an encryption session. Other users won’t be able to use the platform while the organization data is being encrypted (it can take up to three hours), but they will get a message 10 minutes prior, giving them enough time to save their work and log out.
💡 Pro tip: We recommend scheduling the session outside of working hours and, if possible, additionally informing other users about it so they can plan their work accordingly.
Once the encryption session is complete, all the existing content becomes encrypted. When it comes to the existing users, admins must give them access (that is, share the organization secret). Admins will be able to view the status of each user's access and share the secret with them.
In the future, all new content will always be automatically encrypted, so there is no need for any other encryption sessions later on.
When it comes to new users after enabling tenant encryption, admins will be notified by email when new users are added to the organization, whereafter they’ll need to share the organization secret with each new user.
Note: This step cannot be automated for security reasons (for example, similar to when you choose to set up multi-factor authentication for accessing certain systems).
Are there any changes to Precisely’s functionality?
For both technical and security reasons, there are several factors that are important to keep in mind if tenant encryption is enabled in your Precisely organization.
- When inviting a counterparty for a review, they will be able to access the document through a secure link in the email (no PDF document will be attached).
- If using the “Signatory CC” feature, the signed document will be accessible through a secure link in the email (no PDF document will be attached).
- Reference values in reminder messages will still be sent directly in the email body. This means that ⚠️ this content is not encrypted ⚠️. Therefore, make sure your reminder messages (text and/or reference values) do not contain any confidential information.
- The existing API tokens will no longer be valid. You need to generate new ones after tenant encryption is enabled and reconnect the newly created tokens in your existing integrations.
- The “Log in with Google” button won’t work on Precisely’s login page, which means users will have to log in with an email and password. See what to do if you don’t know your password.
- If a user resets their password, they will temporarily lose access to all encrypted content until they get access shared with them again.
- If your organization has Single Sign-on (SSO) to Precisely, the SSO connection must be updated after the encryption session. After that, the users will be able to log in using SSO.
In need of more information?
If you’re looking for more technical documentation, or if you’d simply like to know more about encryption, tenant encryption, or security in Precisely, make sure to contact us. If your company has an IT department, don’t forget you can also talk to them.
We’re here to keep your data secure!