Security Audit By NCC Group
Monday, Aug 26, 2019
As a user of Padloc, you entrust us with some of your most sensitive and private data and we recognise the immense responsibility that comes with this. Padloc is built from the ground up with a focus on security, privacy and transparency and we employ these principles every step along the way when handling your data. As a security-sensitive service, cryptography and information security is at the very heart of our product. Unfortunately, these principles can be very hard to grasp for non-technical users and even though our source code is open and available publicly, we understand that few people actually have the technical knowledge and expertise to assess the security of an application like Padloc. That is why independent security audits and penetration tests by reputable third parties are an essential part of our security practices.
In Spring 2019, the security experts at NCC Group performed a cryptographic review of the Padloc 3 application. The goal of the audit was to identify any potential design flaws and implementation problems within the core components used throughout the application.
We’re happy to announce that no critical issues were discovered and all relevant problems were addressed immediately and have since been fixed. All findings, as well as the mitigations and fixes performed by our team, can be found in the report prepared by NCC Group:
We’d like to thank the Open Tech Fund for generously funding this audit as well as NCC Group for their thorough and professional work!
As the custodians of some of your most sensitive and private data, we are committed to the highest security standards and will continue to work with independent security experts to make sure Padloc lives up the high expectations and trust our users place in us. If you’d like to know more about Padlocs security design and the underlying cryptographic principles, you can find detailed explanations and specifications in our security whitepaper. And of course, if you’d like to dig even deeper, the entire source code is publicly available on Github.