Compliance Center

Built on zero-knowledge cryptographic principles from the ground up. Our products use mathematically provable encryption and layered defenses to give you complete data sovereignty and privacy.

Zero-Knowledge by Design

Our architecture prevents data access by design. Even if our systems were fully compromised, we cannot mathematically decrypt your data. Zero-knowledge encryption is not a feature add-on. It is the foundation of our security model, validated through formal cryptographic proofs and independent security audits.

No Data Access

We cannot decrypt your data

You Hold Keys

Only you control encryption keys

Privacy First

Your data is truly private

No Backdoors

No government access required

Why Zero-Knowledge Matters

Unlike conventional cloud services, we never hold cryptographic custody of your data. Our zero-knowledge architecture removes the attack surface entirely. Compliance becomes a mathematical guarantee, not just a policy. We cannot decrypt data we never have keys for.

Your encrypted data sits on our infrastructure. Your cryptographic keys stay under your control alone. The result is data sovereignty enforced in code, not just in policy.

Encryption Architecture

Our layered key derivation architecture uses cryptographic depth to enforce complete tenant isolation and per-user data encryption. Each key chain is mathematically independent.

Cryptographic Stack: AES-256-GCM (AEAD) with PBKDF2-SHA256 key derivation (600K+ iterations) • CSPRNG-generated unique nonces per operation • Authenticated encryption with built-in integrity verification

Your DataFiles • Databases • Configs • Secrets • API KeysYour raw data encrypted across multiple layersPer-User KeysUnique per user accountIndividual data protectionUnique encryption keys for each userPer-User KeysUnique per user accountIndividual data protectionUnique encryption keys for each userPer-Tenant KeysWraps all user keysTenant-level isolationWraps all user keys - ensures tenant isolationPer-Tenant KeysWraps all user keysTenant-level isolationWraps all user keys - ensures tenant isolationExternal Wrapping Key (Your Control)You manage this key via SDK/CLI/APIRotate • Revoke • Restrict • AuditMaster key YOU control - wraps all tenant keys, grants access to encrypted dataSDK ExamplesPython SDKimport takelankey = takelan.load_key()• Node.js • Go • RustManage keys via SDKs, CLI, or REST API

Technical Specifications

Cryptographic Algorithms
  • Encryption: AES-256 in GCM mode (AEAD)
  • Key Derivation: PBKDF2-SHA256 with 600,000+ iterations
  • Random Generation: CSPRNG (SecureRandom)
  • Integrity: HMAC-SHA256 verification on all ciphertexts
Key Hierarchy & Storage
  • DEK (Data Encryption Keys): 256-bit per user
  • KEK (Key Encryption Keys): 256-bit per tenant
  • EWK (External Wrapping Key): 256-bit, client-managed
  • IV/Nonce: Unique 96-bit per encryption operation
Security Properties
  • IND-CCA2 Security: AES-GCM provides semantic security
  • Forward Secrecy: Key compromise doesn't affect past data
  • Authentication: GCM provides built-in authentication tag
  • Initialization: Cryptographically random per-operation IVs
Operational Standards
  • Key Rotation: Supported without data re-encryption
  • Compliance: NIST SP 800-38D standards adherence
  • Memory Protection: Secure zeroization of sensitive data
  • Transport: TLS 1.3+ for all key operations
Per-User Encryption

Each user's data encrypted with unique AES-256-GCM keys derived from their credentials

DEK isolation ensures complete user data separation

Tenant Isolation

KEK wrapping prevents cross-tenant key access even with database breach

Cryptographic separation at infrastructure level

You Hold Keys

Master wrapping key (EWK) managed exclusively by you via SDK/API

256-bit entropy minimum, client-side only

Full Control

Rotate, revoke, restrict access windows, and audit all key operations

Real-time certificate and key lifecycle management

Schedule-Based Controls

Time-bound key usage policies with UTC-synchronized enforcement across infrastructure

Restrict operations to maintenance windows • Enforce compliance policies

Complete Audit Logging

Immutable logs of every key operation with timestamps, source IPs, and user context

Tamper-evident hashing • Remote append-only storage • 7+ year retention

Data Export & Transparency

Full encrypted data export in open formats with decryption keys under your control

No proprietary formats • Open-source client SDKs • Independent security audits

No Vendor Locking

Portable encrypted backups with key escrow options and migration assistance included

Cryptographic portability • Multi-platform support • 60-day transition SLA

Threat Model & Mitigations

Our architecture is designed to withstand and mitigate multiple attack vectors through cryptographic and operational controls

Database Breach

Even if our entire database is compromised, encrypted data remains secure.

Mitigation: Multi-layered key wrapping ensures an attacker would need the EWK you control to access any user data, plus every tenant's master KEK separately.

Insider Access

Malicious or compromised employees cannot decrypt customer data.

Mitigation: Keys are never decrypted in unencrypted logs. Audit logging tracks all access attempts with tamper-evident storage and monitoring.

Legal/Regulatory Compulsion

Law enforcement cannot force us to hand over decrypted customer data.

Mitigation: We literally cannot decrypt customer data, your EWK is never stored on our systems. This architectural guarantee protects both of us legally.

Cryptographic Compromise

Future discovery of cryptographic weaknesses has limited scope.

Mitigation: We use NIST-approved algorithms with 256-bit keys. Post-quantum cryptography migration path is planned and will be offered with forward compatibility.

Cross-Tenant Contamination

One tenant's data cannot be accessed even with another tenant's key.

Mitigation: Each tenant's KEK (Key Encryption Key) is mathematically independent from all others. Data isolation is enforced at both the cryptographic and database levels.

Replay Attacks

Replaying encrypted operations or audit logs cannot grant unauthorized access.

Mitigation: Unique IVs, sequence numbers, and timestamps with server-side deduplication prevent replay attacks on both data and key operations.

Estimated Time to Break Our Encryption

Cryptographic analysis of our security parameters and real-world attack scenarios

Using cryptographic analysis and computational complexity theory, we show why breaking our layered encryption is not practical within any meaningful timeframe.

Interactive Encryption Break Time Calculator

Adjust parameters to see how different cryptographic configurations affect the time needed to break encryption. We emphasize that TakeLAN uses industry-leading standards with maximum security margins.

Encryption Parameters

TakeLAN uses AES-256-GCM (recommended standard)

128 bits (AES-128)256 bits (AES-256)
Advanced Parameters
0% (Ideal - Full strength)100% (Worst - 50% reduction)

Reduces break time by up to 50%. TakeLAN uses cryptographically random IVs far below collision threshold (effectively 0%).

Move slider right to see impact of IV collisions on security

Security Assessment:

Maximum security maintained with current industry standards.

Estimated Time to Break

~10^51 years

2^256 operations (IV Collision Risk: 0%)

Assuming Earth's total computational power combined in a single attack

Key Insight: TakeLAN uses industry-standard cryptographic primitives and layered key hierarchies. The encryption is virtually unbreakable. Even in the worst theoretical attack, breaking it would require more computing power than all systems on Earth combined, running for billions of years.

AES-256-GCM Brute Force

Estimated Time:

~2^128 operations

≈ 5.4 × 10^36 years

Assumes all computational power on Earth combined attempting exhaustive key search.

Reality: Brute force is cryptographically infeasible. At 1 billion keys/nanosecond with Earth's entire computational capacity, breaking a single AES-256 key would take longer than the age of the universe.

Quantum Computing Threat

Grover's Algorithm (Worst Case):

~2^128 → 2^64 operations

Still ~18.4 × 10^18 years

Even with fault-tolerant quantum computers (millions of logical qubits), Grover's algorithm only yields a square-root speedup against AES-256.

Status: Quantum threat is theoretical and remains 20+ years away, if feasible at all at this scale.

PBKDF2-SHA256 Password Attack

600,000+ Iterations (Current Standard):

Per guess: 600,000 SHA256 operations

~1 millisecond per guess on modern hardware

Even with weak user passwords (12 characters), the computational cost makes dictionary attacks impractical at scale.

  • • 95^12 possible passwords ≈ 475 quadrillion combinations
  • • At 1 guess/ms: ~15 million years
  • • Salt prevents rainbow tables entirely

IV Collision Probability

96-bit Random IV (Birthday Bound):

2^48 encryptions before collision

~281 trillion encryptions

At 1 million encryptions per second (massive scale), collision occurs after ~8,900 years.

Mitigation: We use cryptographically random IVs with per-operation uniqueness guarantees, far below the collision threshold under real-world workloads.

Breaking Our Full Multi-Layer Architecture

An attacker would need to break multiple independent layers simultaneously:

Layer 1: AES-256-GCM (Data)

Time: ~10^36 years

Layer 2: AES-256-GCM (DEK)

Time: ~10^36 years

Layer 3: AES-256-GCM (KEK)

Time: ~10^36 years

Layer 4: EWK (Your Control)

Time: ~10^36 years

Combined Attack: Breaking all four layers independently would require computationally infeasible resources. Our architecture ensures that compromising one layer does not expose the others. An attacker would need all four keys to decrypt any data.

Realistic Attack Vectors

  • Side-Channel Attacks:

    Timing analysis, power analysis, cache attacks, mitigated through constant-time implementations and hardware-backed enclaves.

  • Implementation Bugs:

    More likely than algorithmic breaks. Mitigated by code review, fuzzing, and third-party audits.

  • Weak Key Generation:

    Insufficient entropy in key derivation, we use CSPRNG with 600k+ PBKDF2 iterations.

  • Social Engineering:

    Compromising user credentials directly, mitigated by MFA and secure credential handling.

Why Our Architecture Wins

  • Defense in Depth:

    Multiple independent encryption layers mean one compromise doesn't expose data.

  • You Control the Master Key:

    Even if we're breached, without your EWK, attackers cannot decrypt anything.

  • Mathematical Guarantees:

    Not operational security theater, cryptographic proofs ensure data privacy.

  • Auditability:

    All key operations are logged and verifiable; breach detection is immediate.

Bottom Line

Breaking TakeLAN's layered encryption is practically impossible with today's and tomorrow's technology. We use NIST-approved cryptographic primitives and layered key protection. This lets us prove our security with math, not just promises. Our zero-knowledge design eliminates the need for trust. You verify cryptographic proofs, not security claims.

Still Pursuing Industry Standards

Our zero-knowledge architecture already protects your privacy by design. We are also actively pursuing industry-leading certifications to provide additional assurance and transparency.

SOC 2 Type II

We are actively working toward SOC 2 Type II certification. It covers security, availability, processing integrity, confidentiality, and privacy controls. This certification verifies our internal controls over a defined audit period.

ISO 27001

We are pursuing ISO 27001 certification to establish our Information Security Management System (ISMS). This international standard verifies that we manage sensitive information systematically and handle risk appropriately.

Privacy by Architecture

We believe compliance shouldn't be added on top of insecure systems. Privacy should be the foundation of every product we build. We implement zero-knowledge encryption at the architectural level. That means privacy isn't just a feature. It's a guarantee.

Pursuing SOC 2 and ISO certifications shows our commitment to transparency and operational excellence. These standards build on the foundational privacy our zero-knowledge architecture already provides.

Suggestions on how we can make our products even more private? Let us know!

Need More Details?

Have questions about our compliance roadmap or zero-knowledge architecture? We're happy to discuss how our approach aligns with your security requirements.

Contact Our Security Team

Analytics & Cookies

We use self-hosted Matomo analytics. By default we measure anonymously with no cookies. Enable cookies to help us improve your experience. You can change this anytime.