Security by design
At Softcrow, security is not an afterthought but the foundation on which everything is built. It starts with the question of where and under which law we store, and runs all the way into the technology: zero-knowledge, quantum-safe delivery and the tooling you use to deliver.
Sovereign storage, outside the CLOUD and USA PATRIOT Act
Softcrow’s storage infrastructure is hosted entirely within the EU. The CLOUD Act and the USA PATRIOT Act do not apply to it.
For escrow, this matters. A deposit contains the supplier’s intellectual property. Sovereign storage, free from the CLOUD and USA PATRIOT Act, means that the encrypted deposit cannot be requisitioned through a foreign legal system.
SecureStorage: the technical foundation
Beneath all of Softcrow’s services lies SecureStorage: our own zero-knowledge storage infrastructure. SecureStorage is not a separate service but the technical foundation on which Software Escrow, SaaS Escrow and CloudSecure® run.
The characteristics of SecureStorage:
- Client-side encryption: the supplier encrypts with AES-256, before delivery. Softcrow receives only encrypted files
- End-to-end encrypted (E2EE): Softcrow holds no keys, so the data is mathematically unreadable to Softcrow and to the hosting parties
- Append-only: delivery is always possible, but delivered data cannot be modified or deleted
- Weekly SHA-256 integrity check of every deposit
- ZFS file system with block-level checksums and periodic scrubbing: silent data corruption (bit rot) is detected and, with redundancy, automatically repaired
- ISO 27001 certified data centres within the EU
- Daily back-up in two independent ISO 27001 certified data centres within the EU
Zero-knowledge storage
Softcrow is a zero-knowledge escrow provider: the supplier encrypts client-side and Softcrow never has access to the key or the contents.
Softcrow stores only encrypted deposits. The supplier encrypts the deposit themselves, before delivery. The encryption key is never shared with Softcrow, but only with the beneficiary.
The deposit is therefore end-to-end encrypted (E2EE): from supplier to beneficiary, without any intermediate party being able to view the contents. “Zero-knowledge” refers in this context to Softcrow’s position as custodian: no key, no access. It is an architectural principle, not to be confused with a zero-knowledge proof (ZKP) from cryptography. Softcrow provides no mathematical proof; access is simply ruled out because the encryption key never reaches us.
This means that Softcrow technically cannot access the contents of a deposit, even if that were desired. No access, no insight, no risk of conflicting interests. Softcrow’s neutrality as a Trusted Third Party is therefore not just a promise, but anchored in the architecture.
Quantum-safe delivery
With the rise of quantum computers, traditional encryption methods are becoming increasingly vulnerable. The Softcrow CLI is prepared for this.
The CLI uses only AES-256 symmetric encryption, driven by 256-bit hardware-level entropy. This has two important consequences:
- Resistant to Grover’s algorithm: Grover’s search halves the effective key length of a symmetric cipher, so even then AES-256 still offers 128-bit effective security, which is computationally uncrackable
- Immune to Shor’s algorithm: because the CLI uses only symmetric encryption, there are no public or private key pairs that Shor’s algorithm could break
Combined with the zero-knowledge architecture, in which Softcrow never sees, transmits or stores the encryption key, a deposit is cryptographically locked, fully private and mathematically uncrackable, regardless of how technology evolves.
CLI and your own tooling
At Softcrow you are free to choose the tooling for compression and encryption. If you deliver via the web uploader, you compress and encrypt the deposit with the tooling of your choice. The web uploader accepts any encrypted file, regardless of how it was created. Softcrow recommends AES256-ZIP. That is quantum-safe, provided you use a sufficiently strong key. Beyond that, Softcrow has no stake in the method or software you choose. Do record in the deposit specification which compression and encryption method you applied. That way the beneficiary can open the deposit on release.
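One way to check the "sufficiently strong key" condition and to record the method for the deposit specification, as an added example (not Softcrow's code or CLI). An AES-encrypted ZIP derives its key from the passphrase, so the passphrase's entropy bounds the deposit's strength. The 62-character alphabet and the specification field names are assumptions.

```python
import hashlib
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits  # assumption: 62-symbol alphabet


def passphrase_length(target_bits: int, alphabet_size: int) -> int:
    """Smallest length whose uniform-random entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def generate_passphrase(target_bits: int = 256) -> str:
    """Draw each character from the OS CSPRNG via the secrets module."""
    length = passphrase_length(target_bits, len(ALPHABET))
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def effective_bits(length: int, alphabet_size: int, key_bits: int = 256):
    """(classical, post-Grover) strength in bits, capped by the AES key size."""
    classical = min(key_bits, length * math.log2(alphabet_size))
    return classical, classical / 2  # Grover halves the effective key length


def sha256_file(path: str) -> str:
    """Stream the encrypted archive so large deposits need little memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def deposit_spec(archive_path: str, tool: str) -> dict:
    """Hypothetical specification fields; the passphrase is never recorded."""
    return {
        "archive": archive_path,
        "sha256": sha256_file(archive_path),
        "compression": "ZIP",
        "encryption": "AES-256",
        "tool": tool,
    }


if __name__ == "__main__":
    print(passphrase_length(256, len(ALPHABET)), "characters needed")
    print(effective_bits(12, len(ALPHABET)))  # a short passphrase falls well below 128
```

The passphrase itself travels only to the beneficiary; the specification carries the method and the digest of the encrypted archive, never the key.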
If you want to make things easier for yourself, Softcrow offers its own Command Line Client (CLI). It is available to all our clients. In it, compression, encryption and delivery are integrated in a quantum-safe way. You can also fully automate the CLI, for example from a pipeline. That way you choose security, convenience and compatibility on release in one go. That holds even if the release only takes place decades from now.
Open-source platform
The Softcrow platform is built entirely on open-source software, running on Debian Linux. Open-source means that the software we use is publicly auditable: no hidden backdoors, no vendor lock-in, no closed components you have to take on trust.
This is a deliberate choice that aligns with the same principle as zero-knowledge: security you can verify, not just promise.
No vendor lock-in on release
Deposits are encrypted and compressed in the AES256-ZIP format. This is a deliberate choice with three advantages at once.
- Quantum-safe: AES256-ZIP with a good symmetric key offers the same quantum resistance as the rest of the platform
- No vendor lock-in: the Softcrow CLI is not required to release the deposit. For a standard deposit, a common archive program that supports AES256-ZIP is enough: 7-Zip (Windows, Linux and macOS) or WinZip (Windows). For incremental deposits, the open-source program Restic is required for extraction
- Future-proof: for agreements that may run for decades, independence from proprietary software is not a luxury but a requirement. Here, compatibility is a security principle