Security
Can PratikYedek read my data?
No. End-to-end (zero-knowledge) encryption means:
- Your files are encrypted on your device with AES-256-GCM.
- The encryption key never leaves your device.
- The PratikYedek server only sees an opaque encrypted binary blob.
- Server administrators (including the founder) cannot read your content.
The encryption key is derived from your master password using Argon2id (m=64 MiB, t=3, p=4) in the browser/desktop client. The derivation runs entirely on your device — only the resulting sealed recovery key is uploaded for restore on a new device.
How are my passwords stored?
| Credential | Storage |
|---|---|
| Account password | bcrypt hash (no plaintext; cost factor 12) |
| 2FA TOTP secret | encrypted-at-rest |
| SMS OTP code | bcrypt hash (5-minute TTL) |
| Encryption-key passphrase | on the device only — never transmitted to the server |
Brute-force protection
- Login: 5 failed attempts → 10-minute soft lockout.
- SMS OTP: 1 request per minute, max 5 per hour per phone number.
- API: per-endpoint rate limits with progressive back-off.
- Magic-link tokens: single-use, 15-minute expiry.
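The login lockout and SMS OTP limits above, modelled as an added Python example (not PratikYedek's own code). It assumes that failures are counted consecutively and reset on success, that the hourly OTP cap is a sliding window, and that state lives in process memory; a real deployment would keep it in a shared store.

```python
import time
from collections import defaultdict, deque

# Policy values from the FAQ above.
LOGIN_MAX_FAILURES = 5            # 5 failed attempts -> 10-minute soft lockout
LOGIN_LOCKOUT_SECONDS = 10 * 60
OTP_MIN_INTERVAL_SECONDS = 60     # 1 SMS OTP request per minute ...
OTP_MAX_PER_HOUR = 5              # ... and at most 5 per hour per phone number


class BruteForceGuard:
    """In-memory model of the login soft lockout and the SMS OTP rate limit.
    Assumed (not on the page): failures count consecutively and reset on success;
    the hourly OTP cap is a sliding window; production would use a shared store."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock                   # injectable for deterministic tests
        self._failures = defaultdict(int)     # account -> consecutive failures
        self._locked_until = {}               # account -> lockout expiry time
        self._otp_sends = defaultdict(deque)  # phone -> timestamps of OTP sends

    def login_allowed(self, account):
        until = self._locked_until.get(account)
        if until is not None and self._clock() < until:
            return False                      # still inside the soft lockout
        self._locked_until.pop(account, None) # no lockout, or it has expired
        return True

    def record_login_failure(self, account):
        """Count a failed attempt; True if this one triggered the lockout."""
        self._failures[account] += 1
        if self._failures[account] < LOGIN_MAX_FAILURES:
            return False
        self._locked_until[account] = self._clock() + LOGIN_LOCKOUT_SECONDS
        self._failures[account] = 0           # counter restarts after the lockout
        return True

    def record_login_success(self, account):
        self._failures.pop(account, None)
        self._locked_until.pop(account, None)

    def otp_request_allowed(self, phone):
        """Apply both OTP limits; the send is recorded only when allowed."""
        now = self._clock()
        sends = self._otp_sends[phone]
        while sends and now - sends[0] >= 3600:
            sends.popleft()                   # forget sends older than one hour
        if (sends and now - sends[-1] < OTP_MIN_INTERVAL_SECONDS) \
                or len(sends) >= OTP_MAX_PER_HOUR:
            return False                      # too soon, or hourly cap reached
        sends.append(now)
        return True
```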
Is 2FA recommended?
Yes, strongly. 2FA is mandatory in the CPA and Enterprise tiers. In the individual tier it is optional but strongly recommended.
Supported 2FA methods:
- TOTP — Google Authenticator, Authy, 1Password, Bitwarden, etc.
- SMS OTP — as a backup method when TOTP is unavailable.
WebAuthn / FIDO2 hardware key support is on the Phase 5 roadmap.
Can I lose my backups?
We use multiple layers of protection:
- WAL + PITR (Postgres write-ahead log + point-in-time recovery)
- 5-minute RPO (maximum loss is 5 minutes of recent history)
- 14-day automated restore drill
- Object storage chunk replication
- 3 separate disks (LUKS dm-crypt)
- Geographic replication across Turkish cities (planned post-Phase 4)
Exception: If you lose your encryption-key passphrase and your recovery key, PratikYedek cannot recover your data — by design (zero-knowledge). Always store the recovery key offline (printed PDF generated at setup) or in a password manager.
How is data encrypted in transit?
- TLS 1.2+ enforced on all network calls.
- HSTS (max-age=63072000) prevents protocol downgrade attacks.
- Certificate pinning is not used in the mobile app intentionally — it would prevent users on corporate MITM proxies (common in CPA offices) from connecting; we rely on HSTS preload + certificate transparency instead.
What about device theft?
- Mobile + desktop apps support biometric unlock (Android BiometricPrompt; Windows Hello / Touch ID planned).
- Biometric templates never leave the device; only a boolean "biometric authentication succeeded" signal is consumed by the app.
- Encryption keys are stored in the OS keystore (Android Keystore / Windows DPAPI / macOS Keychain) so they cannot be extracted by a thief who has the device but not the biometric / OS password.
- You can remotely sign out a stolen device from Settings → Security → Devices.
Penetration tests and audits
- An independent third-party penetration test is scheduled before Phase 4 launch (KVKK § 12 requirement).
- A public bug bounty programme is planned for Sprint 7+.
- Audit log retention: 7 years (KVKK § 12).
Reporting a security issue
Please email security@pratikyedek.com (PGP key on the public website). Please do not open public GitHub issues for security concerns. Coordinated disclosure response target: 72 hours for first reply, 90 days for fix or coordinated public release.