Fully blown products, frameworks, libraries.
Data security, any form factor you want

Until otherwise agreed, our products come as a “boxed” solution and are integrated with your apps and infrastructures.

Our software doesn't need any connections to our servers, doesn't have "admin" or "backup" keys, doesn't steal or send data “back home”.

Our software doesn’t require internet access to operate, it has no “admin panel”, no debug routes, no built-in analytics or tracking, and no “insecure” mode.

You fully control it.

Our products use strong modern audited cryptography under the hood: AES-GCM-256, AES-CTR-256, ECC + ECDSA, RSA + PSS + PKCS#7, ECDH, HPKE-like scheme, SMP-like scheme, PBKDF2, HMAC-SHA-256, ZRTP-KDF, etc.

Thanks to the modular architecture, it is possible to build custom flavors of Themis and Acra using crypto-primitives of your choice, like FIPS 140-2 or GOST-compatible.

Once data is encrypted, only a party that has access to decryption keys, can decrypt it. We don’t have any “magical” spare keys. Store keys securely, or talk to us to use SSS-like schemes.

Our software engineers are trained about secure architecture and secure coding, and write code based on platform-specific security guidelines, NIST publications, OWASP guides (SAMM, ASVS, MASVS, Cheatsheets) and security industry best practices.

Each change in our products is being reviewed and approved by our internal team of software engineers and security engineers. For every change in the cryptographic layer, we perform internal audits by cryptographers who don’t work on our products, or external audits with world renowned cryptographic engineers. We work with reputable 3rd party security engineers to review security of our product on major releases.

Our products heavily use automated security testing tools: static code analysers, fuzzing tools, memory analysers, unit tests (for each platform), end-to-end tests (to test the whole use cases), platform compatibility tests (to find compatibility issues between different platforms), version compatibility tests. For Themis, the estimated LoC of tests are 10x than LoC of the core code.

Tests run on every PR, every night and before releases.

The statistical test developed by NIST is used to verify the quality of pseudo-random number generators in the donor libraries. For symmetric encryption, we also run a selected set of NIST-recommended tests for AES-256. Such test sets contain both the initialisation vectors and the expected output.

We use dependency management tools to monitor 3rd party libraries used in our products, we triage notifications and update dependencies on an ongoing basis.

In the event of finding a critical bug in products or their dependencies, patch is created and all customers are notified via their contact emails or by an agreed support channel. For open source users we post a GitHub issue and publish a new update, they can receive notification via GitHub according to their settings.