Secure your data in a way that fits you
All of our security products are open-core. This means that all cryptographic code is open source, while many enterprise conveniences are licensed under a commercial licence.
Our products take many forms, but the entire ecosystem addresses the same issue: convenient, robust, and modern data protection.
A CROSS PLATFORM CRYPTO LIBRARY
Themis provides an easy-to-use and hard-to-misuse encryption API for securing data at rest and in transit, and is available across multiple platforms.
Works best with:
Multi-platform apps, mobile apps, document exchange, chats.
Finance, Healthcare and wellness, B2C, SaaS.
90% of typical use cases related to secure data storage and transmission.
Platforms: Mobile, Web, Electron, WASM, IoT, On prem, Cloud
Licensing: Open-source Apache 2.0
Form-factors: In-app SDK
A DATABASE SECURITY SUITE
Acra provides application level encryption, masking, tokenisation, access control, database leakage prevention, and intrusion detection for modern data-processing apps.
Works best with:
SQL/NoSQL databases, API services, web apps, telemetry systems.
Finance, Critical infrastructure, Healthcare, B2B, SaaS.
Encrypted data storage and processing with searchable encryption.
Platforms: Database, Cloud, On prem, IoT, Web
Licensing: Open-source Apache 2.0, Proprietary
Form-factors: API service, SQL proxy, DAO, In-app SDK
END-TO-END SECURE DATA STORAGE
Hermes is an end-to-end secure data storage, processing and sharing framework that places zero trust in the storage and exchange infrastructure.
Works best with:
Distributed apps, EHR systems, document exchange.
Finance and banking, Critical infrastructure, Healthcare, B2B, Blockchain.
End-to-end encrypted data collaboration and cryptographic access control.
Platforms: Web, On prem, Cloud
Licensing: Open-source AGPL 3.0
Form-factors: In-app SDK, DAO
A data management application platform built around Hermes, which provides an end-to-end encrypted storage and sharing layer on top of traditional server infrastructure. It provides out-of-the-box tools to integrate Hermes with modern databases and distributed applications.
Works best with:
Large scale infrastructures, distributed apps, document exchange.
Finance and banking, Critical infrastructure, Healthcare, B2B.
End-to-end encrypted data collaboration within the whole infrastructure.
Platforms: Web, On prem, Cloud
Form-factors: API service, DAO
Product security and stability
Your data is only yours
Unless otherwise agreed, our products come as a “boxed” solution and are integrated with your apps and infrastructure.
Our software doesn't need any connections to our servers, doesn't have "admin" or "backup" keys, and doesn't steal data or send it “back home”.
Our products use strong modern audited cryptography under the hood: AES-GCM-256, AES-CTR-256, ECC + ECDSA, RSA + PSS + PKCS#7, ECDH, HPKE-like scheme, SMP-like scheme, PBKDF2, HMAC-SHA-256, ZRTP-KDF, etc.
Thanks to the modular architecture, it is possible to build custom flavours of Themis and Acra using crypto-primitives of your choice, such as FIPS 140-2 or GOST-compatible ones.
Our software engineers are trained in secure architecture and secure coding, and write code based on platform-specific security guidelines, NIST publications, OWASP guides (SAMM, ASVS, MASVS, Cheat Sheets) and security industry best practices.
Automated security testing
Our products heavily use automated security testing tools: static code analysers, fuzzing tools, memory analysers, unit tests (for each platform), end-to-end tests (covering whole use cases), platform compatibility tests (to find compatibility issues between different platforms), and version compatibility tests. For Themis, the estimated lines of code in tests are about 10x the lines of code of the core library.
Tests run on every PR, every night and before releases.
We use dependency management tools to monitor the 3rd party libraries used in our products; we triage notifications and update dependencies on an ongoing basis.
No analytics, no tracking
Our software doesn’t require internet access to operate; it has no “admin panel”, no debug routes, no built-in analytics or tracking, and no “insecure” mode.
You fully control it.
No spare keys
Once data is encrypted, only a party with access to the decryption keys can decrypt it. We don’t have any “magical” spare keys. Store keys securely, or talk to us about using SSS-like (secret sharing) schemes.
3rd party reviews
Each change in our products is reviewed and approved by our internal team of software engineers and security engineers. For every change in the cryptographic layer, we perform internal audits by cryptographers who don’t work on our products, or external audits with world-renowned cryptographic engineers. We work with reputable 3rd party security engineers to review the security of our products on major releases.
Automated cryptography testing
The statistical test suite developed by NIST is used to verify the quality of the pseudo-random number generators in the donor libraries. For symmetric encryption, we also run a selected set of NIST-recommended tests for AES-256. Such test sets contain both the initialisation vectors and the expected outputs.
Incident notification policy
In the event of finding a critical bug in our products or their dependencies, a patch is created and all customers are notified via their contact emails or an agreed support channel. For open source users we post a GitHub issue and publish a new update; they can receive notifications via GitHub according to their settings.
& latest releases
We follow a slow update cycle with urgent releases dealing with compatibility issues.
- Themis is a cryptographic library, perfect for solving data security use cases in most applications.
- Themis supports 14 languages and platforms and provides 100% compatible API across them.
- Themis is recommended by OWASP as a cryptographic library for mobile apps.
- Themis hides cryptographic details, preventing developers from making security mistakes.
- Themis provides strong modern industry-proven cryptography.
- Themis is open source and can be used for free.
- Acra database security suite protects sensitive data in databases and distributed applications.
- Acra is one tool that covers 9 data security controls.
- Acra works with SQL and NoSQL databases, on-prem or in any cloud environment.
- Acra gives field-level encryption for sensitive data and supports BYOK/HYOK.
- Acra easily integrates into modern applications, protecting sensitive data at every step of its lifecycle.
- Acra Community Edition is open source and can be used for free.
- Acra Enterprise Edition is tailored for businesses with multiple apps or databases.
- Hermes is a security framework for enabling multi-user end-to-end encrypted data storage.
- Hermes provides the essential building blocks for building zero-knowledge and zero trust architectures.
- Hermes prevents data leakage or misuse even if the server infrastructure is compromised.
- Hermes core engine is open source.
Cossack Labs team
- Cossack Labs team includes experts with formal backgrounds and PhDs in cryptography, OWASP contributors, CISSP-certified security engineers, security software developers, and security engineers with decades of industry experience.
- Cossack Labs team members have given more than 60 conference talks in 6 years. You can meet us at international security and development conferences such as QCon, DefCon, UA.SC, BlackAlps, NSSpain, FrenchKit, Devops Stage, OSDN, muCon, iOSCon, Highload fwdays, OWASP meetups and OWASP AppSec global events, NoNameCon, and others.
- August 20, 2022 – Launch of Shift Security Left newsletter for security-aware developers. Later, it became a Hackernoon Noonies'22 Best General Technology Newsletter runner-up in emerging tech.
- May, 2022 – Acra 0.93.0 introduces the type awareness feature, enabling fully transparent encryption, decrypting and decoding binary data back to the original type.
- November, 2021 – Acra 0.90.0 is released, making fundamental security controls previously available in proprietary versions accessible to a wider audience.
- October 20, 2020 – Acra won Best Open Source Project in the Hackernoon Noonies contest.
- July 9, 2020 – With version 0.13.0 released, Themis officially supports 14 languages and platforms.
- September 5, 2019 – Cossack Labs implemented end-to-end encryption into popular Apple Design Award app Bear.
- April 16, 2019 – Acra encryption suite became available on DigitalOcean Marketplace.
- March 15, 2019 – More flexible configuration for AcraCensor and server-side encryption mode for AcraServer are introduced.
- November 9, 2018 – With version 0.84.0 New Horizons, Acra grew from a database encryption proxy to a full-fledged data encryption suite.
- December 13, 2017 – A proof of concept version of Hermes was introduced.
- March 8, 2017 – The first Acra open-source release (0.75) was revealed.
- June 3, 2015 – Themis was released to the public.
- May 18, 2015 – Launch of Themis, a high-level cryptographic services library.
- June 19, 2014 – Launch of Cossack Labs, a private limited company in the United Kingdom.
Read related customer stories and engineering stories
Transparent data encryption for SQL databases with Acra 0.93
Fully transparent encryption of sensitive fields is possible with the open source Acra 0.93 release. Acra works at the SQL protocol level, hiding details from developers and reducing the cost of integrating encryption. Learn how it works under the hood.
Quick migration to field level encryption of governmental data
Integrating encryption and data masking for sensitive data stored in a MySQL cluster. A combination of transparent SQL encryption via AcraServer and an encryption API via AcraTranslator makes Acra fit for complex solutions.
Building a secure data vault for PII protection
Building a cryptographically secure vault for storing and processing PII that prevents developers from getting access to the plaintext data fields, shares anonymised data with BI teams, and provides sufficient performance for OLAP queries.
Acra 0.90.0: application level encryption and searchable encryption for any SQL and NoSQL databases
Acra Community Edition 0.90.0 – database security suite for SQL and NoSQL databases, which comes with application level encryption, searchable encryption, and encryption-as-a-service API available for any developer.
Securing an ecosystem of edge ML devices
Designing and implementing security for specialised IIoT devices that run ML: data protection, ML model protection, secure communication, fleet management, and anti-reverse-engineering.