Syncdocs Security and Privacy

This page discusses the security of your data, credentials and program security.

Data Security

Are my files kept on Syncdocs servers?

No. None of your files are transferred, routed or stored in Syncdocs servers. You files are uploaded and downloaded directly to and from Google over an encrypted link.

How is my data kept safe?

The encryption is the same as in your web browser connection to Google Drive. Your data is encrypted while in transit on the Internet, the same as if you were using a web-browser.

Syncdocs will only send data to and from Google using SSL (TLS). This is a way of encrypting data on the Internet, used by banks, eBay etc.

Typically, it is all encrypted using RC4 128 bit. The key exchange and is done using an RSA 1024 or 2048 bit key, with SHA1 as message authentication. There is no non-https traffic from Syncdocs to Google Docs.

Local database storage is AES256 encrypted.

You can choose to encrypt files and folders on Google Docs and Google Drive. This encrypts your files at-rest on Google Drive and provides a secure end-to-end encryption solution. Encrypting files on a cloud storage platform is recommended, in case your account is ever hacked.

If you choose to encrypt files online, you have the option of encrypting these files locally as well. This is done using Windows folder encryption.

You can also choose to securely wipe files on Google Drive, if you delete them locally. This means that deleted files are wiped and not stored in the Trash or Recycle Bin.

If you choose to backup your Google contact list, this file is stored in your Syncdocs folder, but it is not encrypted locally.

How does Google secure my files?

Here’s more information on Google’s data security and redundant servers.

Password Security

Account permission (OAuth)

By default, Syncdocs does not need or store your Google account password. Instead you give permission to Syncdocs to access your Google Drive. This process is called OAuth.

Google gives Syncdocs a token that is stored securely using Window’s secure credential manager vault on your own PC. Syncdocs uses this to login. You can revoke Syncdocs’ permissions at any time, too.

The Password option

If you choose not to use OAuth, and do enter an app-specific password into the Syncdocs app note they stay on your PC. Passwords are securely stored only on your local PC, or local network Microsoft Windows Domain Controller Server. Doc Freedom Syncdocs does not collect them. They are used only when connecting to Google cloud services. Syncdocs does not store your passwords on our servers, or anywhere on the Internet. When communicating your passwords to Google’s servers, TLS (SSL) encryption and authentication is used.

App-specific passwords can be revoked at any time by you via your Google account.

How are my credentials kept safe?

We don’t have access to your OAuth token or app-specific password. It is stored securely using Window’s secure credential manager vault on your own PC. Unless you are on some Windows domains, your password will never leave your PC.

If you are on a Windows domain, your domain administrator might also store all your desktop settings on the network domain controller, so you can move workstations. Your password is included in the workstation settings.

In other words, your password stays on PC or local network, Syncdocs servers never see it. Syncdocs never sends your password to anyone except Google’s servers, and then only using the encryption detailed below:

How are my credentials communicated?

Your credentials are encrypted on the Internet, the same as if you were using a web-browser.

Syncdocs will only log into Google using SSL (TLS). This is a way of encrypting data on the Internet, used by banks, eBay etc.

Do you support 2-Step Verification?

Yes, Syncdocs supports two-step authentication, for all accounts.

See this post for detailed setup instructions, or see the next point for brief instructions.

How do I get 2-Step Verification working with Syncdocs?

You need an “application specific” password.

Here’s how to get it working:

1. You will need an “application-specific” password from Google.
Go here for to get one:
http://www.google.com/support/accounts/bin/static.py?page=guide.cs&guide=1056283&topic=1056286

2. In Syncdocs Preferences, in the Account tab, in the password field, enter the password code Google gave you in step 1.

Do you support Single Sign On (SSO)?

Yes, Syncdocs also now supports the Google OAuth 2 protocol. This means that you can authenticate/de-authenticate Syncdocs using the standard Google permissions console.

Syncdocs will also now support single-sign-on (SSO) solutions like OneLogin and SSOEasy.

How do I revoke Syncdocs Access

Click on “Revoke” in the Google Account Console next to Syncdocs. See this post for detailed setup and revoke instructions.

How to I wipe Syncdocs info from the Windows password vault?

You can use the -wipevault command line switch to tell Syncdocs to clear all the credentials when it exits.

Program security

How are updates kept safe?

wyUpdate is the utility we use to keep Syncdocs up-to-date. It is a small program that checks the version of Syncdocs, and applies updates if needed. It only updates signed versions of updates, and communicates via TLS.

More information

The Syncdocs Privacy Policy policy gives more details, as do the terms.