Time-Check

Security Architecture

Overview

Time-Check implements enterprise-grade security with a zero-knowledge architecture that ensures complete privacy and anonymity while enabling cross-organizational availability sharing.

Core Security Principles

1. Zero-Knowledge Architecture

• Server Blindness: Server cannot decrypt or access calendar data
• End-to-End Encryption: All sensitive data encrypted on client devices
• No Persistent Identity: Anonymous device IDs with automatic rotation
• Minimal Data: Only encrypted availability bitmaps are transmitted

2. Anonymous by Design

• Rolling Device IDs: Anonymous identifiers that change automatically
• Request Isolation: Each request uses unique encryption keys
• No Cross-Request Linking: Impossible to correlate requests to users
• No User Profiles: No accounts, logins, or persistent user data

3. Local Processing Only

• Client-Side Calendar Access: All calendar processing on user devices
• No Cloud Calendar Access: Server never accesses calendar APIs
• Local Encryption: Data encrypted before leaving device
• EventKit Integration: Uses Apple’s secure calendar framework

Encryption Implementation

Cryptographic Algorithms

• Algorithm: NaCl Box (Curve25519 + XSalsa20 + Poly1305)
• Key Exchange: Elliptic Curve Diffie-Hellman (ECDH)
• Symmetric Encryption: XSalsa20 stream cipher
• Authentication: Poly1305 message authentication code

Key Management

• Ephemeral Keys: Unique key pairs for each request
• Perfect Forward Secrecy: Keys discarded after use
• Secure Generation: Cryptographically secure random number generation
• iOS Keychain: Secure key storage using hardware security

Encryption Process

1. Generate ephemeral key pair (Client)
2. Exchange public keys (Anonymous)
3. Derive shared secret (ECDH)
4. Encrypt availability data (XSalsa20 + Poly1305)
5. Transmit encrypted data only
6. Decrypt on requestor device
7. Discard all keys

Data Protection

Information Minimization

• Only Availability: No meeting titles, participants, locations
• Bitmap Format: Compressed busy/free time slots only
• 15-Minute Granularity: Optimal balance of privacy and utility
• 30-Day Window: Limited time range for availability requests

Data Lifecycle

1. Collection: Availability extracted locally from calendar
2. Processing: Converted to encrypted bitmap on device
3. Transmission: Only encrypted data sent to server
4. Storage: Temporary encrypted storage (max 30 days)
5. Retrieval: Encrypted data retrieved by requestor
6. Deletion: Automatic expiration and cleanup

No Persistent Storage

• Ephemeral Data: All data expires automatically
• No Backups: No long-term storage or backups
• Memory Cleanup: Secure memory clearing after processing
• No Logs: No logging of personal information

Anonymous Identity System

Email-Based Verification

• Work Email Verification: Secure email-based identity confirmation
• No Calendar Email Extraction: Eliminates unreliable calendar parsing
• Verification Codes: Time-limited verification codes
• DynamoDB TTL: Automatic code expiration

Device Identity

• Anonymous Device IDs: UUID-based anonymous identifiers
• Rolling IDs: Automatic rotation to prevent tracking
• No Device Fingerprinting: No collection of device characteristics
• Local Storage: Device IDs stored locally only

Request Anonymity

• Anonymous Requestors: No identification of request originators
• Proxy System: Requests routed through anonymous proxies
• No IP Logging: No storage of IP addresses or network information
• Timing Obfuscation: Request timing randomization

Network Security

Transport Layer Security

• TLS 1.3: Modern transport layer encryption
• Certificate Pinning: Protection against man-in-the-middle attacks
• Perfect Forward Secrecy: Session key protection
• HSTS: HTTP Strict Transport Security

API Security

• Rate Limiting: Protection against abuse and DoS attacks
• Input Validation: Comprehensive input sanitization
• CORS Protection: Proper cross-origin resource sharing controls
• No API Keys: Anonymous access without authentication tokens

Infrastructure Security

• AWS Security: Enterprise-grade cloud security
• VPC Isolation: Network isolation and segmentation
• IAM Policies: Least privilege access controls
• CloudFormation: Infrastructure as code for consistency

Compliance and Standards

Privacy Regulations

• GDPR Compliant: European privacy regulation compliance
• CCPA Compliant: California privacy law compliance
• No Personal Data: Minimal data collection eliminates most privacy risks
• Data Minimization: Principle of collecting only necessary data

Security Standards

• SOC 2 Ready: Security controls aligned with SOC 2 requirements
• ISO 27001 Principles: Information security management alignment
• OWASP Guidelines: Web application security best practices
• Apple Security: iOS security framework compliance

Industry Standards

• CalDAV Security: Calendar protocol security best practices
• OAuth 2.0: Secure authorization framework support
• JWT Security: JSON Web Token security implementation
• REST API Security: RESTful API security standards

Threat Model

Protected Against

• Data Breaches: No sensitive data stored on server
• Man-in-the-Middle: End-to-end encryption protection
• Traffic Analysis: Anonymous request patterns
• Identity Correlation: Rolling anonymous identifiers
• Calendar Access: No server-side calendar API access

Attack Scenarios

• Malicious Server: Cannot access calendar data due to encryption
• Network Interception: Encrypted traffic provides no useful information
• Device Compromise: Limited impact due to ephemeral keys
• Database Breach: No sensitive data stored in database

Security Assumptions

• Client Device Security: Assumes iOS security model integrity
• Cryptographic Primitives: Assumes NaCl implementation security
• Network Infrastructure: Assumes TLS implementation security
• User Behavior: Assumes reasonable user security practices

Security Monitoring

Threat Detection

• Anomaly Detection: Unusual request pattern monitoring
• Rate Limiting: Abuse prevention and detection
• Error Monitoring: Security-relevant error tracking
• Performance Monitoring: DDoS and abuse detection

Incident Response

• Automated Response: Automatic blocking of suspicious activity
• Manual Investigation: Security team review of anomalies
• Communication Plan: User notification procedures
• Recovery Procedures: System recovery and restoration plans

---

Next Steps: Learn about how it works or download the iOS app.