Smart Home Data Security and You

Published in Notion
3 min read · Nov 20, 2014

By Jordan Stone

At Notion, data security and privacy are an incredibly important topic. And rightfully so! Connected devices from televisions to refrigerators have already been hacked, and we want to make sure that all of your data is as safe as possible. We wanted to take some time to explain our approach to data security and privacy, including how your data is transported across our ecosystem, as well as how it’s stored.

It’s easiest to think of the Notion ecosystem as a series of “nodes.” A “node” is any point in our system that data is transferred to or from. At the highest level, the Notion ecosystem consists of three nodes: the sensor, the hub, and the backend. Data is collected by sensors and sent to a hub, which then forwards that data on to our backend for processing, analysis, and storage. And since a picture is worth a thousand words, here you go:

[Figure: notion sensor, hub, and backend]

Cryptography isn’t necessarily hard to do, but it’s pretty hard to do right. At Notion, we use the latest and most widely accepted cryptographic standards and best practices in order to ensure the integrity of the data we collect and store. We use a combination of symmetric and asymmetric cryptography to ensure the security of our data. All sensor data is encrypted with 256-bit AES. A unique AES key is randomly generated during the manufacturing process for each sensor and for each hub. Additionally, each hub is granted an authentication token, for an added layer of security. A typical interaction from end to end looks something like this:

A sensor collects data, either from an external stimulus waking it up (e.g. an accelerometer event) or from its periodic health checks. That data is then encrypted with 256-bit AES and sent to a nearby hub, along with the ID of that sensor. The hub appends its own authentication token and then sends all of that data to the backend. The backend first ensures that the data it receives is from a valid hub by confirming the authentication token. If that initial check passes, it uses the sensor hardware ID to fetch the proper key needed to decrypt the data. Once it has decrypted the data, it processes and saves that data as necessary. Additionally, all of this happens over secure connections leveraging Transport Layer Security (TLS).

Notice that a hub cannot decrypt the data from a sensor. Instead, the hub acts as a proxy for sensor data to the backend. There are also some instances where a hub may need to send data to, or receive data from, the backend outside of proxying sensor data: for instance, if a sensor has not reported data for an unusually long time, or if the hub needs to receive firmware updates. In such instances, the above process is by and large the same, except that the hub’s own key (the AES key generated for that hub during manufacturing, shared only between that hub and the backend) is used to encrypt and decrypt the data.

Because keys are provisioned this way rather than exchanged at runtime, a secret key never needs to be transferred over the wire in plaintext. In addition, because no key is shared globally across nodes in the system, a compromised node can easily be removed from the system if need be.

The last component of our security and encryption approach is our mobile apps. All of the apps, including those released by us as well as those released by third-party developers leveraging our API, send and receive information over HTTPS (HTTP over TLS). This ensures that all data sent “over the wire” is encrypted and cannot be eavesdropped on.

As we continue to build Notion, gather feedback, and improve on the product, we’ll continue to write these kinds of posts to keep those of you interested in some of the lower-level details about Notion up to date.
