Security Architecture

Built so infrastructure compromise does not automatically equal readable-file compromise.

QrystalDrop coordinates workspace policy, identity, audit, and recovery operations without defaulting to server-visible content handling. Security claims are limited to controls that are already present in the product.

What this page commits to

The service stores encrypted objects instead of plaintext customer files.

Strict and recovery-enabled trust modes are separated in both behavior and UI.

Room uploads are not activated from client assertions alone.

Admins can inspect, govern, and export the control surfaces that matter in diligence.

Client-side encryption

Assets are encrypted in the browser before upload. The storage layer receives ciphertext and metadata references rather than readable source files.

Participant-bound wrapping

Each room asset gets a fresh content key. That key is wrapped once per registered participant device using ML-KEM-derived shared secrets and HKDF-derived wrap keys.

Verified activation

Assets are activated only after the backend verifies object existence, size, content type, and checksum against the signed upload policy.

Workspace governance

Identity, recovery posture, member roles, guest rules, room policy, download limits, domains, network boundaries, and billing all sit at the workspace layer.

Two trust modes

Strict zero-knowledge rooms

No recovery key path, no server-side plaintext workflow, and risky inline preview paths remain disabled. The platform treats content as opaque encrypted payloads.

Recovery-enabled rooms

The workspace can authorize a recovery profile and use governed review queues, recovery processing, durable recovery reports, and recovery-package access for security admins.

Shipped control surface

Passkeys, MFA, OIDC federation, managed-domain login policy, and Enterprise directory provisioning

Workspace IP allowlists, region preference, and signed SIEM webhook delivery

Device inventory, session rotation and revocation, domain verification, and audit proof batching

Recovery queue review, governed processing, recovery report artifacts, and controlled recovery-package access

Identity

Session cookies, passkeys, MFA, managed domains, OIDC, and provisioning keep room access inside a governed identity posture.

Network and recovery

IP allowlists, region preference, review queues, governed processing, and recovery-package workflows support business and enterprise operations.

Audit and evidence

Audit proof batches, export, and SIEM delivery give teams a defensible record of what happened across workspace and room operations.