Sealway is designed to create verifiable evidence while limiting the exposure of sensitive data.
Files, emails, and metadata associated with evidence packages are protected through encryption. Master keys are separated by organization and kept outside Sealway’s application infrastructure, with our French cloud provider Scaleway.
When a file or email is received by Sealway, the service first calculates its cryptographic fingerprint, then encrypts the data before storage. This process supports both content integrity verification and confidentiality protection.
Sealway uses SHA-512 to generate a unique fingerprint of the certified content. If the file changes, even slightly, the fingerprint changes as well. This fingerprint makes it possible to verify that a file matches the originally timestamped content, without modifying the original file.
Files entrusted to Sealway are encrypted before storage: documents, photos, videos, audio files, attachments, and other content used to create evidence. Sealway uses AES-256-GCM to protect stored files and detect tampering of encrypted content.
Sealway also encrypts sensitive metadata stored in the database. Depending on the evidence type, this can include email recipients, the subject, file names, certain attachment-related information, and descriptive data required for the evidence package. An unauthorized database export would therefore not make this sensitive information directly readable.
Each evidence package is protected with a dedicated encryption key. This isolation limits the impact of an incident: access to one evidence package does not automatically provide access to others. This approach compartmentalizes data at the evidence-package level.
Master keys are separated by organization. An organization’s data therefore does not rely on one global key shared across all Sealway customers. This separation strengthens customer isolation and reduces the risk of cross-organization compromise.
The master keys used to protect organization data are not stored in Sealway’s database or application storage. They are kept in a key management service operated by Scaleway, a French cloud provider. Sealway does not store private keys in plaintext and cannot export them from this service.
If the database were exported, protected sensitive fields would not be directly readable without the required keys. If file storage were exposed, encrypted files could not be directly viewed. The goal is to strongly reduce the impact of an incident by avoiding plaintext storage of sensitive content and metadata.
Some technical data remains necessary for the service to function: internal identifiers, processing statuses, technical dates, object sizes, evidence types, or billing information. Sealway aims to encrypt sensitive content and metadata while keeping only the technical information required to operate the service.
Sealway evidence relies on qualified eIDAS timestamping to associate a reliable date with the certified content. This timestamp links the content fingerprint to a verifiable date and time, with evidentiary value recognized in the European Union.
You can export the evidence package and have it verified by a third party, without relying solely on Sealway’s availability. The evidence package contains the elements required to verify content integrity and the associated timestamp.
With the free offer, the original file used to create the evidence is temporarily retained for 7 days, then deleted. The evidence certificate remains available according to the service terms. Users are encouraged to download their evidence package to keep an independent copy.
No architecture should be presented as unbreakable. Sealway uses a combination of encryption, key separation, access control, European hosting, and independent verification to reduce risks and protect sensitive data.
