FAQs

Can't find what you need?
Please get in touch...

E-mail: support@clear-crypt.com

Also see our guides to the use of ClearCrypt on our support page.

Opening hours:
Monday — Friday 09:00 – 17:00 (London, UK)

Frequently Asked Questions

What does ClearCrypt do?

ClearCrypt converts data into anonymised digiprints, to securely report on how two sets of data overlap.

In version 1 of the system, this comparison is made on email addresses. Future versions will allow comparison on different elements of data. 

Will ClearCrypt process your personal data?

ClearCrypt only stores and transfers data which is anonymised and so is not classified as personal data by the ICO. The data which ClearCrypt handles as a part of the creation of comparisons is not within the scope of GDPR.

This means that ClearCrypt is not processing the personal data in the files being used for the comparisons. 

How is the data anonymised?

When a user selects a file to process, ClearCrypt converts the data within the file into hashed and salted values, called Digiprints. This conversion runs locally, on the user’s PC. The file and the personal data being processed do not leave the user’s computer.

If the user elects to see the overlapping data, then the original file is copied to the download folder (again using local code, so the file and personal data do not leave the user’s computer), with the matches between their Digiprints and the other party’s identified in the copied file. Original files are never uploaded to our servers. Only the Digiprints are stored on our servers.

Has the ICO approved ClearCrypt?

The GDPR states that certification schemes should be developed, and the Information Commissioner’s Office (ICO) has started this. There are currently (March 2022) 3 certification schemes available, none of which relate to the scope of ClearCrypt.

ClearCrypt creates Digiprints (hashed and salted values of the data being checked), and as neither party has access to the salt or to the Digiprints themselves, and given the technical and organizational measures we use to secure the Digiprints, we have concluded that ClearCrypt passes the ‘motivated intruder’ tests that the ICO recommends should be used to review levels of anonymity.

Using the test, identifying which individuals the Digiprints relate to is extremely unlikely. Given this, according to ICO guidance, the data is effectively anonymised and so data protection law does not apply. These conclusions will be kept under review as any element of ClearCrypt changes.

We create hashes from our data and swap them with clients now. How is that different to what ClearCrypt does?

The ICO has defined a spectrum between cleartext personal data and truly anonymous data.

  1. Directly identifiable – e.g. email addresses, names and addresses.
  2. Indirectly identifiable – e.g. job title at a certain company, IP addresses.
  3. Probably identifiable because the risk of identification is likely.
  4. Probably not identifiable because the risk of identification is unlikely.
  5. Impossible to identify.

The key is in the distinction between points 3 and 4 above. Our interpretation of the ICO’s guidelines is that where data is swapped using files of hashes, and the means to re-create the hashes is shared with the other party (which it will need to be so that they can apply the same algorithms to their data), a motivated intruder could replicate the algorithms. Data where the hashes and the salts are shared therefore comes under point 3. This means that the data is pseudonymized and so classed as personal data, and data protection rules still apply.

With ClearCrypt, because neither party gets to see the hashes, and the salts are not shared with either party, the data is effectively anonymised and so comes under point 4 in the list above.
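The difference between points 3 and 4 can be shown in code. This is an added example, not ClearCrypt's code: it models the hash-swap arrangement from the question, where the salt is shared. Salted SHA-256, the salt value, the function names and the sample addresses are all assumptions constructed for illustration.

```python
import hashlib

# Constructed sample data (not from any real file).
SHARED_SALT = b"constructed-shared-salt"   # assumption: both parties know this
PARTY_A = ["alice@example.com", "Bob@Example.com ", "carol@example.org"]
PARTY_B = ["bob@example.com", "dave@example.net"]
# Addresses Party B does not hold as customers but can guess or obtain.
CANDIDATES = ["carol@example.org", "erin@example.org", "ALICE@example.com"]


def normalise(email: str) -> str:
    """Both sides must normalise identically or equal addresses will not match."""
    return email.strip().lower()


def digest(email: str, salt: bytes) -> str:
    """Salted hash of one address (assumed scheme: SHA-256 over salt + address)."""
    return hashlib.sha256(salt + normalise(email).encode("utf-8")).hexdigest()


def hash_file(emails, salt: bytes) -> set:
    """What a party would send to the other side in a hash swap."""
    return {digest(e, salt) for e in emails}


def overlap_count(hashes_a: set, hashes_b: set) -> int:
    """The intended result of the swap: how many records both parties hold."""
    return len(hashes_a & hashes_b)


def confirmable(received_hashes: set, candidates, salt: bytes) -> list:
    """Addresses whose presence in the sender's file the receiver can confirm.

    With the salt in hand, the receiver can hash any address it likes and
    test membership, so the hashes are pseudonymised, not anonymised.
    """
    return sorted(normalise(e) for e in candidates
                  if digest(e, salt) in received_hashes)


if __name__ == "__main__":
    from_a = hash_file(PARTY_A, SHARED_SALT)
    print("overlap:", overlap_count(from_a, hash_file(PARTY_B, SHARED_SALT)))
    print("confirmable with shared salt:",
          confirmable(from_a, CANDIDATES, SHARED_SALT))
    # Without the salt the same test matches nothing.
    print("confirmable without the salt:",
          confirmable(from_a, CANDIDATES, b"not-the-real-salt"))
```

The overlap is one record, yet with the shared salt Party B can also confirm two addresses that are not in its own file. That residual linkability is what places a plain hash swap under point 3.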

If another party can identify data that I control, surely I must be transferring my personal data with them?

Through the use of ClearCrypt, no personal data is being transferred.

Using email addresses as an example, the email addresses in the files users select are used to create the anonymised data on the user’s computer, and this anonymised data is transferred to the other party involved in the comparison. For the other party to be able to identify records in common, the other party must already have that data under their control. Anonymous data is not personal data according to the ICO.

If I use ClearCrypt, am I profiling my data?

Article 4(4) of the UK GDPR defines profiling as:

… any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

Because of the way ClearCrypt works, it does not use personal data, and neither analyses nor predicts the specific elements outlined in the definition of profiling in the UK GDPR. What ClearCrypt does do is provide the context for further decisions which may mean that data is being profiled.

In this scenario, the use of ClearCrypt is not profiling, but it can set the foundation for the commercial licensing of data from Party A, and at that point, when information is added to existing contacts within Party B’s dataset, then the processing of data could be described as profiling.

If I process my data using ClearCrypt, don’t I need you to sign data processing agreements?

ClearCrypt is not processing personal data. This means that there is no need for ClearCrypt to sign data processing agreements.

There is usually no requirement for InfoSec agreements to be signed, but that is a decision made internally by organisations. We are happy to sign non-disclosure agreements if required.

If I use ClearCrypt, do I not need to be aware of any other data protection issues?

No, but you do need to be aware that the conversion of data to anonymous data counts as a type of data processing. The anonymization of the data is done under the user’s control when using ClearCrypt. Because of this, the anonymization processing should be highlighted in the user company’s privacy policies. This should already be the case with most comprehensive policies.

How do I know that you’re only uploading anonymised data?

Your IT department will be able to tell what files are being uploaded by what systems. The only data being transferred to ClearCrypt servers by ClearCrypt in the course of processing a comparison are the Anonymised Digiprints.

Does ClearCrypt help with other elements of my data protection?

It is very useful for sales & marketing departments of organisations to compare their data with different parties for purpose limitation, data minimization, improving accuracy and limiting storage (some of the key principles of the GDPR). ClearCrypt enables this to be done within a lawful framework, and with integrity and confidentiality.

How much data can I compare in 1 comparison?

Premium customers are limited to 750,000 records; Enterprise customers are not restricted in how many records they can process in a single comparison (but see comment on ‘fair use’ below).

What are the use limits?

Customers can process up to 5 million records in a day according to our ‘fair use’ policy. Note that this is an aggregated amount for users within the same company.

Who can I compare data with?

With both Premium and Enterprise licences, you can compare data with as many individuals at different organisations as you want.

How long does a comparison take to run?

The time taken does depend on the number of records used, but you shouldn’t have to wait very long. Comparing a few thousand records takes no longer than 15 seconds.

How long do I need to sign up for?

The Premium licences have a minimum term of 3 months. Enterprise licences are for the minimum term of 1 year.

Can I send data to other parties using the free subscription level?

Yes, if the other party is a Premium or Enterprise user. Note, if you are a free user, the Premium or Enterprise user has to be the party that starts a comparison.

Do I need permission from my DPO to use ClearCrypt?

As data protection regulations do not apply to the data we store, depending on your internal policies, no. But we recommend that you check with your information and security team.