DESIGN SECURITY
Your designs stay yours
Owner-key file encryption, read-only collaborator, time-locked access, invisible watermark, employee-departure recovery — all built-in.
Zero-knowledge architecture: even if BilTAY disappears,
you can still open your files with your recovery key.
ARCHITECTURE
How does .imgex encryption work?
1. Owner-key encryption
Each file encrypted with AES-256-GCM. The key is derived from your password + your physical recovery card seed. Not stored on our servers.
2. Recovery card
24-word mnemonic mailed on a physical certificate. Keeps your designs accessible even if BilTAY ceases to exist. Zero-knowledge: we cannot recover it for you.
3. Collaborator envelope
Files shared with collaborators are double-wrapped: their session key + their read/edit permission. Permissions enforced offline (no server check needed).
SUBSCRIPTION STATE MATRIX
What if your subscription ends?
Encryption is tied to your identity, not the subscription. Files always open. Subscription state only affects what you can newly do.
| State | Existing .imgex files | New encryption | Add collaborator | Watermark / audit |
|---|---|---|---|---|
| Active Pro Subscription is current | ✓ | ✓ | ✓ | ✓ |
| Subscription expired — 30-day grace Not renewed yet, but in grace period | ✓ + warning | ✓ + warning | ✓ | ✓ |
| Subscription expired — after grace Read-only mode active | 👁️ Read-only · STEP/IGES export | ✗ | ✗ | ✗ |
| Account deleted / BilTAY shut down Recovery key + local viewer | 🔑 Recovery key + local viewer | ✗ | ✗ | ✗ |
Standard SaaS practice would lock you out of your data after subscription ends. imge doesn't — your files remain yours.
PRO vs ENTERPRISE
Tier breakdown
PRO — INDIVIDUAL ENGINEER
9 security features
- ✓ Owner-key cryptographic locking (AES-256-GCM)
- ✓ Read-only collaborator (cannot save, cannot copy)
- ✓ Editable collaborator (can edit, cannot re-share)
- ✓ Time-locked access (e.g. expires 2026-06-15)
- ✓ Invisible watermark (user + date + machine ID)
- ✓ Audit log (who, when, on which device?)
- ✓ Screen capture prevention (Windows DRM API)
- ✓ Clipboard copy block (in collaborator mode)
- ✓ Recovery key physical certificate (mailed)
ENTERPRISE — ORG-WIDE
All Pro + 7 enterprise features
- ★ Central key management (HSM integration)
- ★ Corporate SSO (Keycloak) with access policies
- ★ Geographic restriction (IP / country / city based)
- ★ Department-based sharing groups
- ★ LDAP / Active Directory sync
- ★ AS9100 / IATF 16949 audit-ready record flow
- ★ 🛡️ Engineer-departure key recovery (3-layer envelope + HSM + 2-of-3 quorum)
CRITICAL FOR DEFENSE SUPPLIERS
Engineer leaves, files stay. Company master key in HSM; two admin signatures reassign files to a new engineer. Even BilTAY cannot access this key.
FAQ
Frequently Asked Questions
What happens to my encrypted files if my subscription ends? +
They always open. Encryption is tied to YOUR identity, not your subscription. After 30-day grace period it falls into read-only mode — you can still open, view, and export to STEP/IGES/STL. You cannot encrypt new files or add collaborators.
What if BilTAY shuts down / disappears? +
Your recovery key (24-word mnemonic) + the local viewer on your computer let you open files. Keep the recovery key (mailed with your certificate) in a safe place. BilTAY operates a zero-knowledge architecture — we hold no key on our servers that can decrypt your files.
How is read-only collaborator different from a typical "read-only" file? +
A traditional read-only file can still be screenshotted, decompiled, copy-pasted into another CAD via clipboard. Read-only collaborator in imge: clipboard blocked, screen capture blocked (Windows DRM), no save-as, no export. Plus invisible watermark — if a leaked screenshot surfaces, we can identify the source.
Time-locked access — how does it work? +
You set an expiration (e.g. 2026-06-15). Collaborator opens the file before that date. After expiration, the file refuses to open on the collaborator's machine. Useful for: subcontractor design reviews, NDA periods, project milestones. Lock can be extended remotely without re-sharing the file.
Engineer-departure recovery — how does it work technically? +
Files are encrypted with the engineer's personal key. When they leave, you (admin) cannot directly decrypt their files. But files are also wrapped in a "company recovery envelope" — accessible by 2-of-3 admin quorum + HSM signature. So you can reassign the work to a new engineer, but only with multi-admin consensus, leaving an audit log. Departing engineer's personal key is invalidated.
Does invisible watermark slow down the file? +
No. Watermark is added at view-time, not file-time. File size unchanged, performance unchanged. The watermark is rendered into the GPU framebuffer with the user's ID + timestamp + machine fingerprint — visible only via spectroscopic analysis or by us when investigating a leak.
On-premise / air-gapped — is everything available offline? +
Yes. Enterprise customers can run imge fully air-gapped: license server on their network, key management on their HSM, no outbound connection ever. Updates delivered via signed offline packages.
KVKK / GDPR compliance for design data? +
Design files are not "personal data" under KVKK/GDPR — but the audit log (user names, IPs, timestamps) IS personal data. We process it for legitimate business interest (security/audit), retain for 2 years, allow access requests. Data residency: Turkey servers. Details: /kvkk
Ready to protect your designs?
Free edition runs all engineering tools. Pro adds the encryption layer. Enterprise locks down for organization-wide deployment.