End-to-End Encryption
Today, StaffCounter is the only solution in the world that offers End-to-End Encryption (E2EE). All data captured from employees’ computers is encrypted and decrypted exclusively by the account owner. With this update, we aim to pioneer innovation across the entire computer surveillance industry.
Employee productivity data collected from endpoint devices is encrypted before being transferred to the cloud. Unlike SSL encryption, the data remains encrypted even after it reaches StaffCounter’s cloud storage. Furthermore, it stays encrypted throughout all running database instances, execution contexts, and processing algorithms on our servers. When you log into your account, the data is delivered to your browser in its encrypted form and decrypted on-the-fly using JavaScript and the browser’s native encryption features. This ensures GDPR compliance by design. Below, we explain how to update or install the latest StaffCounter agent and configure the E2EE feature.
We are pleased to announce that the “End-to-End Encryption” feature is now available as an experimental option for new user accounts. E2EE in StaffCounter is similar to Homomorphic Encryption, as it allows computations on encrypted data without decryption. In our case, computations include sorting and aggregation. Like other time-tracking solutions, StaffCounter records the frequency and duration of application, document, and website usage, calculates time spent, and sorts results for reporting. Now, with E2EE architecture, employee names and productivity data remain encrypted even from the StaffCounter server itself.
To try E2EE, download StaffCounter Agent v. 9.2 for Windows with End-to-End Encryption support and follow the steps below.
According to our architecture, a secure encryption link is established between the employee’s computer and the manager’s browser, where reports are viewed. While there is no direct connection between the device and the browser, these two endpoints form the entire encryption chain. Competing solutions like Timedoctor, ActivTrak, Desktime, Workpuls, and ActivityWatch also encrypt data in transit or at rest, but their processes include multiple stages where data may be in plain form. In StaffCounter, data is unencrypted only at two points: in the computer’s memory and in the manager’s browser memory. Since both points are controlled by the account owner, this structure ensures compliance with the Zero Access Principle and reinforces GDPR compliance.
With E2EE, all employee data is encrypted instantly and decrypted only in the manager’s browser. Once enabled, the data is encrypted on the employee’s workstation before being sent to the backend, and decrypted only when accessed in the browser. The StaffCounter Agent generates and exchanges encryption keys with the manager’s account. The backend does not manage encryption keys or perform encryption/decryption — all operations occur solely at the endpoints.
The E2EE model also supports computations on encrypted data, such as sorting and aggregation. This allows StaffCounter to record activity, calculate durations, and sort usage data while maintaining encryption. As a result, the server cannot read employee names or related content — only the browser can.
Example of Time Report with encrypted data:
To test the E2EE feature, download StaffCounter Agent v. 9.2 for Windows and follow the configuration steps below.
Browse Encrypted Dashboard and Reports
You will notice few changes in your dashboard and reports, despite all information being encrypted. This is made possible by real-time decryption in your browser using the Web Crypto API, available in modern browsers like Chrome, Firefox, Opera, and Safari. Our JavaScript code decrypts all encrypted strings on the page as it’s displayed.
How does E2EE affect time tracking, productivity categorization, and alerts?
Time tracking and reporting work as before, but productivity rules may need to be reassigned.
Encrypted data keeps the same structure as clear text. For example, before encryption StaffCounter may match on “winword.exe” or “gmail.com” to assign a productivity category; after encryption, tokenized strings such as “w6Wd4SSxgK9EqmHuR4EAWw==” are matched for the same purpose. This works because one encryption key is used per account and the encryption is deterministic: the same clear-text value always produces the same token, so rules, sorting and aggregation keep working on tokens across all of the account’s data while the values themselves stay anonymized.
If Several Employees Share a Computer (Terminal Server)
When the StaffCounter working folder is shared between users, logs and screenshots are visible unless encryption is enabled. Once enabled, these files become unreadable, preventing insider access.
Technical Notes
E2EE functionality is open source and implemented in the jsec.js file, available at data.staffcounte.net. Encryption uses the Web Crypto API, and all operations are executed within the browser memory. StaffCounter assists with key storage and encrypted data transfer.
Summary of StaffCounter End-to-End Encryption:
- Each user account and StaffCounter Agent generates an RSA key pair (2048-bit).
- The account owner creates a random 256-bit AES MasterKey.
- The MasterKey is protected by the account password using PBKDF/AES-256, stored as an encrypted blob.
- The MasterKey is RSA-encrypted and sent to devices via the StaffCounter service.
- The StaffCounter Agent encrypts sensitive data with AES-256: application names, window titles, URLs, keystrokes, clipboard, chat, documents, screenshots, webcam captures, audio.
- Metadata like action type, timestamp, and duration remain in clear form.
- PBKDF is used to derive intermediate keys and secure the password.
- Passwords are never sent to StaffCounter in plain form.
- Once enabled, encryption cannot be disabled in the account or agent.
StaffCounter does not perform any encryption itself — it stores only public keys and encrypted blobs. Future improvements will enable key storage strictly within the browser. We’re also developing the SafeJKA browser plugin for stronger authentication and key handling.
Difference from SSL Encryption
Unlike most solutions, StaffCounter applies encryption beyond standard SSL/TLS. Decryption occurs only in the browser after user authentication.
Other systems may encrypt data during transfer and decrypt it on the server. StaffCounter never decrypts the data server-side — it’s stored and processed in encrypted form. Only the account owner, with their password, can access plain-text data. This is a key differentiator.