Data Model / Terminology

Meeco Documentation

Data Model / Terminology


Storage for encrypted user data. User data cannot be decrypted and read by Meeco. In the current implementation the Vault functionality is implemented by the meeco-api.


Storage for secrets and keys. In the current implementation the Keystore functionality is implemented by meeco-keystore.


A Slot in the smallest data entity in the Vault. A Slot is a placeholder for one data value. Each Slot has a name, a label, and a value. Slots are typed. A Slot type defines what can be stored in a Slot and how this data is handled. Example Slot types are:

  • bool
  • date
  • datetime
  • image
  • key_value
  • url
  • phone_number
  • email
  • password

Slot values are stored in an encrypted form and only the user can read them.


A Card is a group of Slots related by a topic. For example, a user profile is a Card. A club membership, a flight reservation - all these can be Cards each having a number of Slot of different tiles in them.

A Card Template

A Card Template is a predefined list of empty Slots. Each Card is created by cloning such a template and filling in the Slots.


A Connection between two users is a channel via which users can share individual Slots on the Cards, or the entire Card itself.


A Share is created when a user grants access to their Card to another user. The Card is re-encrypted with a data encryption key shared with the recipient of the Share.

Passphrase Derived Key And Derivation Artefacts

A Passphrase Derived Key is a PBKDF2 key in the current implementation. To generate or re-generate this key, a passphrase and derivation artefacts are required. Derivation artefacts include:

  • Number of iterations
  • Salt
  • Derived key length

Derivation artefacts are stored in the Keystore. Neither the Passphrase Derived Key itself nor the passphrase are stored in the Keystore

Key Encryption Key (KEK)

The Key Encryption Key which is used to encrypt all other keys (data encryption keys and keypairs) before they are stored in the Keystore. The Key Encryption Key is encrypted with the Password Derived Key.

In the current implementation this is an AES256-GCM key, but the serialization format of encrypted data used in the Meeco platform allows for adding new encryption algorithms without breaking backwards compatibility.

There is one Key Encryption Key per user.

Data Encryption Key (DEK)

Data Encryption Keys are AES256-GCM keys used to encrypted and decrypt user data. Data Encryption Keys are stored in the Keystore encrypted with the Key Encryption Key.

A Data Encryption Key is created for various functions of the API. For instance, a DEK is created when a user Shares a Slot with another user. When that user connects with another user, the first time they share another DEK is created.

It is possible for a user to have multiple Data Encryption Keys


Public key cryptography is used for Connections and shared between users. Private keys are stored in the Keystore encrypted with the Key Encryption Key.

Classification Scheme

The Meeco platform has a very flexible way to tag information. Instead of having a traditional simple flat list of tags the system can be configured to have multiple independent Classifications. Combinations of these Classifications are called Classification Schemes.

Classification Node

A Classification Scheme consists of a tree of Classification Nodes. A Classification Node

  • belongs to a Classification Scheme
  • has a parent Classification Node unless it is the top node
  • has property name
  • has property label
  • has property description
  • has property image


A Classification is a link between a Classification Node and a classified entity. The link to a classified entity is polymorphic, that is, many entities can be classified in the Meeco model.