SpiderOak Enterprise is designed as a No Knowledge system, meaning we at SpiderOak know nothing about the encrypted data your users store on our servers. This means your users' files are encrypted before they leave their computers, and those files remain encrypted while in storage. They are never decrypted until they are unlocked with the encryption keys held on your users' computers or in your Management Console. In that way, your users have access to their files, and you as the system's administrator have access to all your users' files, yet we at SpiderOak do not, nor does anyone eavesdropping on the traffic to your Management Console or to your users' computers.
For example, when you attempt to log in to the Management Console, you provide your username and password to a computer powering the Console, which is running at your organization under your control. Authentication is performed there, not on our computers. Upon successful authentication, a connection is then established with our servers.
If you then request a user's file via the Management Console, the Console determines which encrypted data blocks correspond to the wanted file and requests those blocks from our storage. Our servers only know that particular blocks are wanted but do not know the file associated with them or their contents. The Management Console receives the encrypted blocks and decrypts them on your end.
A similar process is used when your users log in, upload, and download files. Their SpiderOak Groups application has only their own encryption keys, not those of anyone else, so an end user is only able to access his or her own files and not those of any other end user.
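The block retrieval and per-user key separation described in the two paragraphs above can be modelled as follows. This is an added example, not SpiderOak's code: the class and function names, the 16-byte block size, the random block ids, and the HMAC-SHA256 stream construction (a standard-library stand-in for a real authenticated cipher) are all assumptions made for illustration.

```python
import hashlib, hmac, os

BLOCK = 16  # assumed tiny block size so the constructed sample spans several blocks

def _prf(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()

def _xor_stream(key, nonce, data):
    # HMAC-SHA256 in counter mode as a keystream: stand-in for a real AEAD cipher
    ks = b"".join(_prf(key, nonce + i.to_bytes(8, "big")) for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def seal(key, plaintext):
    nonce = os.urandom(16)
    ct = _xor_stream(_prf(key, b"enc"), nonce, plaintext)
    return nonce + ct + _prf(_prf(key, b"mac"), nonce + ct)  # encrypt-then-MAC

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _prf(_prf(key, b"mac"), nonce + ct)):
        raise ValueError("block failed authentication: wrong key or modified data")
    return _xor_stream(_prf(key, b"enc"), nonce, ct)

class StorageServer:
    """What the provider holds: opaque ids mapped to ciphertext, plus a request log."""
    def __init__(self):
        self.blocks, self.requests = {}, []
    def put(self, block_id, blob):
        self.blocks[block_id] = blob
    def get(self, block_id):
        self.requests.append(block_id)  # the server learns only which ids were wanted
        return self.blocks[block_id]

class Client:
    """A user's application or the Console: holds the key and the file-to-block map."""
    def __init__(self, server):
        self.server, self.key, self.manifest = server, os.urandom(32), {}
    def upload(self, name, data):
        ids = [os.urandom(16).hex() for _ in range(0, len(data), BLOCK)]
        for n, block_id in enumerate(ids):
            self.server.put(block_id, seal(self.key, data[n * BLOCK:(n + 1) * BLOCK]))
        self.manifest[name] = ids  # file name and block order never reach the server
    def download(self, name):
        return b"".join(unseal(self.key, self.server.get(b)) for b in self.manifest[name])
```

A second `Client` that obtains the same block ids still cannot read the file, because `unseal` rejects blocks sealed under another key.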