Security by design
End-to-end encryption & envelope keys. Vauzy uses a layered envelope encryption design. Each secret is encrypted with a unique symmetric key; per-item keys are encrypted under a per-vault key; each vault key is encrypted under a per-tenant key. This enables granular access control, efficient cross-vault sharing, and revocation without re-encrypting payloads. Secret payloads use AEAD ciphers (e.g., AES-256-GCM) with AAD binding. Keys are never stored in plaintext and decryption occurs only in memory during authorised operations.
Key management & rotation. Keys are generated from high-entropy sources and rotated per policy. Access to key material is least-privilege and fully audited. Enterprise options (e.g., customer-managed keys) are supported without exposing plaintext to Vauzy.
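The layered envelope design and key rotation described above, sketched with Node.js's built-in crypto module. This is an added example, not Vauzy's code; the function names, record layout and AAD strings (built from tenant, vault and item identifiers) are assumptions.

```javascript
// Added illustration: names, AAD strings and blob layout are assumptions, not Vauzy's code.
const nodeCrypto = require('node:crypto');

// AES-256-GCM seal. Output: nonce(12) || tag(16) || ciphertext; aad is authenticated, not stored.
function seal(key, plaintext, aad) {
  const nonce = nodeCrypto.randomBytes(12);
  const c = nodeCrypto.createCipheriv('aes-256-gcm', key, nonce);
  c.setAAD(Buffer.from(aad));
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([nonce, c.getAuthTag(), ct]);
}

// Throws unless key, blob and aad all match what was sealed.
function unseal(key, blob, aad) {
  const d = nodeCrypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  d.setAAD(Buffer.from(aad));
  d.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]);
}

// Tenant layer: a vault key is stored only wrapped under the tenant key.
const wrapVaultKey = (tenantKey, tenantId, vaultId, vaultKey) =>
  seal(tenantKey, vaultKey, `vaultkey:${tenantId}/${vaultId}`);
const unwrapVaultKey = (tenantKey, tenantId, vaultId, blob) =>
  unseal(tenantKey, blob, `vaultkey:${tenantId}/${vaultId}`);

// Item layer: fresh key per secret, wrapped under the vault key.
function storeSecret(vaultKey, vaultId, itemId, secret) {
  const itemKey = nodeCrypto.randomBytes(32);
  const ctx = `${vaultId}/${itemId}`;
  return {
    itemId,
    payload: seal(itemKey, Buffer.from(secret), `payload:${ctx}`),
    wrappedItemKey: seal(vaultKey, itemKey, `itemkey:${ctx}`),
  };
}

function readSecret(vaultKey, vaultId, rec) {
  const ctx = `${vaultId}/${rec.itemId}`;
  const itemKey = unseal(vaultKey, rec.wrappedItemKey, `itemkey:${ctx}`);
  return unseal(itemKey, rec.payload, `payload:${ctx}`).toString();
}

// Vault-key rotation: re-wrap the 32-byte item key only; payload bytes are untouched.
function rewrapItemKey(oldVaultKey, newVaultKey, vaultId, rec) {
  const aad = `itemkey:${vaultId}/${rec.itemId}`;
  const itemKey = unseal(oldVaultKey, rec.wrappedItemKey, aad);
  return { ...rec, wrappedItemKey: seal(newVaultKey, itemKey, aad) };
}
```

Swapping a record's blobs onto another item ID fails authentication because the identifiers are bound as AAD. Re-wrapping cuts off holders of the old vault key from the stored record, but an item key a party has already unwrapped stays usable until that item is re-encrypted.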
Authentication and access
- Passkeys-only login (WebAuthn): phishing-resistant, passwordless authentication.
- Session protection: TLS everywhere, secure cookies, device/session management.
- Role-based controls: fine-grained permissions and sharing scopes.
Audit logging
Material actions are audit-logged with user, timestamp, and IP address. Logs are tamper-resistant, access-controlled, and monitored.
Infrastructure and operations
- Hosting: AWS (UK/EU by default), VPC isolation, hardened images, least-privilege IAM, encrypted storage/backups.
- Monitoring & response: centralised logging, alerting, incident response runbooks, regular tabletop exercises.
- Testing: secure SDLC, code review, regular vulnerability scanning and third-party penetration tests.
- People & process: background checks where lawful, confidentiality agreements, mandatory security training, MFA on admin systems.
Compliance trajectory
- Cyber Essentials (target).
- Working towards ISO/IEC 27001 and SOC 2 attestations.
- HIPAA-aligned safeguards for applicable use cases (BAAs case-by-case).
Business continuity
Encrypted backups, redundancy, disaster recovery plans (RTO/RPO appropriate for SaaS), regular recovery tests.
Vulnerability disclosure
Report issues to security@vauzy.com. We practise responsible disclosure and prioritise fixes.
