Real security, explained simply.

Vauzy keeps your secrets safe. We use strong locks, short keys that change often, and checks that make sure only you can open your stuff.

Start 14 day trial Request a demo

How should we explain this?

Whether you prefer a plain-English overview or a deep dive into encryption details, you can view our security model in the way that suits you best.

Industry standard AES-256-GCM encryption

We encrypt sensitive data with AES-256-GCM — a modern authenticated mode trusted by banking, healthcare, and cloud platforms. It delivers strong confidentiality plus integrity checks to detect tampering.

256-bit keys with GCM high performance and built-in authentication tags
Strict IV uniqueness and unique counter binding per operation
Auth tag verification on every decrypt; hard-fail on mismatches

Implementation safeguards

CSPRNG-backed IV / unique counter generation; enforced uniqueness per key
AAD on every operation to bind context to the auth tag
Safe key rotation and deterministic re-encryption pathways

Industries that trust and rely

AES-256-GCM

encryption:

BankingGovernmentHealthcareInsuranceLawMilitary

We lock your data with proven tech

Your secrets are scrambled using the same kind of protection trusted by banks and hospitals. If someone steals a copy, all they get is unreadable gibberish.

Each lock is unique and checked before anything opens.
We never reuse keys in a risky way.
If anything looks wrong, it won’t open at all.

Built-in safety steps

Fresh, high-quality randomness every time we lock or unlock.
Extra labels attached to each lock so we can spot tampering.
Safe ways to change keys without breaking your data.

Trusted everywhere:

BankingGovernmentHealthcareInsuranceLawMilitary

Safe when stored. Safe when sent.

Your data is protected in two ways: when it sits in our databases, and when it travels across the internet. We use short-lived keys that change often and checks that prove everything is legit.

At rest: four independent encryption layers

Each layer uses its own AES-256-GCM key, a unique IV , a one-time unique counter , and AAD to bind context. A compromise in one layer cannot unlock another.

1) Tenant layer
Each organisation within vauzy has a unique 64 byte encryption key which is sealed by AWS KMS . It encrypts each vault’s unique 256 bit key using AES-256-GCM with unique IV / counter and contextual AAD .
2) Vault layer
Every vault has its own AES-256-GCM key. AAD includes vault and organisation identifiers to detect tampering. This ensures that data from one vault can never decrypt another — even within the same account.
3) Vault - Credential relationship layer
Each unique credential and vault relationship gets a dedicated encryption key, which is encrypted by the parent vault key. Rotate or revoke one item without touching others.
4) Credential Secret layer
Your actual secret (password, TOTP seed, API key e.t.c) is encrypted with AES-256-GCM using the resulting unique decrypted credential key. Again this has a a unique IV / counter and AAD (scope + policy). The authentication tag and AAD must verify before anything decrypts.

Four layers. One unbreakable chain.

Your sensitive information has to pass through all 4 levels of encryption going in and out of our data layer.

Every layer uses its own encryption key, unique IV , and one time counter — no key or counter is ever reused.
AAD validation binds context (organisation, vault, credential, secret) to each encryption operation for integrity you can prove.
Each vault, credential, and secret is isolated — compromise of one cannot unlock another.
Organisation root keys are sealed in AWS KMS and only ever used to wrap lower-level keys.
Each layer passes through strict access control and integrity checks.

At rest: four layers of protection

Think of your data like a series of locked boxes inside each other. Each layer of protection has its own unique key and security checks, so even if one box was opened, the others would stay sealed.

1) Organisation layer
Every organisation in Vauzy has its own master key, stored safely inside Amazon’s Key Management Service ( KMS ). This top-level key only unlocks the vault keys below it and never leaves its secure hardware.
2) Vault layer
Each vault has its own key too. This means information from one vault can’t be read or decrypted by another, even inside the same account.
3) Vault–Credential relationship
Every connection between a vault and a specific login or secret gets its own unique key. So if a password changes, only those relationships are updated, everything else stays untouched and secure.
4) Secret layer
Finally, your actual secret, the password, 2FA code, or API key is locked again with another key that’s brand new every single time it’s used. Before anything can be decrypted, every layer must pass its integrity checks, proving it hasn’t been changed or tampered with.

Four layers. One unbreakable chain.

Your data doesn’t just get locked once, it’s wrapped in four separate, uniquely keyed layers. Each key is used only once, checked for accuracy, and verified for integrity before it ever unlocks the next.

Each layer has its own key and random encryption value, nothing is ever reused.
Every layer double-checks its identity and context before decrypting, this prevents mistakes or mix-ups.
Vaults and credentials are fully isolated meaning access to one never exposes another.
Organisation master keys stay sealed in AWS hardware, they’re never exposed to our systems or staff.
Every decryption must pass multiple integrity checks before it succeeds with no shortcuts or silent errors.

In transit: passkey -bound end-to-end

During authentication, the client and server exchange ECDH public keys and derive a short-lived shared secret. Keys live only in memory and are tied to the active authentication session.

1) Verified handshake
Passkey login verifies the user on device. The client and server swap ECDH public keys and derive the shared secret for this session.
2) Memory-only keys
The browser stores its public and private keys only in memory, along with the server’s public key. Nothing is written to local or session storage, so each tab authenticates independently.
3) Ciphertext across the platform
Sensitive requests are encrypted with the derived shared session secret and travel through Vauzy as ciphertext. Inside our isolated AWS data layer, the secure data processor derives the same secret and decrypts to persist or respond — then re-encrypts back to the client.
4) Key rotation every 3 minutes
Sessions for sensitive actions last about three minutes. When renewed, a fresh ECDH key exchange exchange creates new keys and a new shared secret.

Zero-trust, zero storage, zero compromise

End-to-end means what it says: only your device and the secure data processor ever see decrypted information. Everyone — and everything — else just sees ciphertext.

Keys exist only in memory and are never persisted or reused.
Shared secrets are short-lived and regenerated with every authentication.
Encrypted payloads flow through the entire system as ciphertext — services process policies, not secrets.
Session-bound encryption keys link directly to your passkey verification (with user verification enforced).

In transit: locked from end to end

Whenever you log in with your passkey, your device and Vauzy quickly create a shared secret handshake that only they know. This secret lives for just a few minutes, never leaves your device’s memory, and encrypts everything sensitive you send or receive.

1) Secure handshake
When you authenticate with your passkey, your device proves who you are using biometrics, then swaps coded “public keys” with Vauzy. Both sides use these to create a shared secret known only to them for this short session.
2) Memory-only keys
The encryption keys never get written to local storage or cookies, they live only in memory while you’re active. Close the browser tab, and the keys vanish completely. Each tab starts its own secure session.
3) Always encrypted in motion
When you view or update credentials, your browser encrypts the data before it leaves your device. It travels through Vauzy’s systems as scrambled text, even our servers can’t read it. Inside our isolated AWS environment, a secure processor briefly decrypts it only to store or send it back to you.
4) Auto-refreshing keys
Every few minutes, Vauzy automatically performs a new handshake and generates a fresh encryption key. This constant key rotation means even if someone could capture a key, it would already be expired before it could be used.

Zero storage. Zero exposure. Zero chance.

End-to-end encryption means exactly that — only your device and our secure data processor ever see decrypted information. Everything else that touches it, from our APIs to our message buses, only sees encrypted data.

Encryption keys exist only while you’re logged in and disappear when you leave.
New shared secrets are created automatically every few minutes.
All data in motion stays encrypted — our systems can handle it, but can’t read it.
Every encryption key is linked to your biometric-verified passkey session for total identity assurance.

Integrity first: if anything looks off, it won’t open.

Short-lived secrets: keys change often and expire quickly.

We can’t see your secrets: we handle scrambled data, not the actual values.

Hosted on AWS , isolated by default

AWS foundation

Industry-standard reliability and security controls. Our data layer resides in an isolated VPC with tightly scoped ingress/egress.

Encrypted message bus

Internal services communicate via Kafka with SSL/TLS and SASL-SCRAM . No plaintext traffic on the wire.

KMS -protected keys

Organisation keys are wrapped with AWS KMS . Rotation and access are enforced by policy and audited.

We also apply least-privilege IAM , WAF on public edges, private subnets for data services, and continuous backups with encrypted storage.

Runs on AWS. Locked down by default.

AWS foundation

We use Amazon’s cloud. Our data sits in its own private area with tight gates.

Encrypted message bus

Our internal chats between services are encrypted. No plain text on the wire.

Protected keys

Important top-level keys are guarded by AWS and closely tracked.

We use least-privilege access, firewalls, private networks, and encrypted backups.

Additional key security features

Replay protection, by default

Every sensitive request includes a single-use one-time value and a short-lived, timestamped request hash. Replays or late arrivals are automatically rejected and logged.

One-time value enforced per end-to-end session
Expiring hash window prevents stale or delayed replays
Audit entries on violations and integrity failures

Granular access control

Every vault, user, and action in Vauzy has defined permissions. From full account admins down to read-only users, access is granted only where it’s explicitly allowed.

Vault-level role management with four access tiers
Separate billing admin permissions for financial access
Audit and access checks enforced before every credential read or write

Zero-knowledge architecture

Sensitive data is encrypted and decrypted entirely on the client side. By design, vauzy’s infrastructure never has visibility of your passwords, TOTP codes, or vault secrets.

All secrets encrypted before they leave your device
End-to-end encryption ensures servers only handle ciphertext
No plaintext access — not even for our engineers

Full transparent auditing

Every action, from login to credential access, is logged, timestamped, and verifiable. Clients and agencies both see full activity trails for every shared vault.

Track who accessed what, when, and from where
IP-level visibility for all vault activity
Clients see agency actions with anonymized identifiers for transparency and privacy

Passwordless authentication

Vauzy uses modern WebAuthn passkey for secure, phishing-proof login. Your identity is verified through hardware-backed biometrics — no master password required.

FIDO2-compliant passkeys protected by Face ID, Touch ID, or Windows Hello
Private keys never leave your device
No master password to remember, store, or risk leaking

Short-lived encryption sessions

Each authenticated session lasts just three minutes, rotating encryption keys every cycle. This minimizes exposure time and ensures that even active sessions remain tightly contained.

Automatic key rotation tied to passkey validation
Independent re-auth required for sensitive actions
Short-lived credentials eliminate long-standing access windows

Additional key security features

Replay protection

Every request is unique and can only be used once. If anyone tries to resend it, it’s automatically blocked, keeping your data safe from replay attacks.

Each action can only happen once
Old or duplicate requests are automatically rejected

Fine-tuned access control

Control who can see or change credentials down to the vault level. Give teammates the access they need and nothing more.

Different roles for admins, editors, and viewers
Billing access kept completely separate

Zero-knowledge design

Your secrets are encrypted before they ever leave your device. Even Vauzy can’t see your passwords or 2FA codes, only you can decrypt them.

Data stays encrypted end-to-end
We never see or store your plaintext credentials

Transparent activity logs

Every action is tracked and time-stamped. You’ll always know who accessed what and when, across both client and team accounts.

Instant visibility into vault activity
Shared logs build trust between teams and clients

Passwordless login

Forget master passwords. Vauzy uses secure passkeys which are backed by your device’s biometric login, so you can sign in safely without remembering a thing.

Face ID, Touch ID, or Windows Hello supported
No passwords to forget or share

Short-lived sessions

You stay logged in just long enough to work securely. After a few minutes, sensitive actions require a quick re-authentication for added protection.

Automatic timeout after a short window
Fresh verification for sensitive actions

Frequently asked

What if someone steals a database backup?

They only see scrambled data. Without the right keys, it’s useless.

How do you stop repeated requests?

We use one-time numbers and short timers. Copies and late replays get blocked.

Security that scales with you

From single teams to agency–client networks, Vauzy keeps secrets safe without slowing you down.

Start 14 day trial Request a demo

Real security, explained simply.

Simple view

Technical view

Industry standard AES-256-GCM encryption

Implementation safeguards

We lock your data with proven tech

Built-in safety steps

Protected at every layer. Protected on every hop.

Safe when stored. Safe when sent.

Zero-trust, zero storage, zero compromise

Zero storage. Zero exposure. Zero chance.

AWS AWS (Amazon Web Services): A trusted cloud platform used by millions of businesses worldwide. It provides secure, scalable infrastructure, from encrypted storage to network isolation and underpins Vauzy’s hosting, encryption key management, and data protection systems. foundation

Encrypted message bus

KMS AWS KMS (Key Management Service): A secure vault for encryption keys managed by Amazon Web Services. Keys are stored inside tamper-resistant hardware and never leave the service, even we can’t see them. -protected keys

Runs on AWS. Locked down by default.

AWS AWS (Amazon Web Services): A trusted cloud platform used by millions of businesses worldwide. It provides secure, scalable infrastructure, from encrypted storage to network isolation and underpins Vauzy’s hosting, encryption key management, and data protection systems. foundation

Encrypted message bus

Protected keys

Additional key security features

Replay protection, by default

Granular access control

Zero-knowledge architecture

Full transparent auditing

Passwordless authentication

Short-lived encryption sessions

Additional key security features

Replay protection

Fine-tuned access control

Zero-knowledge design

Transparent activity logs

Passwordless login

Short-lived sessions

Frequently asked

Frequently asked

Security that scales with you

Security that scales with you

AWS foundation

KMS -protected keys

AWS foundation