HexVault is the IAM platform that provably can't read your credentials. Granular RBAC, just-in-time access grants, continuous directory sync, and device posture — all built on end-to-end zero-knowledge encryption. Enterprise control without the enterprise compromise.
01 · The problem
Someone leaves. You disable their account. But the AWS keys, Stripe live key, domain registrar login — they’ve seen all of it. You hope they didn’t copy anything.
HexVault fix
Offboarding workflow. When you remove a member, HexVault shows every credential they accessed in the last 90 days, creates rotation tasks with assignable owners, and revokes their cryptographic key.
02 · The problem
Your contractor needed database access for a sprint. You added them two months ago. They’re still in there. You have no log of what they accessed.
HexVault fix
Just-in-time access. Grant temporary folder access for a defined window — 4 hours to 1 week. Expires automatically. Every access is logged. No more manual cleanup.
03 · The problem
Your AWS root key hasn’t been rotated since 2021. Three ex-employees have seen your Stripe live key. You know you should fix this but there’s no system for it.
HexVault fix
Rotation enforcement. Set a rotation policy. HexVault tracks which credentials are overdue, who owns them, and when each was last changed. HexGuard surfaces the list every morning.
Zero-knowledge architecture
We cannot read your data. By design.
This is not a privacy policy. It is a mathematical constraint. Without your master password, our database contains nothing useful to anyone.
01 · On your device
Argon2id key derivation
Your master password never leaves your device. Argon2id derives your encryption key locally — memory-hard and significantly more resistant to GPU attacks than standard KDFs. The key is marked non-extractable by your browser.
02 · Per entry
AES-256-GCM encryption
Every credential is encrypted independently with its own derived key. Compromising one entry cannot expose the rest — even with access to the encrypted database.
03 · Server receives
Ciphertext only
We store only encrypted data. There is no architectural path for HexVault — or anyone who breaches us — to read your credentials.
Most IAM tools trust the server with your secrets. HexVault doesn't have that option — the server sees only ciphertext. Every access control decision is enforced at the cryptographic layer, not the policy layer.
Granular RBAC
Read. Write. Admin. Per folder. Per member.
Assign granular permissions to individual members or groups. Restrict access to exactly what each person needs — nothing more. Permissions are enforced server-side before a single byte of ciphertext is returned.
Example folder: AWS Production (restricted) · DevOps Group: Admin · Engineering Group: Read · Alex Johnson: Write
Just-in-Time Access
Access that expires. Not policies that don't.
Members request temporary access to specific folders with a reason and duration. Admins approve in one click. Access auto-revokes when the timer hits zero. No manual cleanup. No forgotten permissions.
Active grants (example)
Sarah W. → Cloudflare · Read · Incident response · 1h 42m remaining
Mike K. → AWS Production · Write · Deploy v2.4.1 · 0h 18m remaining
Directory Sync
Someone leaves. Access gone in 15 minutes.
Connect Google Workspace or Microsoft 365. HexVault polls your directory every 15 minutes and auto-suspends any member who's no longer there. Sessions revoked. Admins notified. No manual offboarding checklist.
See every trusted device across your org — OS, browser, last seen, location. Instantly spot members without 2FA, stale devices, or low security scores. Revoke any device with one click from the admin dashboard.
Example dashboard: 3 members with no 2FA · 2 with no device · 18 healthy
J. Brown: High risk · T. Khan: OK
AES-256 encryption · 15 min sync interval · 0 sec JIT grant setup · 0 bytes plaintext stored
04 · Enterprise IAM
The controls your CISO will actually ask for.
Role-based access, just-in-time grants, automatic deprovisioning, and device posture — all operating on a cryptographic foundation that makes server compromise irrelevant.
Granular RBAC
Assign read, write, or admin permissions per folder per user or group. Folder-level access modes — open or restricted. Permissions are enforced server-side: the wrong member simply doesn't receive ciphertext.
Just-in-Time Access
Members request temporary access with a reason and duration. Admins approve in one click. Grants auto-expire — no forgotten permissions, no manual cleanup. Full request and approval trail in the audit log.
Directory Sync
Connect Google Workspace or Microsoft 365. HexVault polls your directory every 15 minutes and automatically suspends members who have left it — sessions revoked, admins notified. No offboarding checklist required.
Device Posture Dashboard
Every trusted device across your org — OS, browser, last seen, location. One-click admin revoke from the dashboard.
SSO / SAML 2.0
Okta, Azure AD, Google Workspace, and any SAML 2.0 provider. SCIM provisioning for automatic account lifecycle management.
Immutable Audit Log
Every access, change, and approval. Timestamped, tamper-evident, exportable to CSV or your SIEM. Compliance-ready out of the box.
Multi-Party Approval
Destructive actions require quorum approval with time-delay and cancellation windows. No single admin can act unilaterally.
Service Accounts & API Tokens
Machine identities for CI/CD pipelines. Scoped to specific folders. Read-only or read-write. Revokable in one click.
Policy Enforcement
Mandate 2FA, rotation intervals, and minimum password strength. Non-compliance surfaced in the admin dashboard automatically.
Structured Offboarding
Instant org key revocation on departure. Sessions revoked. Former-employee credentials cryptographically worthless in seconds.
Webhooks & SIEM Integration
Signed webhooks for every org event — member join, access granted, credential rotated. Plug into Splunk, Datadog, or any endpoint.
Interested in Enterprise? Let's Talk.
Org vaults, multi-party approval, structured offboarding, SSO, and audit logging. Pricing scales with your team. Get in touch to discuss early access and the product roadmap.
Every other AI security tool answers generic questions. HexGuard queries your real breach data, rotation gaps, and access patterns — then reasons from it. Specific intelligence, not generic advice.
Daily security briefing grounded in your vault state
One-click alert explanation — what happened and what to do
Every plan is fully featured from day one, whether you're securing your own digital life or your whole team's. Try any plan for 14 days — no card required.
Personal
£3.99/mo billed monthly, or £3.19/mo billed annually (save 20%, £9.60/yr)
14-day free trial
Zero-knowledge encryption, AI security analysis, and breach monitoring. Everything you need — nothing you don't.
HexVault's offboarding workflow shows you every credential that person accessed, creates rotation tasks for each one with assignable owners, and cryptographically revokes their access — all in one step. There's a configurable grace period for knowledge handover, and a final audit record is stored automatically when offboarding completes. Most teams complete a full offboarding in under 10 minutes.
Most teams are fully set up in under an hour. Import from LastPass, 1Password, Bitwarden, or a CSV file. Invite your team by email. Assign folders and roles. No agents to install, no IT project, no consultants required. The browser extension installs in seconds and starts autofilling immediately.
Yes. HexVault generates a one-click PDF compliance report showing your credential security posture — rotation compliance, breach exposure, 2FA coverage across the team, and your security score trend. This is accepted by insurers for cyber liability questionnaires and is suitable for ISO 27001 and Cyber Essentials audits.
Your master password never leaves your device. All encryption happens in your browser using Argon2id + AES-256-GCM before any data is transmitted. HexVault's servers receive only encrypted ciphertext — we have no mathematical ability to read your passwords, even if compelled by a court order or breached by an attacker.
HexVault uses Argon2id with 64 MB of memory per derivation attempt. 1Password uses PBKDF2, and Bitwarden defaults to 19 MB. This makes brute-forcing your master password significantly more expensive per guess on modern GPU hardware. We're also UK-based, fully GDPR-compliant, and our client code is intentionally unminified so you can audit it.
Nothing — this is the core promise of zero-knowledge architecture. A server breach yields only AES-256-GCM ciphertext. Without your master password (which never left your device), decrypting it is computationally infeasible. Your account email and subscription status would be exposed, and we would notify you, but your actual passwords remain safe.
Yes. HexVault supports importing from 1Password, Bitwarden, LastPass, Dashlane, KeePass, and generic CSV. The import runs entirely client-side — your passwords are encrypted on device before upload, so the import itself is zero-knowledge too.
Yes. HexVault Ltd is registered in England and Wales. All data is hosted within the UK and EEA on encrypted volumes. We do not transfer personal data outside the UK/EEA without an adequacy decision or appropriate safeguards. We are registered with the ICO as a data controller.
No credit card required. You get full access to the Personal plan for 14 days, including unlimited password entries, breach monitoring, HexGuard AI, and two-factor authentication. After 14 days you choose a plan — or the free tier continues with limited entries.
Yes. HexVault supports WebAuthn / FIDO2 — Face ID, Touch ID, Windows Hello, and physical hardware keys like YubiKey. These are phishing-resistant by design, scoped to hexvault.co.uk so they cannot be replayed on a fake domain.
Watchtower is HexVault's proactive threat intelligence layer. It cross-references every domain in your vault against live HIBP breach disclosures — if GitHub has a breach and you have GitHub credentials, Watchtower flags it. It also monitors for expiring credentials and detects Content Security Policy violations on your vault session. Available in both the web vault and the browser extension.
The Breach Alarm is a one-button incident response system. When triggered, it instantly terminates every active session across the organisation, fires a webhook to your SIEM, Slack, or PagerDuty, and walks the admin through a recovery checklist. Canary trip wires — decoy credentials — auto-trigger the alarm if accessed. Available on Enterprise plans.
Yes. HexVault supports JSON, CSV, and a zero-knowledge encrypted .hvenc export. The .hvenc format stores credentials in their already-encrypted form — useless without your master password, verifiably authentic with it. There's also a Vault Identity Card: a signed attestation of your security posture for compliance submissions.
Press Cmd+K anywhere in the vault. Type to search passwords, notes, or vault actions. Arrow keys navigate, Enter selects, Escape closes. Open entries, trigger the generator, lock the vault, open settings — all from the keyboard without touching the mouse. Also available in the browser extension.
256-bit AES-GCM · 0 data sold · 100% zero-knowledge
Get in touch
We typically respond within one business day.