HexVault for Enterprise | Team IAM, SSO & Privileged Access Management

Zero-knowledge IAM
built for security teams

Granular RBAC, multi-party approval, SIEM integration, and cryptographic offboarding — running on an architecture that provably cannot read your credentials.

Platform

What zero-knowledge actually means for your team

Most enterprise password managers claim zero-knowledge. HexVault is architecturally zero-knowledge — credential ciphertext is generated on the client before it reaches our servers. There is no server-side path to read vault contents, because the decryption key never leaves the device. We cannot be subpoenaed for data we don't hold.

Per-entry key derivation via Argon2id + HKDF means even if your organisation's vault database were exfiltrated, individual entries would require independent brute-force attacks. Shared team credentials use envelope encryption with per-member key wrapping — revoking a member's access is immediate and cryptographically complete.
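As an added illustration of the two mechanisms just described (per-entry key derivation with HKDF, and envelope encryption with per-member key wrapping, including what a "cryptographically complete" revocation has to do), here is a small Go program. It is example code written for this page, not HexVault's implementation, and it simplifies in three labelled ways: each member's wrapping key (KEK) is a random 32-byte value standing in for the Argon2id-derived key the page describes (Argon2id is not in Go's standard library); wrapping keys are symmetric and handed to the client that creates or re-keys an entry, where a real design would wrap to each member's public key instead; and the HKDF info label `hexvault-example/wrap/<entry>` is invented for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// hkdfExpand: HKDF-Expand (RFC 5869) over HMAC-SHA256, one 32-byte block bound to info.
// Extract is skipped because every input key here is already a uniform 32-byte key.
func hkdfExpand(prk, info []byte) []byte {
	mac := hmac.New(sha256.New, prk)
	mac.Write(info)
	mac.Write([]byte{1}) // T(1) = HMAC(PRK, info || 0x01)
	return mac.Sum(nil)
}

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing CSPRNG must not be papered over
	}
	return b
}

// gcm builds AES-256-GCM; every key reaching it is 32 bytes (HKDF or CSPRNG output), so neither constructor fails.
func gcm(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key)
	aead, _ := cipher.NewGCM(block)
	return aead
}

// seal / open: AES-256-GCM with a fresh random 12-byte nonce prepended to the output.
func seal(key, plaintext []byte) []byte {
	nonce := randBytes(12)
	return gcm(key).Seal(nonce, nonce, plaintext, nil)
}
func open(key, sealed []byte) ([]byte, error) {
	if len(sealed) < 12 {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm(key).Open(nil, sealed[:12], sealed[12:], nil)
}

// Envelope is one shared credential: the secret sealed under a random data key, plus that data
// key sealed once per member. The server stores this structure and holds no key at all.
type Envelope struct {
	EntryID    string
	Ciphertext []byte
	Wrapped    map[string][]byte // member ID -> data key sealed under that member's per-entry key
}

// wrapKey derives a per-member, per-entry key from the member's KEK, so no two entries share one.
func wrapKey(kek []byte, entryID string) []byte {
	return hkdfExpand(kek, []byte("hexvault-example/wrap/"+entryID)) // label is an example value
}

// NewEnvelope seals secret under a fresh data key and wraps that key for every member.
func NewEnvelope(entryID string, secret []byte, keks map[string][]byte) *Envelope {
	dataKey := randBytes(32)
	env := &Envelope{EntryID: entryID, Ciphertext: seal(dataKey, secret), Wrapped: map[string][]byte{}}
	for member, kek := range keks {
		env.Wrapped[member] = seal(wrapKey(kek, entryID), dataKey)
	}
	return env
}

// Open unwraps the data key with the member's own KEK, then decrypts the secret.
func (e *Envelope) Open(member string, kek []byte) ([]byte, error) {
	wrapped, ok := e.Wrapped[member]
	if !ok {
		return nil, fmt.Errorf("no wrapped key for %s", member)
	}
	dataKey, err := open(wrapKey(kek, e.EntryID), wrapped)
	if err != nil {
		return nil, err
	}
	return open(dataKey, e.Ciphertext)
}

// Revoke drops member and re-keys for everyone else: deleting the wrapped key alone would leave
// the old data key valid for anyone who cached it. secret comes from a caller who can still Open.
func (e *Envelope) Revoke(member string, secret []byte, keks map[string][]byte) {
	remaining := map[string][]byte{}
	for id, kek := range keks {
		if id != member {
			remaining[id] = kek
		}
	}
	*e = *NewEnvelope(e.EntryID, secret, remaining)
}

func main() {
	keks := map[string][]byte{"alice": randBytes(32), "bob": randBytes(32)} // constructed members
	env := NewEnvelope("prod-db", []byte("constructed sample secret"), keks)
	secret, _ := env.Open("alice", keks["alice"])
	env.Revoke("bob", secret, keks) // bob's wrapped key is gone and the data key rotated
	fmt.Println(env.Open("bob", keks["bob"]))
}
```

The point to take from Revoke is that removing a member's wrapped copy is necessary but not sufficient: a member who has already opened the entry may still hold the data key in memory, so the entry is re-keyed under a fresh data key and re-wrapped only for the members still entitled. Because the wrap key is bound to the entry ID through HKDF, a wrapped blob from one entry cannot be used to unwrap another, which is the per-entry isolation the paragraph above describes. `go run` prints bob's failed Open after revocation.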

Read the full security architecture →
Features

Everything your security team needs

Multi-Party Approval (MPA)
Destructive actions require quorum approval. Credential deletion, bulk export, member removal — nothing happens with one signature.
Just-in-Time Access
Time-limited access grants with member request flow, admin approval, and automatic expiry. Full audit trail on every temporary grant.
Structured Offboarding
Flags every credential a departing employee accessed, creates rotation tasks, cryptographically revokes access, and sends an audit-ready report.
Breach Alarm
One action kills all member sessions, fires your SIEM webhook, and walks admins through a dynamic incident checklist. Canary credentials auto-trigger on access.
SIEM Webhook
Every security event — logins, credential access, lockouts, MPA actions — POSTed to your SIEM, Splunk, or Datadog endpoint every 60 seconds, HMAC-signed.
Compliance Reports
Generate a 5-page SOC-2 / ISO-27001 style PDF on demand: member roster, controls table, security events, credential access log, and signed executive summary.
SSO / SAML 2.0
Native Okta, Azure AD, and Google Workspace SSO. Configure once, enforce for all members. JIT provisioning support.
IP Allowlist & Geo-Blocking
Restrict vault access to known corporate IP ranges. Enforce geo-blocking by country. Both apply at the session validation layer, not just the UI.
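The SIEM Webhook feature above says every delivery is HMAC-signed; what actually protects the receiving side is how the SIEM checks that signature before trusting the event batch. The Go program below is an added example for this page, not HexVault's webhook code: the header names (`X-Timestamp`, `X-Signature`), the `<unix-timestamp>.<body>` signing input, the hex encoding and the five-minute tolerance are all assumptions, and the event JSON and shared secret are constructed.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"time"
)

// maxSkew is an assumed replay window: deliveries older (or newer) than this are rejected.
const maxSkew = 5 * time.Minute

// Sign computes the signature a sender attaches (assumed layout): HMAC-SHA256 over
// "<unix-timestamp>.<body>", so neither the timestamp nor the body can be swapped unnoticed.
func Sign(secret []byte, ts int64, body []byte) string {
	mac := hmac.New(sha256.New, secret)
	fmt.Fprintf(mac, "%d.", ts)
	mac.Write(body)
	return hex.EncodeToString(mac.Sum(nil))
}

// Verify is what the SIEM-side receiver runs before ingesting a delivery. It rejects stale or
// future timestamps (replayed deliveries) and compares signatures in constant time.
func Verify(secret []byte, tsHeader, sigHeader string, body []byte, now time.Time) error {
	ts, err := strconv.ParseInt(tsHeader, 10, 64)
	if err != nil {
		return errors.New("malformed X-Timestamp header")
	}
	if d := now.Sub(time.Unix(ts, 0)); d > maxSkew || d < -maxSkew {
		return errors.New("timestamp outside tolerance: possible replay")
	}
	expected := Sign(secret, ts, body)
	if !hmac.Equal([]byte(expected), []byte(sigHeader)) {
		return errors.New("X-Signature mismatch: body or timestamp altered, or wrong secret")
	}
	return nil
}

func main() {
	secret := []byte("constructed-shared-secret")
	body := []byte(`{"event":"credential.access","member":"alice","entry":"prod-db"}`) // constructed
	ts := time.Now().Unix()
	sig := Sign(secret, ts, body)
	fmt.Println("genuine:", Verify(secret, strconv.FormatInt(ts, 10), sig, body, time.Now()))
	tampered := []byte(`{"event":"credential.access","member":"mallory","entry":"prod-db"}`)
	fmt.Println("tampered:", Verify(secret, strconv.FormatInt(ts, 10), sig, tampered, time.Now()))
}
```

Two details matter in practice: the signature must be computed over the raw request bytes exactly as received (re-serialising the JSON first will change whitespace and break verification), and the timestamp has to be part of the signed input, otherwise an attacker who captures one delivery can replay it with a fresh timestamp.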
Deployment

Cloud-hosted now.
Self-hosted coming.

HexVault currently runs as a managed cloud service — Docker / Traefik / PostgreSQL on dedicated infrastructure, served via Cloudflare. Self-hosted and on-premise deployment is on the roadmap for organisations that require data residency or air-gapped operation.

Cloud
Managed infrastructure. Zero setup. We handle availability, backups, and updates.
Self-Hosted
Docker Compose deployment on your own infrastructure. Coming soon — contact us to discuss requirements.
Early access

We’re in active early access

HexVault is being used today but is not yet in public launch. Enterprise customers who come in during early access receive founding pricing locked in permanently. We work directly with early enterprise customers to prioritise the features they need.

There will be downtime as we build. We document everything in the changelog, maintain a live status page, and aim for transparent communication about what’s happening and when. If that’s acceptable for your use case right now, we’d like to talk.

Interested in HexVault for your team?

We’re working directly with a small number of early enterprise customers. Get in touch with your use case and we’ll respond within one business day.

Talk to us →