Identity & access management

Credential security that's architecturally sound

Zero-knowledge credential vault and IAM platform for teams. Role-based access, multi-party approval, structured offboarding — all encrypted client-side before anything leaves your device.

Zero-knowledge AES-256-GCM on every credential
Multi-party approval enforced by architecture, not convention
Role-based access with cryptographic separation
Structured offboarding that mathematically revokes access
Live audit stream with anomaly detection and breach monitoring
SAML SSO, SCIM provisioning, and emergency access
UK-hosted · GDPR compliant · From £3.99/mo

The problem

Why most teams have a credential problem they don't know about yet

Incident response reveals the same failures at organisation after organisation. None of them are technical — they're architectural.

Shared admin credentials
Three people know the password. Nobody knows who used it last. No audit trail and no way to revoke access for just one of them.
Policy-not-practice revocation
The leaver's access was "revoked" in the ticket. But their credentials still work in the shared vault. The system did the opposite of the policy.
No quorum on sensitive operations
One person can export the vault or add an admin. No second approval required — just trust, and the assumption that it holds.

IAM capabilities

Access management enforced by architecture, not by convention

Every feature exists because the alternative — "just trust people" — has a known failure mode we've seen in incident response.

Role-based credential access
Assign credentials to roles, not individuals. When someone changes position or leaves, one change revokes or transfers everything they had access to.
Access control
Multi-party approval
Define operations that require two or more approvals before they execute. Adding admins, exporting vault data, modifying billing — all require quorum. Cryptographically enforced.
Privileged access
Structured offboarding
Guided workflow: revoke vault access, rotate shared credentials, transfer ownership of entries, produce an audit record — in the right order, every time.
Offboarding
Live security stream
Every sensitive action appears in a live audit stream with anomaly scoring. Filter, pause, and export for compliance. Retained for 12 months.
Audit & monitoring
Per-entry key derivation
Every credential is encrypted with its own derived key. Compromising one entry — or even the master password — doesn't expose the rest. Most password managers skip this.
Zero-knowledge
Breach alarm
When a breach is detected, HexVault kills all active sessions org-wide, forces credential rotation, and walks administrators through guided recovery. The first 15 minutes matter.
Incident response

How it compares

IAM capabilities vs the alternatives

Most password managers were built for individuals and had team features bolted on later. The architecture shows.

Capability | HexVault | 1Password Teams | Bitwarden | LastPass
Zero-knowledge encryption✓ Always✗ Server decrypts
Per-entry key derivation
Multi-party approval✓ Cryptographic
Structured offboardingPartialPartialPartial
Breach alarm + org lockdown
UK-hosted option✗ US only✗ US only✗ US only
Starting price (teams) | £3.99/mo | $7.99/user/mo | $4/user/mo | $4/user/mo