This page documents HexVault's security posture, compliance status, controls, and data handling practices. Everything here is accurate to what we ship. If you need documentation beyond what is here — a DPA, sub-processor agreement, or security questionnaire response — contact [email protected].
HexVault is a zero-knowledge credential management platform. All vault data is encrypted on the client before it is transmitted, and neither the master password nor the vault key ever reaches our servers, so a breach of our infrastructure exposes ciphertext only, not your passwords. That guarantee covers stored data; it does not by itself cover the client code we serve, which is why the client-side encryption source is published unminified for inspection (see below). This document covers our security controls, compliance roadmap, and how we handle data on your behalf.
HexVault Ltd is registered in England and Wales and operates under UK GDPR and the Data Protection Act 2018. We act as a data processor for vault credential data (encrypted, unreadable to us) and as a data controller for account and billing data.
The following controls are implemented and verifiable. Client-side encryption controls can be inspected in our unminified source at hexvault.co.uk/security.
| Control area | Implementation | Status |
|---|---|---|
| Encryption at rest | AES-256-GCM per vault entry, performed client-side. Metadata in PostgreSQL is stored on encrypted volumes. | ✓ Live |
| Encryption in transit | TLS 1.3 enforced at the Cloudflare edge. HSTS with max-age=31536000 (one year). | ✓ Live |
| Key derivation | Argon2id (64 MB memory, 3 iterations, 4 threads), run on the client. The master password is never transmitted. | ✓ Live |
| Authentication | bcrypt (cost 12) for the server-side authentication credential. TOTP (RFC 6238) with replay protection. WebAuthn/FIDO2. | ✓ Live |
| Session management | HttpOnly/Secure/SameSite=Lax cookies. Server-side session store (Redis). Configurable inactivity timeout. | ✓ Live |
| Access control | Tier-based access control. Org vaults are cryptographically separated; vault keys are granted to members via ECDH key agreement. | ✓ Live |
| Audit logging | Credential access log, login events, org membership changes. Team plan and above. | ✓ Live |
| Vulnerability management | Responsible disclosure policy at /security. Patch SLA: critical within 7 days, high within 30 days. | ✓ Live |
| Rate limiting | Login: 10 attempts/15 min. API endpoints: per-route limits via Redis. Account lockout after threshold. | ✓ Live |
| CSRF protection | Per-session token on all state-changing requests. | ✓ Live |
| Content Security Policy | script-src 'self'; 'unsafe-inline' is not allowed. Inline scripts that are unavoidable are allow-listed by SHA-256 hash. | ✓ Live |
| Background checks | All personnel with system access are subject to identity verification. | ✓ Live |
| Penetration testing | Third-party independent test scheduled H2 2026. | ◐ Planned |
| SOC 2 audit | Type I engagement planned H2 2026. | ◐ Planned |
| Data category | What we store | Retention |
|---|---|---|
| Vault credentials | AES-256-GCM ciphertext with its authentication tag, plus the nonce (IV), only. We cannot decrypt. | Until account deletion, then within 30 days |
| Secure notes | AES-256-GCM ciphertext only. | Until account deletion, then within 30 days |
| Account data | Email, bcrypt password hash, username, subscription status. | Account lifetime + 30-day deletion window |
| Session data | Encrypted session token (Redis). No vault key stored server-side. | Expires on logout or inactivity timeout |
| IP addresses | Per-session and per-API-request for security monitoring. | 12 months |
| Audit logs | Credential access events, login events, org changes. | 12 months |
| Billing data | Stripe customer ID and subscription ID only. No card data. | Account lifetime + legal requirement (7 years for invoices) |
| Breach check data | The first 5 hex characters of the password's SHA-1 hash only. Neither the password nor its full hash is transmitted. | Not stored; sent only as a k-anonymity API call |
Data is hosted in the United Kingdom and the European Economic Area on encrypted volumes. We do not transfer personal data outside the UK/EEA without an adequacy decision or appropriate safeguards.
HexVault uses the following third-party sub-processors. We have Data Processing Agreements in place with each. Customers will be notified of sub-processor changes with 30 days' notice.
| Processor | Purpose | Data shared | Country |
|---|---|---|---|
| Stripe | Payment processing and subscription management | Email, billing address, Stripe customer ID | United States (EU SCCs / UK IDTA) |
| Postmark (ActiveCampaign) | Transactional email — password reset, verification, security alerts | Email address, email content | United States (EU SCCs / UK IDTA) |
| Cloudflare | DDoS protection, CDN, DNS | IP addresses, request metadata | United States (EU SCCs / UK IDTA) |
| Have I Been Pwned (HIBP) | Breach monitoring — k-anonymity model only | 5-character SHA-1 hash prefix only — no passwords | United States (no personal data transferred) |
| Sentry (optional) | Error monitoring — disabled for vault operations | Error stack traces, no vault data | United States (EU SCCs / UK IDTA) |
We do not use advertising networks, social media tracking pixels, or analytics sub-processors.
To be notified of sub-processor changes, email [email protected] with subject "Sub-processor notification request".
Enterprise and Team customers requiring a signed Data Processing Agreement (DPA) under GDPR Article 28 can request one by contacting us. Our standard DPA covers:
We respond within 2 business days. Standard DPA available immediately; custom terms negotiable for Enterprise.
An independent third-party penetration test is scheduled for H2 2026, prior to the SOC 2 Type I audit. The test will cover:
Results will be summarised in an executive report available to enterprise customers under NDA. Critical and high findings will be remediated before the report is shared.
In the interim, our client-side encryption code is served unminified and can be inspected at any time via browser DevTools. Inspection verifies the code your browser received on that occasion; it does not on its own show that a later build is identical, so we recommend repeating the check after releases. See hexvault.co.uk/security for verification instructions.
In the event of a security incident:
To report a security vulnerability, email [email protected]. We acknowledge within 48 hours. See our responsible disclosure policy for full details.
For security and compliance enquiries:
HexVault Ltd · Registered in England and Wales