Compliance
Vaulted is not a compliance platform, but its zero-knowledge architecture aligns with the security controls required by major compliance frameworks.
Zero-knowledge by design
Vaulted encrypts every secret in your browser before any data leaves your device. The server stores only ciphertext and metadata. We never see your plaintext, and we have no mechanism to decrypt it. This is not a policy — it is an architectural constraint.
No data to breach
Secrets auto-delete when the view limit is reached or the expiration passes. There are no user accounts, no IP logs, and no analytics on secret content. A complete server compromise yields encrypted blobs with no corresponding keys.
Framework alignment
SOC 2 Type II
SOC 2 requires controls around confidentiality and security of customer data. Vaulted supports this through client-side AES-256-GCM encryption (the server never sees plaintext), automatic deletion on view limit or expiry, and no persistent storage of sensitive data beyond the configured TTL.
- CC6.1 — Encryption of data in transit and at rest
- CC6.7 — Restriction of data transmission to authorized parties
- CC6.5 — Secure disposal of confidential data
HIPAA
HIPAA requires that electronic protected health information (ePHI) be transmitted securely. While Vaulted is not a covered entity, its zero-knowledge architecture means credentials shared via Vaulted are encrypted before leaving the browser. The server never has access to the plaintext, and secrets auto-delete after use.
- §164.312(a)(1) — Access control via view limits and expiration
- §164.312(e)(1) — Transmission security via client-side encryption
- §164.312(c)(1) — Integrity controls via authenticated encryption (GCM)
GDPR
GDPR requires data minimization and purpose limitation for personal data. Vaulted collects no user accounts, no IP logs, and no analytics on secret content. Secrets are automatically deleted on view limit or expiry — there is no long-lived personal data to manage, export, or delete.
- Art. 5(1)(c) — Data minimization: no accounts, no IP logging
- Art. 5(1)(e) — Storage limitation: automatic TTL-based deletion
- Art. 32 — Security of processing: AES-256-GCM encryption
ISO 27001
ISO 27001 Annex A requires cryptographic controls and secure information transfer. Vaulted uses AES-256-GCM (NIST SP 800-38D) with keys that never leave the browser. The zero-knowledge architecture means a complete server compromise yields only encrypted ciphertext.
- A.10.1.1 — Cryptographic controls: AES-256-GCM via Web Crypto API
- A.13.2.1 — Secure information transfer: zero-knowledge architecture
- A.8.3.2 — Disposal of media: automatic secret deletion on expiry
A note on compliance
Compliance depends on your full technology stack and organizational controls — no single tool can make you compliant. Vaulted provides a strong cryptographic foundation for secure credential sharing, but you should evaluate it as part of your broader compliance program. For details on how the encryption works, see the security page.