Security architecture

CifraVault is built on a zero-trust security model. Every secret is encrypted at rest and in transit with defence-in-depth controls at every layer.

Zero-Plaintext Architecture

Secret content is never stored in plaintext. Encryption happens before persistence, and decryption happens only at the moment of authorised reveal.
AES-256-GCM Envelope Encryption
Each secret is encrypted with a unique data encryption key (DEK). The DEK itself is encrypted by an AWS KMS master key, creating a two-layer envelope.
AWS Key Management Service
Master keys are managed by AWS KMS within the European Union. Keys never leave the KMS boundary. CifraVault has no access to raw key material.
Automatic Destruction
Secrets are permanently deleted after expiry or burn-after-read reveal. No residual data remains in the database or storage layer.
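
The two-layer envelope described under "AES-256-GCM Envelope Encryption", as an added example that is not CifraVault's code. LocalKms is a hypothetical in-process stand-in for AWS KMS; the record layout, the function names and the use of the secret ID as GCM associated data are assumptions of the example.

```ruby
require 'openssl'

# AES-256-GCM seal: returns nonce (12 bytes) || tag (16 bytes) || ciphertext.
def seal(key, plaintext, aad)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  cipher.key = key
  nonce = cipher.random_iv # fresh 96-bit nonce for every encryption
  cipher.auth_data = aad
  ciphertext = cipher.update(plaintext) + cipher.final
  nonce + cipher.auth_tag + ciphertext
end

# Reverse of seal; raises OpenSSL::Cipher::CipherError if key, data or aad differ.
def unseal(key, box, aad)
  raise ArgumentError, 'sealed box too short' if box.bytesize <= 28
  cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  cipher.key = key
  cipher.iv = box.byteslice(0, 12)
  cipher.auth_tag = box.byteslice(12, 16)
  cipher.auth_data = aad
  cipher.update(box.byteslice(28..-1)) + cipher.final
end

# Stand-in for AWS KMS (hypothetical): the master key stays inside this object.
class LocalKms
  def initialize
    @master = OpenSSL::Random.random_bytes(32)
  end

  def wrap(dek, context)
    seal(@master, dek, context)
  end

  def unwrap(wrapped, context)
    unseal(@master, wrapped, context)
  end
end

# Layer 1: a unique DEK encrypts the secret. Layer 2: the KMS key wraps the DEK.
def store_secret(kms, id, secret)
  dek = OpenSSL::Random.random_bytes(32)
  { id: id, ciphertext: seal(dek, secret, id), wrapped_dek: kms.wrap(dek, id) }
end

# Reveal: unwrap the DEK, then decrypt; id as AAD on both layers is an assumption.
def reveal_secret(kms, record)
  dek = kms.unwrap(record[:wrapped_dek], record[:id])
  unseal(dek, record[:ciphertext], record[:id]).force_encoding('UTF-8')
end
```

Because the secret ID is authenticated on both layers, a wrapped DEK copied from one stored record into another fails to unwrap rather than decrypting under the wrong identity.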

Access Verification

Every secret reveal requires explicit verification. Choose from multiple OTP channels to match your security requirements.
Multi-Channel OTP
Email, SMS, and TOTP authenticator app. Each channel is independently verified and configurable per secret.
Rate Limiting & Brute Force Protection
Per-plan rate limits, OTP attempt counters, and automatic lockout after failed verification attempts.
One-Time Reveal
Burn-after-read secrets are cryptographically destroyed after the first successful reveal. The link becomes permanently invalid.

Audit & Compliance

Every operation generates an immutable audit record. Full traceability from creation to destruction.
Immutable Audit Trail
Request ID, timestamp, actor identity, action, and outcome are recorded for every operation. Logs cannot be modified or deleted during the retention period.
EU Data Residency
All data is stored within the European Union. Secrets, encryption keys, and audit logs never leave Europe.
Plan-Based Retention
Audit log retention scales with your plan — from 7 days (Starter) to 365 days (Enterprise). Logs are cleaned up automatically after the retention period.

What we do and don't claim

AES-256-GCM envelope encryption with AWS KMS
Zero-plaintext storage architecture
Immutable audit logging
OTP verification (email, SMS, TOTP)
EU data residency
API-first design with key authentication
Burn-after-read with automatic destruction
SOC 2 or ISO 27001 certification: Not claimed
Client-side or zero-knowledge encryption: Not claimed
Guaranteed SLA numbers: Not claimed