[{"data":1,"prerenderedAt":92},["ShallowReactive",2],{"security":3},{"id":4,"title":5,"body":6,"description":7,"extension":8,"meta":9,"navigation":10,"path":12,"sections":13,"seo":62,"stem":65,"transparency":66,"__hash__":91},"security\u002F3.security.yml","Security architecture",null,"CifraVault is built on a zero-trust security model. Every secret is encrypted at rest and in transit with defence-in-depth controls at every layer.","yml",{},{"icon":11},"i-lucide-shield","\u002Fsecurity",[14,30,46],{"title":15,"description":16,"features":17},"Zero-Plaintext Architecture","Secret content is never stored in plaintext. Encryption happens before persistence, and decryption happens only at the moment of authorised reveal.",[18,22,26],{"name":19,"description":20,"icon":21},"AES-256-GCM Envelope Encryption","Each secret is encrypted with a unique data encryption key (DEK). The DEK itself is encrypted by an AWS KMS master key, creating a two-layer envelope.","i-lucide-lock-keyhole",{"name":23,"description":24,"icon":25},"AWS Key Management Service","Master keys are managed by AWS KMS within the European Union. Keys never leave the KMS boundary. CifraVault has no access to raw key material.","i-lucide-key-round",{"name":27,"description":28,"icon":29},"Automatic Destruction","Secrets are permanently deleted after expiry or burn-after-read reveal. No residual data remains in the database or storage layer.","i-lucide-trash-2",{"title":31,"description":32,"features":33},"Access Verification","Every secret reveal requires explicit verification. Choose from multiple OTP channels to match your security requirements.",[34,38,42],{"name":35,"description":36,"icon":37},"Multi-Channel OTP","Email, SMS, and TOTP authenticator app. Each channel independently verified. 
Configurable per secret.","i-lucide-shield-check",{"name":39,"description":40,"icon":41},"Rate Limiting & Brute Force Protection","Per-plan rate limits, OTP attempt counters, and automatic lockout after failed verification attempts.","i-lucide-shield-alert",{"name":43,"description":44,"icon":45},"One-Time Reveal","Burn-after-read secrets are permanently deleted after the first successful (OTP-verified) reveal. The link becomes permanently invalid and cannot be reused.","i-lucide-flame",{"title":47,"description":48,"features":49},"Audit & Compliance","Every operation generates an immutable audit record. Full traceability from creation to destruction.",[50,54,58],{"name":51,"description":52,"icon":53},"Immutable Audit Trail","Request ID, timestamp, actor identity, action, and outcome are recorded for every operation. Logs cannot be modified or deleted during the retention period.","i-lucide-scroll-text",{"name":55,"description":56,"icon":57},"EU Data Residency","All data is stored within the European Union. Secrets, encryption keys, and audit logs never leave the EU.","i-lucide-map-pin",{"name":59,"description":60,"icon":61},"Plan-Based Retention","Audit log retention scales with your plan — from 7 days (Starter) to 365 days (Enterprise). 
Audit logs are automatically deleted once the retention period ends.","i-lucide-calendar-clock",{"title":63,"description":64},"Security","Zero-trust architecture with AES-256-GCM envelope encryption, AWS KMS key management, immutable audit trail, and EU data residency.","3.security",{"title":67,"claims":68},"What we do and don't claim",[69,72,74,76,78,80,82,84,87,89],{"label":70,"status":71},"AES-256-GCM envelope encryption with AWS KMS","verified",{"label":73,"status":71},"Zero-plaintext storage architecture",{"label":75,"status":71},"Immutable audit logging",{"label":77,"status":71},"OTP verification (email, SMS, TOTP)",{"label":79,"status":71},"EU data residency",{"label":81,"status":71},"API-first design with key authentication",{"label":83,"status":71},"Burn-after-read with automatic destruction",{"label":85,"status":86},"SOC 2 or ISO 27001 certification","not-claimed",{"label":88,"status":86},"Client-side or zero-knowledge encryption",{"label":90,"status":86},"Guaranteed SLA numbers","vekt9oe3OWenqUjrgBs9RV4H3qwlkWjo5wRaAFnUsIE",1775813738977]