Security Practices

Last Updated: January 7, 2026

Security is at the core of everything we do. This page outlines our security practices, infrastructure, and commitment to protecting your data.

1. Zero-Knowledge Architecture

Passwall uses a zero-knowledge security model where your data is encrypted and decrypted on your device only. We never have access to your unencrypted data.

  • Your master password never reaches our servers
  • Your encryption keys are never transmitted to us
  • We only store encrypted blobs that we cannot decrypt
  • Even our administrators cannot access your vault

2. Encryption Standards

2.1 Vault Encryption

  • Algorithm: AES-256-CBC with HMAC-SHA256
  • Key Size: 256 bits for encryption + 256 bits for authentication
  • IV Generation: Cryptographically secure random (CSPRNG)
  • Mode: Encrypt-then-MAC for authenticated encryption

2.2 Key Derivation

  • Primary: PBKDF2-SHA256 with 600,000+ iterations
  • Alternative: Argon2id (memory-hard, GPU-resistant)
  • Key Stretching: HKDF-SHA256 for separate encryption/MAC keys
  • Compliance: OWASP 2023 recommendations, NIST SP 800-132
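
The construction listed in 2.1 and 2.2, as an added Node.js example that is not Passwall's own code: PBKDF2-SHA256 stretches the master password, HKDF-SHA256 splits the result into separate encryption and MAC keys, and the HMAC over IV and ciphertext is verified before anything is decrypted. The salt handling, the HKDF labels ("enc", "mac") and the blob layout are assumptions made for illustration.

```javascript
// Added illustration, not Passwall's code. HKDF labels and blob layout are assumptions.
const nodeCrypto = require('node:crypto');

const PBKDF2_ITERATIONS = 600000; // iteration count stated in section 2.2

// Stretch the master password, then expand into two independent 256-bit keys.
function deriveKeys(masterPassword, salt) {
  const master = nodeCrypto.pbkdf2Sync(masterPassword, salt, PBKDF2_ITERATIONS, 32, 'sha256');
  const expand = (label) =>
    Buffer.from(nodeCrypto.hkdfSync('sha256', master, Buffer.alloc(0), label, 32));
  return { encKey: expand('enc'), macKey: expand('mac') }; // hypothetical labels
}

// HMAC-SHA256 over IV || ciphertext, so neither can be altered unnoticed.
function computeTag(macKey, iv, ciphertext) {
  return nodeCrypto.createHmac('sha256', macKey).update(iv).update(ciphertext).digest();
}

// Encrypt-then-MAC: AES-256-CBC with a fresh random IV, then authenticate the result.
function seal(keys, plaintext) {
  const iv = nodeCrypto.randomBytes(16);
  const cipher = nodeCrypto.createCipheriv('aes-256-cbc', keys.encKey, iv);
  const ciphertext = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return { iv, ciphertext, mac: computeTag(keys.macKey, iv, ciphertext) };
}

// Check the MAC in constant time first; decrypt only if it matches.
function unseal(keys, blob) {
  const expected = computeTag(keys.macKey, blob.iv, blob.ciphertext);
  if (blob.mac.length !== expected.length ||
      !nodeCrypto.timingSafeEqual(blob.mac, expected)) {
    throw new Error('MAC check failed');
  }
  const decipher = nodeCrypto.createDecipheriv('aes-256-cbc', keys.encKey, blob.iv);
  return Buffer.concat([decipher.update(blob.ciphertext), decipher.final()]).toString('utf8');
}
```

Rejecting on the MAC before touching the CBC ciphertext means a modified blob never reaches the padding check, which is the reason for the Encrypt-then-MAC ordering.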

2.3 Transport Security

  • TLS 1.3: All communications encrypted in transit
  • HSTS: HTTP Strict Transport Security enabled
  • Certificate Pinning: Implemented in mobile apps
  • Perfect Forward Secrecy: Each session uses unique keys

3. Infrastructure Security

3.1 Cloud Infrastructure

  • Hosting: Enterprise-grade cloud providers with high security standards
  • Data Centers: EU-based with physical security and monitoring
  • Geographic Distribution: EU primary, with global redundancy
  • Encryption at Rest: All data encrypted on disk

3.2 Network Security

  • DDoS protection and rate limiting
  • Web Application Firewall (WAF)
  • Intrusion Detection System (IDS)
  • Regular security scanning and monitoring

3.3 Database Security

  • Encrypted at rest (AES-256)
  • Isolated per-tenant schemas
  • Automated backups with encryption
  • Access restricted to authorized personnel only

4. Application Security

4.1 Secure Development

  • Secure coding practices and code reviews
  • Automated security testing in CI/CD pipeline
  • Dependency scanning for vulnerabilities
  • Regular security training for developers

4.2 Authentication & Access Control

  • Multi-factor authentication (MFA) support
  • Biometric unlock on supported devices
  • Role-based access control (RBAC) for teams
  • Session timeout and auto-lock

4.3 Password Security

  • Password strength meter on creation
  • Breach monitoring (Have I Been Pwned integration)
  • Weak password detection and alerts
  • Password reuse detection

5. Security Audits & Testing

5.1 Security Reviews

  • Regular: Internal security reviews and code audits
  • Continuous: Automated vulnerability scanning
  • Planned: Third-party security audits and penetration testing

5.2 Security Testing

  • Web application security testing (OWASP Top 10)
  • Infrastructure security assessment
  • Automated dependency scanning
  • Code security analysis

5.3 Bug Bounty Program

We run a responsible disclosure program. Security researchers who discover vulnerabilities can report them confidentially:

  • Email: security@passwall.io
  • PGP Key: Available on request
  • Response Time: Within 24 hours
  • Rewards: Based on severity (up to $10,000)

6. Incident Response

We have a comprehensive incident response plan:

6.1 Detection

  • 24/7 security monitoring and alerting
  • Automated anomaly detection
  • User-reported issues

6.2 Response

  • Immediate investigation by security team
  • Containment and remediation
  • User notification if affected
  • Root cause analysis and prevention

6.3 Communication

In the event of a security incident:

  • Affected users notified within 72 hours
  • Public disclosure via blog and status page
  • Regular updates until resolved
  • Post-mortem published after resolution

7. Employee Security

7.1 Access Controls

  • Principle of least privilege (minimal access)
  • MFA required for all employee accounts
  • Regular access reviews and audits
  • Immediate revocation upon employee departure

7.2 Training

  • Security awareness training for all employees
  • Specialized training for engineering team
  • Regular phishing simulation exercises

8. Physical Security

  • Data centers with 24/7 physical security
  • Biometric access controls
  • Video surveillance
  • Environmental controls (fire, flood, temperature)

9. Business Continuity

9.1 Backup and Recovery

  • Automated daily backups
  • Geographically distributed backup storage
  • Regular disaster recovery testing
  • 99.9% uptime SLA for paid plans

9.2 High Availability

  • Multi-region deployment
  • Load balancing and auto-scaling
  • Automatic failover
  • Real-time monitoring and alerting

10. Reporting Security Issues

Found a security vulnerability? We appreciate responsible disclosure:

Contact Security Team

  • Email: security@passwall.io
  • Response Time: Within 24 hours
  • Disclosure: Please allow us to fix before public disclosure
  • Recognition: Hall of Fame for responsible researchers

Please do not:

  • Access or modify other users' data
  • Perform destructive testing (DoS attacks, data deletion)
  • Publicly disclose vulnerabilities before we fix them