PassCryp is engineered around a single principle: we should never be able to read your data, even if compelled by a third party.
Vault content is encrypted in your browser with AES-256-GCM using a unique 96-bit IV per item. The Data Encryption Key (DEK) is wrapped by a Key Encryption Key derived from your master password using Argon2id (memory-hard, ≥64 MB, ≥3 iterations). Only ciphertext, IVs and titles ever leave your device.
Your master password is never transmitted, logged, or stored — not on our servers, not on disk on your device. It exists only in your browser's memory while your vault is unlocked, and is cleared on lock or sign-out. We cannot reset it for you; that's why we offer a downloadable Recovery Kit.
Application served from Cloudflare's edge network (TLS 1.3). Data stored in managed Postgres (Supabase) with daily encrypted backups and EU primary residency. Production access is limited to a small on-call team using hardware-key MFA, every privileged action is recorded in an immutable audit log, and access is reviewed quarterly.
We monitor for anomalous sign-ins, failed crypto verifications and infrastructure events. If a confirmed breach affects your data, we will notify you within 72 hours of confirmation, in line with GDPR Article 33, with the facts, the likely impact and the steps you should take.
Found a vulnerability? Email security@passcryp.com (PGP key on request). We acknowledge within 48 hours, will not pursue good-faith researchers, and credit reporters who request it. Out-of-scope: spam, social engineering of staff, denial of service.