Trust Center

Every claim PassCryp makes about security is verifiable. This page links the artifacts that back the claims: security whitepaper, sub-processors list, GDPR and DPA documentation, incident history, and our roadmap toward third-party audits.

Published security whitepaper

Full architecture, key derivation parameters, encryption modes, threat model, and known limitations.

Sub-processors list

Every third-party service that processes customer data, with purpose, region, and DPA status.

GDPR + DPA ready

Data Processing Addendum available on Premium and Pro. EU data residency on Pro.

SOC2 Type II in progress

Control set in place, formal audit scheduled for late 2026. Bridge letters on request.

Incident history (or lack of it)

PassCryp has never had a customer-data breach. We'll post incidents publicly within 72 hours if anything changes.

What we publish today

Security whitepaper: full key-derivation parameters (Argon2id with 64 MB memory, 3 iterations, parallelism 1), encryption mode (AES-256-GCM with fresh 96-bit nonces), zero-knowledge architecture, threat model, and explicit known limitations. PDF downloadable from the security page.
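The parameters listed above, worked through as an added example (this is illustrative code, not PassCryp's own client or vault format, which the whitepaper, not this page, describes): Argon2id with 64 MB memory, 3 iterations and parallelism 1 derives the vault key from the master password on the client, and AES-256-GCM with a fresh random 96-bit nonce per encryption seals the entries. It assumes the argon2-cffi and cryptography Python packages; the blob layout (salt || nonce || ciphertext), the use of the vault id as additional authenticated data, and the fallback to scrypt when argon2-cffi is not installed are this example's own choices, and the fallback does not reproduce the published KDF.

```python
import os
import hashlib
from typing import Optional

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

try:
    from argon2.low_level import hash_secret_raw, Type  # argon2-cffi
    HAVE_ARGON2 = True
except ImportError:
    # Fallback only so the rest of the flow can be exercised; scrypt is NOT the
    # KDF the whitepaper specifies and does not reproduce its parameters.
    HAVE_ARGON2 = False

# Key-derivation and cipher parameters as published in the whitepaper summary.
ARGON2_MEMORY_KIB = 64 * 1024  # 64 MB (argon2 takes memory in KiB)
ARGON2_ITERATIONS = 3
ARGON2_PARALLELISM = 1
KEY_LEN = 32      # 256-bit AES key
NONCE_LEN = 12    # 96-bit GCM nonce
SALT_LEN = 16     # per-vault random salt (this example's choice)


def derive_key(master_password: str, salt: bytes) -> bytes:
    """Argon2id(master password, salt) -> 32-byte vault key. Runs client-side."""
    if HAVE_ARGON2:
        return hash_secret_raw(
            secret=master_password.encode("utf-8"),
            salt=salt,
            time_cost=ARGON2_ITERATIONS,
            memory_cost=ARGON2_MEMORY_KIB,
            parallelism=ARGON2_PARALLELISM,
            hash_len=KEY_LEN,
            type=Type.ID,
        )
    return hashlib.scrypt(master_password.encode("utf-8"), salt=salt,
                          n=2 ** 14, r=8, p=1, dklen=KEY_LEN)


def encrypt_vault(master_password: str, plaintext: bytes, vault_id: str) -> bytes:
    """Seal a vault. Blob layout (this example's own): salt || nonce || ciphertext+tag."""
    salt = os.urandom(SALT_LEN)
    key = derive_key(master_password, salt)
    nonce = os.urandom(NONCE_LEN)          # fresh random nonce for every encryption
    aad = vault_id.encode("utf-8")         # authenticated, not encrypted: binds blob to its vault
    ciphertext = AESGCM(key).encrypt(nonce, plaintext, aad)
    return salt + nonce + ciphertext


def unlock_vault(master_password: str, blob: bytes, vault_id: str) -> Optional[bytes]:
    """Open a vault. Returns None if the password is wrong, the blob was altered,
    or it is presented under a different vault id (the GCM tag check fails)."""
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    ciphertext = blob[SALT_LEN + NONCE_LEN:]
    key = derive_key(master_password, salt)
    try:
        return AESGCM(key).decrypt(nonce, ciphertext, vault_id.encode("utf-8"))
    except InvalidTag:
        return None


def nonce_of(blob: bytes) -> bytes:
    """Expose the nonce so nonce freshness across encryptions can be checked."""
    return blob[SALT_LEN:SALT_LEN + NONCE_LEN]


if __name__ == "__main__":
    # Constructed sample entry; nothing here is real account data.
    entry = b'{"site": "example.org", "user": "alice", "password": "s3cr3t"}'
    blob = encrypt_vault("correct horse battery staple", entry, "vault-42")
    print("stored server-side (hex prefix):", blob.hex()[:48], "...")   # ciphertext only
    print("unlocked:", unlock_vault("correct horse battery staple", blob, "vault-42"))
    print("wrong password:", unlock_vault("wrong", blob, "vault-42"))   # None
```

What the server ever receives is the salt, nonce and ciphertext; that is the concrete meaning of the zero-knowledge claim in the FAQ below, and it holds only as long as the master password is strong enough to resist offline guessing at the published Argon2id cost. The two properties a practitioner should check in any such client are the ones the test exercises: a wrong password, a flipped ciphertext byte or a swapped vault id all fail authentication rather than yielding garbage, and two encryptions under the same key never share a nonce.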

Sub-processors list: every third-party service that handles customer data — hosting (Supabase / Cloudflare), email (Resend), payments (Stripe), error monitoring (with redaction), and analytics. Purpose, region, and DPA status for each. Updated within 30 days of any change.

Privacy policy, terms of service, Data Processing Addendum, cookie policy. All in plain language with a translation index if you need legal review.

What's on the compliance roadmap

SOC2 Type II: control set is implemented; readiness assessment complete. Formal audit window opens late 2026 with a Type II report targeted for 2027.

ISO 27001: not on the immediate roadmap. If you require ISO 27001 specifically, 1Password Business or Bitwarden Enterprise are better-positioned today.

Third-party penetration test: one independent pentest per year, results summarized publicly. First report published with the SOC2 Type II.

Incident response posture

Public commitment: any customer-data incident is disclosed within 72 hours of confirmation, with affected scope, root cause, and remediation steps. Status page captures uptime and degraded-service incidents in real time.

Internal posture: on-call rotation, runbooks for the top 20 failure modes, automated alerting for anomalous query patterns, weekly tabletop exercises for the leadership team.

Vulnerability disclosure: security@passcryp.com is monitored 24/7. We acknowledge reports within 24 hours and ship critical fixes within 7 days.

Frequently asked questions

Has PassCryp ever had a breach?

No. Zero-knowledge architecture means a database breach would expose ciphertext only — but we have not had one to begin with.

Are you SOC2 certified?

SOC2 Type II audit is scheduled for late 2026. Control set is implemented today; bridge letters available on request.

Where is my data hosted?

Supabase-managed Postgres on AWS (EU and US regions). EU data residency available on Pro. Cloudflare for CDN and edge compute.

Do you have a DPA?

Yes — included with Premium and Pro. Standard GDPR-compliant Data Processing Addendum, downloadable from the DPA page.

How do I report a security issue?

Email security@passcryp.com. We acknowledge within 24 hours and ship critical fixes within 7 days.

Can I get a copy of your pentest report?

First independent pentest is bundled with the SOC2 Type II rollout in 2026. Earlier informal assessments are available under NDA on request.
