Every file stored in SBVault is encrypted at rest with industry-standard 256-bit encryption. Each file is protected by a unique per-file key, and those per-file keys are themselves protected under a separate master key — so a compromise of any single key cannot expose your library. All ciphertext is integrity-protected against tampering.
Encrypted files are stored with a US-based enterprise cloud object-storage provider under private access controls. The named provider is part of our subprocessor record — available on request via compliance@sbvault.app.
Important Disclosure: Your regular folders use server-side encryption, not zero-knowledge encryption. This means:
SBVault engineers can technically access your files if required
We can reset your password and restore access to your account
Files are encrypted on our servers, but we hold the encryption keys
For genuinely sensitive content, see Private Vault below — that's the zero-knowledge option.
Private Vault (zero-knowledge encryption, Pro+)
A Private Vault is a special folder where files are encrypted in your browser with a key derived from a passphrase only you know. The server stores opaque ciphertext and cannot decrypt, scan, thumbnail, or share any file inside. Available on Pro plans and above.
• Encryption: Industry-standard 256-bit authenticated encryption performed in your browser; the server only ever sees ciphertext.
• Key derivation: Your master key is derived from your passphrase using a modern, memory-hard key-derivation algorithm tuned to current cryptographic recommendations.
• Recovery: Vault creation generates a one-time recovery phrase, displayed once on your device, that can re-derive your master key if you ever forget your passphrase. There is no server-side reset. If you lose both the passphrase and the recovery phrase, the files are unrecoverable — by design.
• Session: The unwrapped key lives only in your browser's memory and is discarded on inactivity or when you close the tab.
What you give up inside a Private Vault:
No server-side thumbnails (your browser renders them after decryption)
No virus scanning — files are scanned only by your operating system's antivirus on download. Only put files you have already verified as safe into your Private Vault.
No share links — vault files cannot be shared via link
No Julie AI access — Julie cannot summarize or answer questions about vault files
No password reset can recover your files — if you lose both the passphrase and the recovery phrase, the files are permanently unrecoverable
Encryption in Transit
All connections between your device and our servers use HTTPS with modern TLS (TLS 1.2 minimum, TLS 1.3 preferred). HSTS is enforced.
Infrastructure & Hosting
Server Location
Provider: Enterprise-grade US-based cloud infrastructure provider (also listed on the Privacy page as a subprocessor category). Named provider available on request via compliance@sbvault.app
Location: United States data centers (East-coast region)
Jurisdiction: Subject to U.S. data protection laws
Provider compliance: Our infrastructure provider maintains SOC 2 Type II and ISO 27001 attestations for the underlying platform
Network Security
Hardened network perimeter with default-deny firewall policy, intrusion detection, abuse-blocking on authentication endpoints, DDoS mitigation, and automated patching. Specific tool selection rotates as the security landscape evolves and is not published here.
Authentication & Access Control
User Authentication
Password Hashing: Industry-standard slow, salted password-hashing algorithm with per-user salt
Session Management: Short-lived access tokens with rotating refresh tokens
Inactivity Timeout: Inactive sessions are signed out automatically
Two-Factor Authentication: Available for administrator accounts
File Sharing
Share Links: Cryptographically secure random tokens
Password Protection: Optional password for shared links
Expiration: Links can be set to expire
Revocation: Links can be revoked anytime
Malware Scanning
Every file uploaded to SBVault is automatically scanned for malware before it is accepted into your vault. Infected files are rejected.
Privacy-preserving design: We use a layered antivirus approach: a local scanning engine on every upload, plus a trusted multi-engine antivirus partner via a one-way hash of the file — the file content itself is never transmitted to that partner for the hash check.
Backup & Disaster Recovery
Automated Backups
Frequency: Daily automated backups of file storage and database
Retention: Rolling retention with periodic long-term snapshots, sized to support disaster recovery
Encryption: Backups inherit the same at-rest encryption as live storage
Recovery SLA
Data Recovery: Up to 24-hour recovery window
Uptime Target: 99.9% monthly uptime
Incident Response: 1-hour response time for critical issues
Security Monitoring
Continuous infrastructure and application monitoring, centralized security logging, file-integrity monitoring, automated vulnerability scanning, and detailed access logs for all file operations (IP, timestamp, action). Alerts route to on-call security review. Specific tool selection is rotated as the security landscape evolves and is not published here.
Access to Your Data
Who Can Access Your Files?
Honest Disclosure:
You: Full access through your account
SBVault Engineers: Technical access to non-vault files for maintenance/support (encrypted at rest, but keys are server-side). No access to Private Vault files — those are encrypted client-side and we do not hold the keys
AI model provider (Julie subprocessor category): Processes the message text you send to Julie + any file content you explicitly ask her to read in non-vault folders. Our AI partner's API terms commit that API inputs are not used to train their models. No access to Private Vault files. Named provider available on request via compliance@sbvault.app
Law Enforcement: We may be required to provide access under valid legal process (subpoena, warrant). For Private Vault files we can produce only the ciphertext — we have no means to decrypt
Third Parties: No access — we never sell or share your data
What We DON'T Do
We never sell your data
We never scan files for advertising purposes
We never share data with third parties (except as legally required)
We never use your files to train any AI model — neither ours nor our AI partner's. Our AI partner's API terms commit to the same.
Incident Response & Breach Notification
Our commitment: If we confirm a personal-data breach that affects your account, we will notify you without undue delay and no later than 72 hours after confirmation, in line with GDPR Article 33 and U.S. state breach-notification laws. The notice will describe what we know, what we don't yet know, and what we are doing about it.
Our practices for handling security incidents include automated detection and alerting, immediate isolation of affected systems, forensic investigation to determine scope, prompt user notification, and remediation through security patches and improvements. Specific procedural details are deliberately not published — they should not be a roadmap for attackers — but are available on request to compliance@sbvault.app under NDA for enterprise security reviews.
Third-Party Audits
Current Status: We have not yet undergone a third-party security audit. Our practices are aligned with SOC 2 Type II controls — the policies, access controls, change management, monitoring, and incident response described elsewhere on this page are operated to that standard internally. We will discuss scope and timeline for a formal SOC 2 or ISO 27001 report when a customer engagement requires one.
For audit, attestation, or compliance-questionnaire requests, contact compliance@sbvault.app.
Our practices follow:
GDPR — alignment with the principles in Articles 5, 6, 13, 32, 33
CCPA / CPRA — disclosures and consumer rights for California residents
PCI DSS — payment-card data is handled exclusively by our payment processor (PCI Level 1)
Contact Security Team
Found a security vulnerability? Please report it responsibly:
Security Email:support@sbvault.app Response Time: Within 24 hours Disclosure: Coordinated disclosure after fix is deployed