Security Architecture

Complete transparency on how we protect your files

← Back to Home

Encryption Model

Encryption at Rest

Every file stored in SBVault is encrypted at rest with industry-standard 256-bit encryption. Each file is protected by a unique per-file key, and those per-file keys are themselves protected under a separate master key — so a compromise of any single key cannot expose your library. All ciphertext is integrity-protected against tampering.

Encrypted files are stored with a US-based enterprise cloud object-storage provider under private access controls. The named provider is part of our subprocessor record — available on request via compliance@sbvault.app.

Important Disclosure: Your regular folders use server-side encryption, not zero-knowledge encryption. This means:
  • SBVault engineers can technically access your files if required
  • We can reset your password and restore access to your account
  • Files are encrypted on our servers, but we hold the encryption keys

For genuinely sensitive content, see Private Vault below — that's the zero-knowledge option.

Private Vault (zero-knowledge encryption, Pro+)

A Private Vault is a special folder where files are encrypted in your browser with a key derived from a passphrase only you know. The server stores opaque ciphertext and cannot decrypt, scan, thumbnail, or share any file inside. Available on Pro plans and above.

Encryption: Industry-standard 256-bit authenticated encryption performed in your browser; the server only ever sees ciphertext.
Key derivation: Your master key is derived from your passphrase using a modern, memory-hard key-derivation algorithm tuned to current cryptographic recommendations.
Recovery: Vault creation generates a one-time recovery phrase, displayed once on your device, that can re-derive your master key if you ever forget your passphrase. There is no server-side reset. If you lose both the passphrase and the recovery phrase, the files are unrecoverable — by design.
Session: The unwrapped key lives only in your browser's memory and is discarded on inactivity or when you close the tab.
What you give up inside a Private Vault:
  • No server-side thumbnails (your browser renders them after decryption)
  • No virus scanning — files are scanned only by your operating system's antivirus on download. Only put files you have already verified as safe into your Private Vault.
  • No share links — vault files cannot be shared via link
  • No Julie AI access — Julie cannot summarize or answer questions about vault files
  • No password reset can recover your files — if you lose both the passphrase and the recovery phrase, the files are permanently unrecoverable

Encryption in Transit

All connections between your device and our servers use HTTPS with modern TLS (TLS 1.2 minimum, TLS 1.3 preferred). HSTS is enforced.

Infrastructure & Hosting

Server Location

Network Security

Hardened network perimeter with default-deny firewall policy, intrusion detection, abuse-blocking on authentication endpoints, DDoS mitigation, and automated patching. Specific tool selection rotates as the security landscape evolves and is not published here.

Authentication & Access Control

User Authentication

File Sharing

Malware Scanning

Every file uploaded to SBVault is automatically scanned for malware before it is accepted into your vault. Infected files are rejected.

Privacy-preserving design: We use a layered antivirus approach: a local scanning engine on every upload, plus a trusted multi-engine antivirus partner via a one-way hash of the file — the file content itself is never transmitted to that partner for the hash check.

Backup & Disaster Recovery

Automated Backups

Recovery SLA

Security Monitoring

Continuous infrastructure and application monitoring, centralized security logging, file-integrity monitoring, automated vulnerability scanning, and detailed access logs for all file operations (IP, timestamp, action). Alerts route to on-call security review. Specific tool selection is rotated as the security landscape evolves and is not published here.

Access to Your Data

Who Can Access Your Files?

Honest Disclosure:
  • You: Full access through your account
  • SBVault Engineers: Technical access to non-vault files for maintenance/support (encrypted at rest, but keys are server-side). No access to Private Vault files — those are encrypted client-side and we do not hold the keys
  • AI model provider (Julie subprocessor category): Processes the message text you send to Julie + any file content you explicitly ask her to read in non-vault folders. Our AI partner's API terms commit that API inputs are not used to train their models. No access to Private Vault files. Named provider available on request via compliance@sbvault.app
  • Law Enforcement: We may be required to provide access under valid legal process (subpoena, warrant). For Private Vault files we can produce only the ciphertext — we have no means to decrypt
  • Third Parties: No access — we never sell or share your data

What We DON'T Do

Incident Response & Breach Notification

Our commitment: If we confirm a personal-data breach that affects your account, we will notify you without undue delay and no later than 72 hours after confirmation, in line with GDPR Article 33 and U.S. state breach-notification laws. The notice will describe what we know, what we don't yet know, and what we are doing about it.

Our practices for handling security incidents include automated detection and alerting, immediate isolation of affected systems, forensic investigation to determine scope, prompt user notification, and remediation through security patches and improvements. Specific procedural details are deliberately not published — they should not be a roadmap for attackers — but are available on request to compliance@sbvault.app under NDA for enterprise security reviews.

Third-Party Audits

Current Status: We have not yet undergone a third-party security audit. Our practices are aligned with SOC 2 Type II controls — the policies, access controls, change management, monitoring, and incident response described elsewhere on this page are operated to that standard internally. We will discuss scope and timeline for a formal SOC 2 or ISO 27001 report when a customer engagement requires one.

For audit, attestation, or compliance-questionnaire requests, contact compliance@sbvault.app.

Our practices follow:

Contact Security Team

Found a security vulnerability? Please report it responsibly:

Security Email: support@sbvault.app
Response Time: Within 24 hours
Disclosure: Coordinated disclosure after fix is deployed

Last Updated: June 25, 2026