# Compliance
SyVault is designed to help organizations meet regulatory and compliance requirements for sensitive credential management. This page summarizes SyVault's alignment with major compliance frameworks and details the controls in place.
## SOC 2 Type II
SyVault's SOC 2 Type II audit covers the following Trust Service Criteria:
| Criteria | Scope |
|---|---|
| Security | Zero-knowledge encryption, TLS 1.3, Argon2id KDF, per-record DEKs, server-side access controls |
| Availability | Multi-region infrastructure, automated failover, 99.9% uptime SLA |
| Confidentiality | AES-256-GCM encryption at rest and in transit, no server-side plaintext access |
| Processing Integrity | AAD-based domain separation prevents cross-record attacks, ECDSA-authenticated sharing |
The audit scope includes the vault infrastructure (API servers, database, key management), access controls (RBAC, SSO, SCIM), and the encryption pipeline. The SOC 2 report is available to Enterprise customers under NDA.
Because SyVault uses zero-knowledge encryption, SOC 2 auditors verified that the server infrastructure cannot access plaintext vault data -- a stronger assurance than typical SaaS applications.
## HIPAA
SyVault supports HIPAA compliance for healthcare organizations that need to manage credentials for systems containing Protected Health Information (PHI).
Key controls:
- Encryption: All vault data is encrypted with AES-256-GCM before it reaches the server. Data at rest in PostgreSQL is encrypted. Data in transit is protected by TLS 1.3.
- Access controls: RBAC with Owner/Admin/Member roles, 2FA enforcement, IP allowlists, and session timeouts.
- Audit logging: Every access and modification event is logged with actor, action, target, timestamp, and IP address. Logs are retained for 90 days, or can be streamed to a SIEM for longer retention.
- Business Associate Agreement (BAA): SyVault offers a BAA on Enterprise plans. Contact sales to execute one.
A BAA is required before using SyVault to manage credentials for systems containing PHI. Do not store PHI directly in SyVault records -- use it only for credential management.
## GDPR
SyVault complies with the General Data Protection Regulation for organizations operating in the European Union:
Data Processing:
- SyVault acts as a Data Processor on behalf of your organization (the Data Controller).
- A Data Processing Agreement (DPA) is available on Business and Enterprise plans.
Right to Erasure (Article 17):
- Users can delete individual records or their entire vault at any time. Deletion is permanent and propagates to all server-side storage within 24 hours.
- Organization owners can delete the entire organization, which removes all member associations, shared folders, audit logs, and encrypted data after a 72-hour cooling-off period.
Right to Data Portability (Article 20):
- Users can export their vault data in encrypted JSON or (if policies allow) plaintext CSV format.
Data Minimization:
- SyVault collects only the minimum data necessary: email address, encrypted vault data, KDF parameters, and wrapped key material. No analytics tracking, no telemetry, no third-party cookies in the vault application.
Data Location:
- By default, all data is stored in US-based infrastructure (AWS us-east-1).
- Enterprise plans can select EU (eu-west-1) or Australia (ap-southeast-2) as the primary data region.
- Data does not leave the selected region.
## CCPA
For California-based users and organizations, SyVault complies with the California Consumer Privacy Act:
- Right to Know: Users can request a summary of all personal data SyVault holds (email, account metadata, encrypted vault data).
- Right to Delete: Users can delete their account and all associated data.
- No Sale of Personal Data: SyVault does not sell, share, or monetize user data in any form.
## Encryption Summary
| Layer | Algorithm | Notes |
|---|---|---|
| At rest (vault data) | AES-256-GCM | Per-record DEKs, client-side encryption |
| At rest (database) | AES-256 (AWS EBS encryption) | Transparent disk encryption |
| In transit | TLS 1.3 | Minimum TLS 1.2, TLS 1.3 preferred |
| Key derivation | Argon2id (64 MiB, 3 iter, 4 lanes) | Password to Master Key |
| Key separation | HKDF-SHA256 | Domain-separated auth and encryption keys |
| Key exchange (sharing) | ECDH P-256 + HKDF | Ephemeral keypairs for forward secrecy |
| Signatures | ECDSA P-256 | Authenticated sharing envelopes |
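The table above, together with the "AAD-based domain separation prevents cross-record attacks" line in the SOC 2 table, describes a client-side key hierarchy: a password-derived Master Key, HKDF-SHA256 splitting it into separate auth and encryption keys, and a per-record DEK used with AES-256-GCM. The following is an added illustration of that design written for this page; it is not SyVault's code and does not reflect its actual wire formats. The Argon2id step is represented by a fixed, constructed 32-byte value (a real Argon2id call with the page's parameters needs a third-party library); the HKDF `info` labels, the AAD layout (`record:<org>:<record-id>`), and the envelope field names are all assumptions. It shows why binding the record identity into the AAD matters: a ciphertext copied from one record slot into another fails authentication instead of decrypting under the wrong identity.

```python
"""Illustrative client-side key hierarchy (added example, not SyVault's code).

Requires the `cryptography` package. All labels, field names and sample
values below are constructed for this example.
"""
import os

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
from cryptography.hazmat.primitives.kdf.hkdf import HKDF

# Constructed stand-in for the Argon2id(64 MiB, 3 iter, 4 lanes) output that
# the page describes as "Password to Master Key". A fixed value is used so the
# example runs without a third-party Argon2 implementation.
MASTER_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)


def derive_subkeys(master_key: bytes) -> tuple[bytes, bytes]:
    """HKDF-SHA256 domain separation: one key for authenticating to the
    server, a different key for encrypting vault data. The server only ever
    sees the auth key, never the encryption key. Info labels are assumptions."""

    def expand(info: bytes) -> bytes:
        return HKDF(algorithm=hashes.SHA256(), length=32, salt=None, info=info).derive(master_key)

    return expand(b"example/auth-key"), expand(b"example/encryption-key")


def record_aad(org_id: str, record_id: str) -> bytes:
    """Constructed AAD layout binding a ciphertext to the record it belongs to."""
    return f"record:{org_id}:{record_id}".encode()


def encrypt_record(kek: bytes, org_id: str, record_id: str, plaintext: bytes) -> dict:
    """Encrypt one record with a fresh per-record DEK, then wrap the DEK with
    the user's encryption key (KEK). Both AEAD calls carry the record AAD."""
    aad = record_aad(org_id, record_id)
    dek = AESGCM.generate_key(bit_length=256)          # per-record DEK
    nonce = os.urandom(12)
    ciphertext = AESGCM(dek).encrypt(nonce, plaintext, aad)
    wrap_nonce = os.urandom(12)
    wrapped_dek = AESGCM(kek).encrypt(wrap_nonce, dek, aad)
    return {
        "record_id": record_id,
        "nonce": nonce,
        "ciphertext": ciphertext,
        "wrap_nonce": wrap_nonce,
        "wrapped_dek": wrapped_dek,
    }


def decrypt_record(kek: bytes, org_id: str, record_id: str, envelope: dict) -> bytes:
    """Unwrap the DEK and decrypt. The AAD is recomputed from the identity the
    client *expects*, not copied from the envelope, so a mislabelled envelope
    raises InvalidTag rather than yielding plaintext under the wrong record."""
    aad = record_aad(org_id, record_id)
    dek = AESGCM(kek).decrypt(envelope["wrap_nonce"], envelope["wrapped_dek"], aad)
    return AESGCM(dek).decrypt(envelope["nonce"], envelope["ciphertext"], aad)


def cross_record_swap_is_rejected(kek: bytes, org_id: str) -> bool:
    """Check the domain-separation property: an envelope written for rec-A
    cannot be opened as rec-B even though the same KEK is used for both."""
    envelope_a = encrypt_record(kek, org_id, "rec-A", b"db-password: constructed-sample")
    try:
        decrypt_record(kek, org_id, "rec-B", envelope_a)   # envelope relabelled as rec-B
    except InvalidTag:
        return True
    return False


if __name__ == "__main__":
    auth_key, enc_key = derive_subkeys(MASTER_KEY)
    env = encrypt_record(enc_key, "org-1", "rec-1", b"api-token: constructed-sample")
    print("round trip ok:", decrypt_record(enc_key, "org-1", "rec-1", env))
    print("cross-record swap rejected:", cross_record_swap_is_rejected(enc_key, "org-1"))
```

Two design points worth noting for a reviewer: the auth key and encryption key come from the same Master Key but through different HKDF `info` values, so compromising the server-visible auth key reveals nothing about the encryption key; and the AAD is derived from the record identity the client already knows, not read back from server-supplied data, which is what makes the swap check meaningful.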
## Penetration Testing
SyVault undergoes annual third-party penetration testing covering the API surface, web application, browser extension, and mobile clients. The most recent assessment found no critical or high-severity vulnerabilities. Summary reports are available to Enterprise customers.
If your compliance team needs documentation beyond what is listed here -- audit reports, architecture diagrams, or completed questionnaires (SIG, CAIQ, HECVAT) -- contact security@syvault.com.