There is nothing more important to us than keeping your data secure. If you have any questions regarding security please contact us at security@truevault.com. For urgent matters, please call us at 949.777.6774 (it will reach someone on our security team directly).

Communication Protocol

All communication with TrueVault goes through HTTPS. In fact, our API is only available on port 443 via HTTPS and our public websites force HTTPS with HSTS.

Encryption/Decryption

All records are encrypted with 256-bit AES encryption keys as soon as they enter TrueVault’s infrastructure. Every record is encrypted with a unique initialization vector by a unique encryption key to achieve semantic security. TrueVault verifies each record’s integrity on a regular basis and on each record request using a hash-based authentication code (HMAC) calculated using its own unique 256-bit HMAC key. Encryption keys, initialization vectors and HMAC keys are re-keyed and each record re-encrypted on a regular basis.

Network Security and Subsystems

Multiple subsystems combine to power TrueVault. Each subsystem is totally and completely segmented from one another by software and network security rules to maximize protection. TrueVault does not store encrypted records and their encryption keys in the same server cluster. Each subsystem can only be accessed by another subsystem via specific network routes and specific inbound and outbound port rules.

We want to specifically point out the division of responsibilities of our core subsystems:

The API Subsystem - This subsystem handles all incoming HTTPS API requests. As soon as a request comes in, the incoming record is transmitted to the Encryption Subsystem without the record ever leaving the secure memory space. Records are never persisted to disk at any time.

The Encryption Subsystem - This subsystem handles all record encryption and decryption. This cluster of servers requests keys from the Key Management Subsystem and encrypts each record with a unique Initialization Vector, calculates the record’s HMAC, then sends the encrypted binary to the Encrypted File Storage Subsystem. It is critical to note the encryption and decryption keys are never stored in this subsystem and are immediately released from memory as soon as possible. Additionally, this subsystem receives the record without any knowledge of its context, account, or meta data.

The Key Management Subsystem - This subsystem stores the encryption keys, initialization vectors, and HMAC keys for all records in TrueVault. This cluster of servers has no knowledge of how the keys are used. No identifiable information of the records will enter this system.

The Encrypted File Storage Subsystem - This subsystem is used to store encrypted BLOBs. This cluster also has no knowledge of what is being stored. All BLOBs are distributed to at least 3 nodes to ensure high availability.

TrueVault takes pride in engineering a platform that is governed by the highest security standards. We never take shortcuts and we never accept “good enough.”

Disclosure

We aggressively investigate all reported security issues. If you believe you've discovered a bug in TrueVault’s security, please get in touch at security@truevault.com. We guarantee a (non-automated) response within 24 hours, and usually faster. We request that you not publicly disclose the issue until it has been addressed by TrueVault.