Security at Envshed
We take the security of your secrets seriously. Here's how we protect your data at every layer.
Encryption
- AES-256-GCM encryption at rest for all secret values
- TLS 1.3 encryption for all data in transit
- Encryption keys managed separately from encrypted data
- Unique initialization vector (IV) per secret value
Authentication
- Multi-factor authentication (TOTP) support
- JWT sessions with 24-hour expiration and 30-minute idle timeout
- Account lockout after 5 failed login attempts
- SHA-256 hashed API and service tokens with optional expiration
Audit Logging
- Every read, write, and admin action is logged
- Tamper-proof audit trail with cryptographic hash chaining
- Configurable audit log retention policies
- IP address and user agent tracking for all actions
Infrastructure
- Hosted on Vercel with automatic DDoS protection
- Cloudflare CDN and DNS with WAF protection
- Security headers: HSTS, CSP, X-Frame-Options, and more
- Database access restricted to application servers only
Access Control
- Role-based access control (RBAC) at organization level
- Fine-grained project-level permissions (admin, editor, viewer)
- Per-environment access overrides
- Scoped service tokens for CI/CD with read or read/write permissions
Data Handling
- Full account deletion with data anonymization (GDPR compliant)
- Encrypted database backups with point-in-time recovery
- Secret values are never stored or logged in plaintext
- Configurable data retention policies
Responsible Disclosure
If you discover a security vulnerability, please report it responsibly. We appreciate your efforts in keeping Envshed and our users safe. Please do not disclose the issue publicly until we have had the chance to address it.
Last updated: February 2026