Security Architecture

Enterprise-grade controls across every surface. Encryption you can explain to auditors and engineers alike.

Core Security Principles

Zero-Knowledge

All sensitive payloads are encrypted before they reach storage. We retain ciphertext only — never plaintext in databases, backups, or routine logs.

Ephemeral by Default

One-time secrets are destroyed after viewing by design. That reduces dwell time and limits blast radius if a link leaks.

Defense in Depth

TLS for transport, AES-256-GCM at rest, rate limiting, optional IP gates, structured audit logs, and role boundaries for teams.

Uniform Encryption

The same AEAD primitive protects ephemeral secrets, password vault entries, API vault values, and document payloads — one consistent story for compliance reviews.

Encryption

AES-256-GCM

Authenticated encryption: confidentiality plus integrity. Tampering fails decryption — the same mode trusted for regulated workloads worldwide.

Unique Nonces

Each operation uses a fresh nonce from a CSPRNG so ciphertexts are unlinkable even when plaintext repeats.
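
The two properties claimed above (fresh nonces make repeated plaintexts unlinkable, and tampering fails decryption), shown as an added example using the Python `cryptography` package; it is not this service's code. The `nonce || ciphertext || tag` layout, the helper names, the sample key and values, and the binding of the plaintext entry name as associated data are assumptions made for illustration.

```python
import os
from typing import Optional

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

NONCE_LEN = 12  # 96-bit nonce, the size GCM is designed around
TAG_LEN = 16    # GCM authentication tag appended by encrypt()


def seal(key: bytes, plaintext: bytes, entry_name: str) -> bytes:
    """Encrypt one value; returns nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)  # fresh CSPRNG nonce for every operation
    # Assumption: the entry name, stored unencrypted for search, is bound as
    # associated data so it is authenticated even though it is not secret.
    return nonce + AESGCM(key).encrypt(nonce, plaintext, entry_name.encode())


def open_sealed(key: bytes, blob: bytes, entry_name: str) -> Optional[bytes]:
    """Decrypt and verify; returns None when authentication fails."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None  # truncated record: cannot contain nonce and tag
    nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
    try:
        return AESGCM(key).decrypt(nonce, body, entry_name.encode())
    except InvalidTag:
        return None


def demo() -> dict:
    """Run the checks on constructed sample data."""
    key = AESGCM.generate_key(bit_length=256)  # constructed sample key
    secret = b"db-password-123"                # constructed sample plaintext
    a = seal(key, secret, "prod/db")
    b = seal(key, secret, "prod/db")           # same plaintext, new nonce
    tampered = bytearray(a)
    tampered[NONCE_LEN] ^= 0x01                # flip one ciphertext bit
    return {
        "roundtrip": open_sealed(key, a, "prod/db") == secret,
        "unlinkable": a != b and a[:NONCE_LEN] != b[:NONCE_LEN],
        "tamper_rejected": open_sealed(key, bytes(tampered), "prod/db") is None,
        "moved_entry_rejected": open_sealed(key, a, "staging/db") is None,
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

Without associated data, a ciphertext copied under a different plaintext name would still decrypt, which matters wherever names or tags are stored unencrypted alongside the value.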

In Transit

Modern TLS between clients and our edge. Combined with app-layer encryption, data stays protected end-to-end for your threat model.

What We Encrypt

One-Time Secrets

Payload encrypted with AES-256-GCM. Removed after viewing or 24-hour expiration.

Premium Secrets

Encrypted at rest with optional password hashing, IP allowlisting, and webhook alerts.

Password Manager

Secrets and notes encrypted per entry. Names, URLs, and categories stay plaintext for fast search.

API Key Vault

Each stored value is AEAD-encrypted. Names and environment tags remain readable for automation.

Document Vault

Binary ciphertext for any file type. Filenames and metadata are stored without encryption.

Account Passwords

Login passwords hashed with PBKDF2-SHA256 (Werkzeug). Not reversible — resets issue a new credential.

Infrastructure Security

Secure Cloud

Hosted on enterprise-grade platforms with physical access controls and audited facilities.

Network Isolation

Tiered networking limits lateral movement; data stores are not exposed directly to the public internet.

Patching & Dependencies

Regular security updates with pinned, reviewed dependencies to reduce supply-chain surprises.

Monitoring

Uptime checks, error telemetry, and alerting so incidents surface quickly.

Threat Protection

Rate Limiting

Per-endpoint limits blunt brute-force and scraping without blocking legitimate bursts.

Input Validation

Strict typing and bounds on inputs reduce injection and denial-of-service vectors.

IP Allowlisting

Premium teams can bind retrieval to corporate egress IPs or CIDR ranges.

Password-Protected Secrets

Recipient must prove knowledge of a shared secret; stored verifier is hashed, not recoverable.

Webhook Notifications

Real-time signals when sensitive links open — plug into Slack, Teams, or custom pipelines.

Audit Trail

Each view records time, IP, and user agent for downstream SIEM or compliance exports.

Automatic Cleanup

TTL-driven deletion for free-tier shares and configurable retention for premium — hourly housekeeping removes stale rows.

Security Posture

  • HTTPS enforced for every interactive session
  • Zero-knowledge flows for sensitive payloads
  • NIST-aligned AEAD (AES-GCM) throughout
  • No long-lived plaintext for secrets or vault values
  • RBAC for team-owned assets
  • Seat-based billing aligns access with roster

Responsible Disclosure

If you discover a vulnerability, coordinated disclosure helps everyone. Please:

  • Email contact@auglab.ai
  • Include reproduction steps and impact
  • Allow reasonable time for remediation before public discussion

We acknowledge receipt and collaborate on fixes.

Bug bounty: Valid findings earn recognition and coordinated publication credit where appropriate.