SECURITY POLICY
Last Updated: March 2026
1. SECURITY OVERVIEW
VantageVault is built on a foundation of cryptographic principles and security best practices. This policy outlines the technical measures we employ to protect your data.
2. ENCRYPTION ARCHITECTURE
Algorithm: AES-256-Fernet (symmetric encryption)
Key Derivation: PBKDF2-HMAC-SHA256 with 100,000 iterations
Plaintext Password: Never stored, never transmitted, only derived into keys on your device
Your encryption key is derived from your password locally on your machine. Even if our servers were compromised, encrypted data would be mathematically unrecoverable without your password.
3. KEY MANAGEMENT
Key Derivation
When you set a password, it is processed through PBKDF2 with:
- Algorithm: HMAC-SHA256
- Iterations: 100,000 (prevents brute-force attacks)
- Output: 256-bit encryption key for AES-256-Fernet
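Added example (not VantageVault's own code): the derivation listed above, using only the Python standard library and encoding the result as a Fernet key. The policy does not mention a salt, so the per-user random 16-byte salt is an assumption, and the function names are hypothetical.

```python
from __future__ import annotations

import base64
import hashlib
import os

ITERATIONS = 100_000  # iteration count stated in the policy
KEY_LEN = 32          # 256-bit output stated in the policy
SALT_LEN = 16         # assumption: the policy does not specify a salt


def new_salt() -> bytes:
    """Random per-user salt, stored next to the vault (it is not secret)."""
    return os.urandom(SALT_LEN)


def derive_fernet_key(password: str, salt: bytes,
                      iterations: int = ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA256 -> 32 raw bytes -> URL-safe base64 (Fernet key format)."""
    if not salt:
        raise ValueError("a salt is required; without one, equal passwords give equal keys")
    raw = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                              salt, iterations, dklen=KEY_LEN)
    return base64.urlsafe_b64encode(raw)


def split_fernet_key(key: bytes) -> tuple[bytes, bytes]:
    """Return (signing_key, encryption_key) as the Fernet spec lays them out.

    The spec splits the 32-byte key into a 16-byte HMAC-SHA256 signing key
    followed by a 16-byte AES encryption key.
    """
    raw = base64.urlsafe_b64decode(key)
    if len(raw) != KEY_LEN:
        raise ValueError("a Fernet key must decode to exactly 32 bytes")
    return raw[:16], raw[16:]


if __name__ == "__main__":
    salt = new_salt()
    # Constructed sample passwords, for illustration only.
    key = derive_fernet_key("correct horse battery staple", salt)
    wrong = derive_fernet_key("correct horse battery stapler", salt)
    signing_key, encryption_key = split_fernet_key(key)
    print("fernet key length:", len(key))
    print("wrong password gives a different key:", key != wrong)
    print("signing/encryption key bytes:", len(signing_key), len(encryption_key))
```

The salt must be persisted with the encrypted vault so the same key can be re-derived at the next login; only the password stays in the user's head.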
Recovery Codes
During account creation, you receive a cryptographic recovery code. This code can only be used once to reset your password without losing access to your vault. Store it somewhere safe.
4. SESSION MANAGEMENT
Token Storage: OS Keyring (Windows Credential Manager)
Refresh Interval: Every 45 minutes (silent, automatic)
Location: Never on disk, always in secure storage
Session tokens are stored in your operating system's secure keyring, not as plain files on disk. This prevents unauthorized access even if someone gains file system access.
5. NETWORK SECURITY
TLS/SSL
All communication between your device and our servers is encrypted using TLS 1.3. Man-in-the-middle attacks are prevented through certificate pinning.
Proxy Architecture
All API calls route through a hardened proxy authenticated by a server-side secret. Your Supabase credentials are never exposed to the client binary or network traffic.
6. DATA AT REST
Your encrypted vault data is stored in a Supabase PostgreSQL database. The data is:
- Already encrypted by your client before transmission
- Encrypted again at the database level using AES-256
- Replicated across geographically distributed secure servers
7. CLIENT SECURITY
Windows Application
The VantageVault Windows desktop application is built with CustomTkinter and Python. It includes:
- All encryption operations performed locally (no server-side encryption)
- No telemetry or tracking
- Secure memory handling to prevent password leakage
- Regular security updates
8. THIRD-PARTY SECURITY
Supabase (Backend): Enterprise-grade security with SOC 2 Type II compliance. Encrypted data only.
HuggingFace (API Proxy): Secure API endpoint with authentication and rate limiting.
9. VULNERABILITY REPORTING
If you discover a security vulnerability, please report it to support@vantagevault.dev with the subject line "SECURITY DISCLOSURE". Please do not publicly disclose the vulnerability until we have had a chance to address it.
10. SECURITY UPDATES
We regularly release security updates and patches. Windows users are notified of updates and can install them directly from the application.
11. COMPLIANCE
VantageVault is designed to be:
- GDPR compliant (user data control and deletion rights)
- CCPA compliant (privacy and opt-out rights)
- End-to-end encrypted (zero-knowledge architecture)
12. SECURITY BEST PRACTICES FOR USERS
- Strong Password: Use a unique, complex password. The strength of your encryption depends on password quality.
- Recovery Code: Store your recovery code in a safe location separate from your password.
- Keep Software Updated: Ensure Windows and VantageVault are up to date.
- Device Security: Use antivirus software and keep your operating system patched.
- Session Management: Log out on shared devices.
13. INCIDENT RESPONSE
In the unlikely event of a security incident:
- We immediately investigate and contain the breach
- Affected users are notified within 48 hours
- We provide guidance on protective measures
- A detailed incident report is published
14. CONTACT & QUESTIONS
For security questions or concerns, contact support@vantagevault.dev.