Security + trust

The security platform held to the highest standard — its own.

Vault is FedRAMP Moderate authorized, SOC 2 Type II audited, ISO 27001 + 27017 + 27018 certified, HIPAA-aligned + HITRUST r2 certified, and PCI-DSS Level 1 compliant. We publish auditor reports + the security architecture.

Quarterly external pentest · monthly internal red-team · zero critical findings in last 8 quarters · public bug bounty since 2019

Trusted with: SOC 2 Type II · ISO 27001 · FedRAMP Moderate · HIPAA + HITRUST r2 · PCI-DSS Level 1

Trust + security architecture overview
Live · 24/7 SOC · 99.99% uptime, 12mo trailing

Active compliance attestations
  • SOC 2 Type II · annual · public report
  • ISO 27001 + 27017 + 27018 · multi-cert
  • FedRAMP Moderate · authorized 2024
  • HIPAA + HITRUST r2 · BAA included
  • PCI-DSS Level 1 · service provider

The trust pillars

What you can verify, audit, and constrain

The trust posture is set up so customers can verify our claims, audit the architecture, and constrain Vault’s access in production environments. Nothing is taken on faith.

Single-tenant deployment

On request: Vault deployed in your VPC, your control plane, your encryption keys. Same product, isolated infrastructure. Used by 38% of Fortune 50 customers.

Customer-managed keys

BYOK + HYOK supported. Vault never sees decrypted customer data. Key revocation severs Vault’s access in real time.

Zero customer data in models

ML detection models train on synthetic data + customer-aggregated signals (with consent). No customer-specific data ever leaves your tenant.

FedRAMP Moderate authorized

FedRAMP Moderate authorized as a service · NIST 800-53 Rev 5 controls. Available in AWS GovCloud + Azure Gov.

Continuous penetration testing

Quarterly external pentest + monthly internal red-team. Reports available under NDA. Last 8 quarters: zero critical findings.

Vulnerability disclosure program

Public bug bounty since 2019. Median time-to-fix: 6 days for critical, 14 days for high. Hall-of-Fame at vault.security/security/researchers.

Architecture

Read-only by default. Single-tenant available.

The standard deployment is multi-tenant in our cloud. Single-tenant deployments — in your VPC, your control plane, your keys — are available for customers under stricter regulatory constraints.

  • Read-only by default
    Vault asks for the minimum permissions needed. Read-only API access for posture; write permissions are scoped + auditable, requested per use case.
  • No agent debt
    eBPF-based runtime detection where supported, agentless everywhere else. Most customers run Vault with zero installed agents on production.
  • Defense in depth
    Vault’s own platform is a Vault customer — we run our own scans against ourselves continuously, with results published in the trust portal.
Vault architecture diagram with data flow

Security architecture

The cryptography. Public, auditable, peer-reviewed.

All cryptographic implementations are public. The Vault threat model + cryptographic architecture documents are linked from the trust portal — peer-reviewed every two years by an external cryptography firm.

threat-model-summary.md
# Vault Cryptographic Architecture · v3.4

## Data at rest
  Customer evidence + findings: AES-256-GCM, customer-managed keys (BYOK)
  Vault platform metadata:    AES-256-GCM, AWS KMS HSM-backed
  Backups:                    AES-256-GCM, distinct keyset, weekly rotation

## Data in transit
  External APIs:    TLS 1.3 only · ECDHE-secp384r1 · AES-256-GCM
  Service mesh:     mTLS · short-lived certs (1h)
  Customer probes:  TLS 1.3 + cert pinning + signed JWTs

## Key management
  HSMs:             FIPS 140-2 Level 3 · AWS CloudHSM (West/East/Gov)
  Customer keys:    BYOK + HYOK · zero-knowledge access by default
  Key rotation:     90-day automatic for platform · customer-controlled BYOK

# Audited by Trail of Bits · Q1 2026 · zero critical findings
Trust portal

Real reports. Not claims.

The trust portal has SOC 2 Type II reports, ISO certificates, FedRAMP authorization letters, pentest summaries, and the cryptographic architecture document. Most material is downloadable under NDA in 1-click.

  • SOC 2 Type II reports — annual
    Most recent: Q3 2025. Available under NDA in 1-click. Two prior years are also available on request.
  • Pentest summary reports
    Quarterly external pentest summaries. Last 8 quarters publicly indexed. Detailed findings under NDA.
  • Cryptographic architecture (peer-reviewed)
    Audited by Trail of Bits, Q1 2026. Architecture document + threat model + key management policy. Public PDF.
Procurement support

Talk to security engineering, not just sales.

If you’re evaluating Vault for a regulated workload, our security engineering team will walk you through the architecture, run the threat model with your team, and help you scope the deployment for your compliance regime. No salespeople in the room.

  • Walk through the threat model + cryptographic architecture
  • Map our controls to your audit framework
  • 30-60 minutes · security engineering on the call
Schedule a security review