The first-access trust layer.
Auditable by design.

CredentialFlow sits where credentials move from issuer to recipient: the moment before SSO, MFA, and device trust take over. Split-trust encryption by default. Zero-knowledge mode available. Every delivery produces tamper-evident proof.

We observe the credential lifecycle because we have to, in order to deliver it correctly. We don't watch what happens after.

TLS 1.3 in transit
AES-256 at rest
HMAC-SHA256 audit chains
7-year log retention
Zero plaintext ever stored

00 / Architecture

Where we sit in the stack.

CredentialFlow exists for the bootstrap boundary before durable trust is established.

First-access trust establishment and observability: one architecture covering credential delivery to new hires and Help Desk verification before sensitive actions.

01 / Foundation

Our Commitment to Security

Security is our baseline, not a premium feature. Split-trust encryption, zero-knowledge mode, and tenant-level isolation aren't features we added later. They're the foundation. Every organization receives maximum-strength encryption and the same protective controls, regardless of plan.

Built for regulated industries. Available to everyone.

SOC 2 TYPE II Attested

SOC 2 Type II attested, covering logical access, transmission security, system monitoring, risk management, and availability. Full control mapping available under NDA.

GDPR & CCPA Compliant

Automatic data minimization and configurable retention policies to safeguard personal info.

ISO 27001 Roadmap

ISO 27001 certification on our 2026 roadmap. Controls already aligned.

Aligned with HIPAA

Technical controls aligned with HIPAA requirements. BAA on roadmap.

02 / Infrastructure

Data Residency

All customer data is currently hosted and processed within the United States. We are actively planning expansion to additional global regions to support our international customers' compliance needs.

Hosting & Controls

CredentialFlow runs on Amazon Web Services with AWS WAF and an Application Load Balancer at the perimeter. Multi-layer rate limiting prevents brute force and enumeration. All connections use TLS 1.3. Older protocol versions are rejected at the network edge.

No 3rd-Party Secret Access

We deliver notifications, not secrets. Messaging providers receive routing metadata only. The secret stays encrypted in our environment until single-use retrieval.

Security Architecture

Isolation, layered encryption, and zero-knowledge options work together so one organization's risk never becomes another's.

Tenant-Isolated Encryption

Each organization has unique encryption keys and a cryptographically enforced database boundary. Row-Level Security at the PostgreSQL layer ensures no application-layer bypass can expose another tenant's data.

Dual-Control Split-Trust

Key shares are split between an independent vault and CredentialFlow's infrastructure. Combined only in temporary memory during use.

Zero-Knowledge Mode

Client-side encryption keeps even CredentialFlow blind to the secret when compliance demands it.

Defense-in-Depth

Every API request passes through an independent authentication chain covering identity verification, tenant resolution, role enforcement, and resource ownership, evaluated sequentially. A bypass at any single layer cannot cross tenant boundaries.

Transparent Audit Logging

Cryptographically signed, tamper-evident logs capture the who/what/when for each handoff, visible only to your org.

Retention Failsafe

Delivery tokens are stored only as a cryptographic one-way hash. CredentialFlow cannot retrieve the original value. Multiple failed retrieval attempts trigger automatic purge before the credential can be extracted. Unclaimed secrets expire within 24 hours. Nothing lingers.
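
The retention rules above can be sketched as follows. This is an added example, not CredentialFlow's code: the `DeliveryStore` class, the in-memory dictionary, and the limit of three failed attempts are assumptions (the page says only "multiple").

```python
import hashlib
import hmac
import secrets
import time

TTL_SECONDS = 24 * 3600  # page: unclaimed secrets expire within 24 hours
MAX_FAILED = 3           # assumption: the page says only "multiple"


def token_digest(token: str) -> bytes:
    # A plain SHA-256 is adequate only because the token is 256 random bits.
    return hashlib.sha256(token.encode()).digest()


class DeliveryStore:
    """Keeps ciphertext plus the token's digest; the token itself is never stored."""

    def __init__(self, now=time.time):
        self._now = now
        self.rows = {}

    def create(self, delivery_id: str, ciphertext: bytes) -> str:
        token = secrets.token_urlsafe(32)  # returned once, for the recipient
        self.rows[delivery_id] = {
            "digest": token_digest(token), "ciphertext": ciphertext,
            "expires": self._now() + TTL_SECONDS, "failed": 0,
        }
        return token

    def retrieve(self, delivery_id: str, token: str):
        row = self.rows.get(delivery_id)
        if row is None:
            return None
        if self._now() >= row["expires"]:
            del self.rows[delivery_id]  # expired: purge unclaimed secret
            return None
        if not hmac.compare_digest(token_digest(token), row["digest"]):
            row["failed"] += 1
            if row["failed"] >= MAX_FAILED:
                del self.rows[delivery_id]  # purge before guessing can succeed
            return None
        del self.rows[delivery_id]  # single-use: gone after first success
        return row["ciphertext"]
```

Once a record is purged, the correct token no longer retrieves anything, so the issuer has to create a new delivery.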

CredentialFlow offers three encryption modes:

  1. Standard Dual Control: two key shares unique to your org, held by two independent enterprise key custodians built into every account; neither can decrypt alone.
  2. BYOK: one of the two split-trust shares is yours, hosted in your KMS.
  3. Zero-Knowledge: the dashboard user creates a delivery passphrase; encryption happens in the browser.

03 / Encryption

Encryption Modes

Split-trust dual control is the foundation. BYOK uses your KMS key as one of the two shares. Zero-knowledge layers client-side encryption above the stack.

All three modes are included in every plan, and the layers compose: BYOK and zero-knowledge build on top of dual control, not around it.

| | Standard | BYOK | ZK |
|---|---|---|---|
| Encryption Location | Server-side | Server-side | Client-side (Browser) |
| Customer-Managed Key | | (AWS, Azure, GCP) | (Implicit) |
| CredentialFlow Can Decrypt? | Yes (policy) | Only with permission | Never |
| Operational Recovery | High | High | None |
| Enterprise Auditability | High | High | Medium |
| Privacy Level | Strong | Strong + Controlled | Maximum |

Full Stack

Maximum protection: all three layers enabled.

Stack split-trust dual control with BYOK key sovereignty and zero-knowledge browser encryption for your strongest possible protection profile.

  • Layer 1 · Dual Control. Two key shares unique to your org, held by two independent enterprise key custodians built into every account. Neither alone can decrypt.
  • Layer 2 · BYOK. Your KMS holds one of the two shares. Pull your key and all decryption invalidates instantly.
  • Layer 3 · Zero-Knowledge. Browser-side encryption with a delivery passphrase, applied at save time. Even with both key shares present, we only see ciphertext. Recipient decrypts before use.

04 / Access Controls

Role-Based Access

Separation of duties enforced at the data layer: each team operates with precisely scoped visibility.

HR Teams

Manage the onboarding pipeline and confirm delivery, without ever touching a credential value.

Can access

Employee names & start dates
Delivery status & timestamps
Reminder scheduling

Cannot access

Credential values
IT configuration

IT Teams

Provision and manage credentials while remaining blind to employee personal information.

Can access

Credential creation & rotation
Encryption mode selection
Delivery confirmation receipts

Cannot access

Employee PII
HR workflow data
Saved credential values

Admins

Control security posture and review the complete audit trail. Credential content stays protected at the encryption layer.

Can access

Security policy configuration
Full immutable audit trail
Role & permission management
Encryption mode enforcement

05 / Monitoring

Continuous Monitoring

Every credential lifecycle event is tracked, signed, and surfaced so your security team always has evidence, not assumptions.

Complete Audit Trail

Every action is timestamped, attributed, and HMAC-SHA256 signed with a per-organization signature chain, independently verifiable and tamper-evident. Retained for 7 years.

Automatic Protection

Repeated failed retrievals, off-hours access, and enumeration attempts trigger automatic rate-limiting, account lockout, and real-time notification to your security team.

Delivery Confirmation

Timestamped proof of successful retrieval, including device fingerprint and geolocation metadata, is appended to the credential's audit record immediately on access.

Anomaly Detection

Machine-learned baselines flag geographic anomalies, repeat retrieval attempts, and access outside working hours, surfaced as reviewable alerts in your audit dashboard.
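
One common way to build an HMAC-SHA256 signature chain like the one described under Complete Audit Trail, with a verifier that reports the first broken link. This is an added example, not CredentialFlow's code: the record layout, the all-zero seed, the `pinned_head` check, and the key and events are constructed assumptions.

```python
import hashlib
import hmac
import json

GENESIS = b"\x00" * 32  # assumed seed for the first link
ORG_KEY = b"constructed-demo-key-org-42"  # constructed; stands in for a per-org key


def link_mac(key: bytes, prev: bytes, event: dict) -> bytes:
    # Canonical JSON so an event always serialises to the same bytes.
    body = json.dumps(event, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev + body, hashlib.sha256).digest()


def append(chain: list, key: bytes, event: dict) -> None:
    prev = bytes.fromhex(chain[-1]["mac"]) if chain else GENESIS
    chain.append({"event": event, "mac": link_mac(key, prev, event).hex()})


def first_broken_link(chain: list, key: bytes, pinned_head: str = None):
    """Index of the first record that fails, len(chain) if the head
    does not match a value pinned out of band, else None."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        try:
            stored = bytes.fromhex(rec["mac"])
        except (ValueError, TypeError):
            return i
        if not hmac.compare_digest(stored, link_mac(key, prev, rec["event"])):
            return i
        prev = stored
    if pinned_head is not None and prev.hex() != pinned_head:
        return len(chain)
    return None


def sample_chain() -> list:
    # Constructed events, not real CredentialFlow log records.
    chain = []
    steps = [("it-admin", "credential.created"), ("system", "notification.sent"),
             ("recipient", "credential.retrieved")]
    for seq, (actor, action) in enumerate(steps):
        append(chain, ORG_KEY, {"seq": seq, "actor": actor, "action": action})
    return chain
```

Edits, deletions, and reordering break a link, but dropping the newest records does not, which is why the verifier also accepts the latest MAC recorded somewhere the log writer cannot alter.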

06 / Security Review

Common Questions

From compliance teams and security reviewers.

Ready to close the day-zero gap?

Split-trust encryption, tamper-evident audit chains, and zero plaintext storage. Live in your environment in under five minutes.