Legal

Data Processing Addendum

The terms under which Vaultneur acts as your data processor, including sub-processors and security measures.

Effective 22 May 2026

Effective date: 22 May 2026

Update Notice

This Data Processing Addendum ("DPA") has been updated to reflect changes to Vaultneur's service architecture and sub-processors. The main changes from the previous version are:

Infrastructure & sub-processors

  • Migration of our hosting infrastructure to Supabase (authentication, database and storage).
  • Removal of Amazon Web Services, UpCloud, Twilio and Mailtrap as sub-processors.
  • Addition of Supabase and RevenueCat as sub-processors.

Service architecture

  • Adoption of a zero-knowledge encryption model: your data is encrypted on your device before it reaches our servers, and we do not hold any key that can decrypt it.
  • Encryption performed using AES-256-GCM, with keys derived using PBKDF2-SHA256 (310,000 iterations).

These changes are intended to strengthen the protection of your data while maintaining compliance with applicable data protection laws, including the GDPR, CCPA/CPRA, POPIA and the UK Data Protection Act 2018.

Please review Schedule 1 (Description of Transfer) and Schedule 2 (Technical and Organizational Measures), as these contain the most significant updates.


Agreement

In order that you as a service user and data controller (referred to as "Controller" or "User") may use or continue to use our zero-knowledge encrypted vault services ("Services") offered by us, Vaultneur PTY LTD of Pretoria, Gauteng, South Africa, and data processor (referred to as "Vaultneur" or "Processor"), you agree that certain Personal Data you submit as part of your use of our Services and these data processing terms ("Terms") shall apply (notwithstanding any other terms and conditions applicable to the delivery of the Services to the contrary) in order to address the compliance obligations imposed upon Vaultneur and its Users pursuant to Applicable Law.

Definitions

"Affiliate" means an entity that, directly or indirectly, controls, is controlled by, or is under common control with a Party. As used herein, "control" means the power to direct the management or affairs of an entity and the beneficial ownership of fifty percent (50%) or more of the voting equity securities or other equivalent voting interests of an entity.

"Applicable Law(s)" means all US, UK, and EU laws, regulations, and other legal or regulatory requirements relating to privacy, data protection/security, or the Processing of Personal Data applicable to Vaultneur's performance of its services under the Agreement, including without limitation the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq. ("CCPA") as amended by the California Privacy Rights Act of 2020 ("CPRA"), Protection of Personal Information Act ("POPIA") including any implementing regulations, the United Kingdom Data Protection Act 2018, and the General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR").

"User Contact Data" means the User's contact information.

"User Personal Data" means User Data, as defined in the Agreement, consisting of Personal Data, except for User Contact Data.

"EEA" means, for purposes of this DPA, the European Economic Area (which is composed of the member states of the European Union), Norway, Iceland, Liechtenstein, and Switzerland.

"EU SCCs" means the Standard Contractual Clauses issued pursuant to the EU Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on Standard Contractual Clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, available at http://data.europa.eu/eli/dec_impl/2021/914/oj and completed as described in Section 9.

"Personal Data Breach" means the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of or access to User Personal Data.

"Personal Data" includes "personal data," "personal information," and "personally identifiable information," each as defined by Applicable Law.

"Process" and "Processing" mean any operation or set of operations performed on Personal Data, or on sets of Personal Data, whether or not by automated means, such as collecting, recording, organizing, creating, structuring, storing, adapting or altering, retrieving, consulting, using, disclosing (by transmission, dissemination or otherwise making such data available), aligning or combining, restricting, erasing, or destroying such Personal Data.

"Standard Contractual Clauses" means the EU SCCs or the UK SCCs, as applicable.

"UK SCCs" means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, available as of the Effective Date at the ICO website and completed as described in Section 9.

Relationship of the Parties

User is the Controller as defined under Applicable Laws, and User determines the means and purposes for which User Personal Data is Processed by Vaultneur. To the extent Vaultneur Processes User Personal Data subject to Applicable Laws, Vaultneur is a Processor and Service Provider as defined under Applicable Laws, and Vaultneur will Process the User Personal Data according to the instructions set forth in this DPA, the Agreement, and as required under Applicable Laws.

Note on our zero-knowledge architecture: Our Services encrypt User Personal Data on your device before it is transmitted to our infrastructure. We do not hold the cryptographic keys needed to decrypt your vault data and cannot access its plaintext content. This means that although we store and process encrypted data, metadata and account information, we cannot read the actual content of the documents and records you store.

User and Vaultneur are independent Controllers, as defined under Applicable Laws, with respect to User Contact Data. Either Party may Process User Contact Data as necessary for the purpose of (i) carrying out its obligations under the Agreement, (ii) applicable legal or regulatory requirements, (iii) requests and communications with the other Party, (iv) administrative, business, and marketing purposes, and (v) to protect its respective rights in accordance with applicable law and, in the case of Vaultneur, maintaining the security and integrity of the Services.

Vaultneur hereby certifies that it understands the restrictions and obligations set forth in this DPA in relation to its role as a Processor and Service Provider, and that it will comply with them.

User's Instructions to Vaultneur

Purpose limitation

Vaultneur will not:

  • sell or share (as defined by CCPA) User Personal Data;
  • Process User Personal Data for any purpose other than for the specific purposes set forth in the Agreement;
  • retain, use, or disclose any such data outside of the direct business relationship between the Parties;
  • combine any User Personal Data with personal information that it receives from, or on behalf of, another person or persons, or collects from its own interaction with a consumer, except as otherwise permitted by Applicable Law; or
  • otherwise engage in any Processing of User Personal Data beyond that in which a Processor may engage under the Applicable Law or in which a Service Provider may engage under the Applicable Law, unless obligated to do otherwise by Applicable Law. In such a case, Vaultneur will inform User of the applicable legal obligation before engaging in the Processing, unless legally prohibited from doing so.

Further details regarding Vaultneur's Processing operations are set forth in Schedule 1. To the extent User discloses or makes available deidentified data (as such term is defined under Applicable Law) within the User Data to Vaultneur, Vaultneur shall not attempt to re-identify such data.

Note on zero-knowledge limitations: Because of our zero-knowledge architecture, we cannot access, read or process the plaintext content of your encrypted vault data. Our processing is limited to encrypted data, file metadata (such as file size, timestamps and record type), account information and operational system data.

Lawful instructions

User will not instruct Vaultneur to Process User Personal Data in violation of Applicable Law. Vaultneur will without undue delay inform User if, in Vaultneur's opinion, an instruction from User infringes Applicable Law. The Agreement, including this DPA, constitutes User's complete and final instructions to Vaultneur regarding the Processing of User Personal Data, including for purposes of the Standard Contractual Clauses. User shall also have the right to take reasonable and appropriate steps to stop or remediate any unauthorized Processing of User Personal Data by Vaultneur.

Limitations on Disclosure

Vaultneur will not disclose User Personal Data to any third party without first obtaining User's written consent, except as provided in Section 5, Section 7 or Section 9, except as required by law. Vaultneur will require all employees, contractors, and agents who Process User Personal Data on Vaultneur's behalf to protect the confidentiality of the User Personal Data and to comply with the other relevant requirements of this DPA.

Note: Given our zero-knowledge architecture, we are technically unable to disclose the plaintext content of your encrypted data, as we do not hold the keys required to decrypt it.

Subcontracting

Sub-processors

Vaultneur may subcontract the collection or other Processing of User Personal Data only in compliance with Applicable Law and any additional conditions for subcontracting set forth in the Agreement. User acknowledges and agrees that Vaultneur's Affiliates and certain third parties may be retained as sub-processors to Process User Personal Data on Vaultneur's behalf (under this DPA as well as under the Standard Contractual Clauses, if they apply) in order to provide the Services.

Vaultneur's third-party sub-processors are:

  • Supabase — authentication, database and storage infrastructure;
  • RevenueCat — subscription and entitlement management.

Prior to a sub-processor's Processing of User Personal Data, Vaultneur will impose contractual obligations on the sub-processor substantially the same as those imposed on Vaultneur under this DPA to the extent applicable to the nature of the services provided by such sub-processor. Vaultneur remains liable for its sub-processors' performance under this DPA to the same extent Vaultneur is liable for its own performance.

Notification

Vaultneur will provide Users with at least ten (10) days' written notice of new sub-processors before authorizing such sub-processor(s) to Process User Personal Data in connection with the provision of the Services. Vaultneur will notify User at the email address provided in the signature block of this DPA for purposes of this notification. The sub-processor agreements to be provided under Section 5(j) of the EU SCCs may have all commercial information, or provisions unrelated to the EU SCCs, redacted prior to sharing with User, and User agrees that such copies will be provided only upon written request.

Right to object

User may object to Vaultneur's use of a new sub-processor on reasonable grounds relating to the protection of User Personal Data by notifying Vaultneur promptly in writing within ten (10) business days after receipt of Vaultneur's notice in accordance with the mechanism set out in Section 5.2. In its notification, User will explain its reasonable grounds for objection. In the event User objects to a new sub-processor, Vaultneur will use commercially reasonable efforts to make available to User a change in the Services or recommend a commercially reasonable change to User's configuration or use of the Services to avoid Processing of User Personal Data by the objected-to new sub-processor without unreasonably burdening User. If Vaultneur is unable to make available such change within a reasonable period of time, which will not exceed thirty (30) days, either Party may terminate without penalty the Processing of User Personal Data and/or the Agreement with respect only to those services which cannot be provided by Vaultneur without the use of the objected-to new sub-processor by providing written notice to the other Party.

Assistance and Cooperation

Security

Vaultneur will provide reasonable assistance to User regarding User's compliance with its security obligations under Applicable Law relevant to Vaultneur's role in Processing User Personal Data, taking into account the nature of Processing and the information available to Vaultneur, by implementing the technical and organizational measures set forth in Schedule 2, without prejudice to Vaultneur's right to make future replacements or updates to the measures that do not materially lower the level of protection of User Personal Data. Vaultneur will ensure that the persons Vaultneur authorizes to Process the User Personal Data are subject to written confidentiality agreements or are under an appropriate statutory obligation of confidentiality no less protective than the confidentiality obligations set forth in the Agreement.

Personal Data Breach notification & response

Vaultneur will comply with the Personal Data Breach-related obligations directly applicable to it under Applicable Law. Taking into account the nature of Processing and the information available to Vaultneur, Vaultneur will inform User of a substantiated Personal Data Breach without undue delay or within the time period required under Applicable Law, and in any event no later than seventy-two (72) hours following such substantiation.

Note on the effect of encryption in a breach: Where a breach involves encrypted User Personal Data, the risk to data subjects is significantly reduced by our zero-knowledge architecture. Encrypted data accessed without the corresponding decryption keys (which Vaultneur does not hold) remains protected by AES-256-GCM encryption.

Vaultneur will notify User at the email address provided in the signature block of this DPA for purposes of Personal Data Breach notifications. Any such notification is not an acknowledgement of fault or responsibility. This notification will include Vaultneur's then-current assessment of the following information, to the extent available, which may be based on incomplete information:

  • the nature of the Personal Data Breach, including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of User Personal Data records concerned;
  • the likely consequences of the Personal Data Breach; and
  • measures taken or proposed to be taken by Vaultneur to address the Personal Data Breach, including, where applicable, measures to mitigate its possible adverse effects.

Vaultneur will provide timely and periodic updates to User as additional information regarding the Personal Data Breach becomes available. User is solely responsible for complying with legal requirements for incident notification applicable to User and fulfilling any third-party notification obligations related to any Personal Data Breach. Nothing in this DPA or in the Standard Contractual Clauses will be construed to require Vaultneur to violate, or delay compliance with, any legal obligation it may have with respect to a Personal Data Breach or other security incidents generally.

Data Subject Requests

To the extent legally permitted, Vaultneur will without undue delay notify User if Vaultneur receives any request from an individual seeking to exercise any right afforded to them under Applicable Law regarding their Personal Data (a "Data Subject Request"). To the extent User, in its use of the Services, does not have the ability to address a Data Subject Request, Vaultneur will, upon User's request, take commercially reasonable efforts to assist User in responding to such Data Subject Request, to the extent Vaultneur is legally permitted to do so and the response to such Data Subject Request is required under Applicable Law.

Note on zero-knowledge implications: Because of our zero-knowledge design, we cannot access, retrieve, modify or delete the plaintext content of your encrypted vault data without your cooperation, as we do not hold the decryption keys. Requests that require access to or modification of vault content must be carried out through your own account using your authentication credentials.

DPIAs and Consultation with Authorities

Upon User's written request, Vaultneur will provide User with reasonable cooperation and assistance as needed and appropriate to fulfill User's obligations under Applicable Law to carry out a data protection impact assessment related to User's use of the Services. Vaultneur will provide reasonable assistance to User in the cooperation or prior consultation with the Supervisory Authority (as defined under the GDPR) in the performance of its tasks relating to the data protection impact assessment, and to the extent required under the Applicable Law.

International Data Transfers

User authorizes Vaultneur and its sub-processors to make international transfers of the User Personal Data in accordance with this DPA so long as Applicable Law for such transfers is respected.

With respect to User Personal Data transferred from the EEA, the EU SCCs will apply and form part of this DPA, unless the European Commission issues updates to the EU SCCs, in which case the updated EU SCCs will control. Undefined capitalized terms used in this provision will have the meanings given to them (or their functional equivalents) in the definitions in the EU SCCs. For purposes of the EU SCCs, they will be deemed completed as follows:

  • Where User acts as a Controller and Vaultneur acts as User's Processor with respect to User Personal Data subject to the EU SCCs, Module 2 applies.
  • Where User acts as a Processor and Vaultneur acts as User's sub-processor with respect to User Personal Data subject to the EU SCCs, Module 3 applies.
  • Section 7 (the optional docking Section) is not included.
  • Under Section 9 (Use of sub-processors), the Parties select Option 2 (General written authorization). The initial list of sub-processors is set forth at Section 5. Vaultneur will provide notice of updates to that list at least ten (10) business days in advance of any intended additions or replacements of sub-processors, in accordance with Section 5 of this DPA.
  • Under Section 11 (Redress), the optional requirement that data subjects be permitted to lodge a complaint with an independent dispute resolution body is inapplicable.
  • Under Section 17 (Governing law), the Parties select Option 1 (the law of an EU Member State that allows for third-party beneficiary rights). The Parties select the law of Ireland.
  • Under Section 18 (Choice of forum and jurisdiction), the Parties select the courts of Ireland.
  • Annexes I and II of the EU SCCs are set forth in Schedule 1 below.
  • Annex III of the EU SCCs (List of sub-processors) is inapplicable.
  • By entering into this DPA, the Parties are deemed to be signing the EU SCCs.

With respect to User Personal Data transferred from the United Kingdom for which the law of the United Kingdom (and not the law in any European Economic Area jurisdiction) governs the international nature of the transfer, the UK SCCs form part of this DPA and take precedence over the rest of this DPA as set forth in the UK SCCs, unless the United Kingdom issues updates to the UK SCCs, in which case the updated UK SCCs will control. Undefined capitalized terms used in this provision will have the meanings given to them (or their functional equivalents) in the definitions in the UK SCCs. For purposes of the UK SCCs, they will be deemed completed as follows:

  • Table 1 of the UK SCCs: The Parties' details are the Parties and their affiliates to the extent any of them is involved in such transfer, including those set forth in Schedule 1. The Key Contacts are the contacts set forth in Schedule 1.
  • Table 2 of the UK SCCs: The Approved EU SCCs referenced in Table 2 are the EU SCCs as executed by the Parties pursuant to this Addendum.
  • Table 3 of the UK SCCs: Annex 1A, 1B, and II are set forth in Schedule 1.
  • Table 4 of the UK SCCs: Either Party may terminate this Addendum as set forth in Section 19 of the UK SCCs.
  • By entering into this DPA, the Parties are deemed to be signing the UK SCCs and their applicable Tables and Appendix Information.

With respect to User Personal Data transferred from Switzerland for which Swiss law (and not the law in any European Economic Area jurisdiction) governs the international nature of the transfer, the EU SCCs will apply and will be deemed to have the following differences to the extent required by the Swiss Federal Act on Data Protection ("FADP"):

  • References to the GDPR in the EU SCCs are to be understood as references to the FADP insofar as the data transfers are subject exclusively to the FADP and not to the GDPR.
  • The term "member state" in the EU SCCs will not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Section 18(c) of the EU SCCs.
  • References to Personal Data in the EU SCCs also refer to data about identifiable legal entities until the entry into force of revisions to the FADP that eliminate this broader scope.
  • Under Annex I(C) of the EU SCCs (Competent supervisory authority): where the transfer is subject exclusively to the FADP and not the GDPR, the supervisory authority is the Swiss Federal Data Protection and Information Commissioner, and where the transfer is subject to both the FADP and the GDPR, the supervisory authority is the Swiss Federal Data Protection and Information Commissioner insofar as the transfer is governed by the FADP, and the supervisory authority is as set forth in the EU SCCs insofar as the transfer is governed by the GDPR.

Governing Law of this DPA

Except where the Standard Contractual Clauses (or Applicable Law) require a specific governing law for the international transfer of Personal Data — in which case that law applies solely to those transfer mechanisms — this DPA is governed by the laws of the Republic of South Africa, consistent with the governing law of the Agreement. The governing-law and jurisdiction selections made above in respect of the EU SCCs and UK SCCs apply only to those clauses and the transfers they govern, and do not alter the governing law of the Agreement or the remainder of this DPA.

Audits

Vaultneur will make available to User the information reasonably necessary to demonstrate compliance with this DPA and the obligations of a processor under Applicable Law and the Standard Contractual Clauses. The Parties agree that this obligation will ordinarily be satisfied by Vaultneur providing, on User's written request and no more than once per year, (i) a description of the technical and organizational measures set out in Schedule 2, and (ii) where available, the then-current security or compliance reports of Vaultneur's sub-processors (for example, Supabase), which underpin the security of the Services.

An on-site audit or inspection will only take place where (i) the information described above is insufficient to demonstrate compliance, (ii) User is required to carry out such an audit by a supervisory authority or under Applicable Law, or (iii) there has been a substantiated Personal Data Breach affecting User's data. In that event, User will give Vaultneur at least thirty (30) days' prior written notice, the audit will be conducted during business hours, no more than once per year, in a manner that minimizes disruption, and will not exceed one (1) business day. User will bear its own costs and Vaultneur's reasonable costs of the audit, and User will not access any data or Confidential Information of other Users.

Legal Process

If Vaultneur is legally compelled by a court or other government authority to disclose User Personal Data, then to the extent permitted by law, Vaultneur will promptly provide User with sufficient notice of all available details of the legal requirement and reasonably cooperate with User's efforts to challenge the disclosure, seek an appropriate protective order, or pursue such other legal action, as Vaultneur deems appropriate.

Note: Because of our encryption architecture, we are technically unable to provide the plaintext content of your encrypted data in response to legal process, as we do not hold the decryption keys. Any compelled disclosure would be limited to encrypted data, metadata and account information that we are able to access.

Destruction of Personal Data

Upon termination of the Agreement and written request from User, Vaultneur will delete or anonymize User Personal Data, unless prohibited by Applicable Law. Notwithstanding the foregoing, nothing will oblige Vaultneur to delete or anonymize User Personal Data from files created for security, backup and business continuity purposes sooner than required by Vaultneur's data retention processes. Any User Personal Data that may be retained beyond the duration of the Agreement will still be protected in accordance with this DPA and Vaultneur shall not process such User Personal Data except as strictly permitted under Applicable Law.

Applicability and Order of Precedence

This DPA replaces any existing data processing addendum the Parties may have previously entered into in connection with the Agreement. In the event of a conflict between the terms of the Agreement and this DPA, the terms of the DPA will apply. In the event of a conflict between this DPA and the applicable Standard Contractual Clauses, the Standard Contractual Clauses will apply.


Schedule 1 — Annexes I and II of the EU SCCs

List of Parties

Module Two: Transfer Controller to Processor. Module Three: Transfer Processor to Processor.

Data exporter(s):

  • Name: The exporter is the User specified in the Agreement.
  • Address: specified in the Agreement.
  • Contact person: specified in the Agreement.
  • Activities relevant to the data transferred: Obtaining the Services from the data importer.
  • Role: Controller.

Data importer(s):

  • Name: Vaultneur PTY LTD.
  • Address: Pretoria, Gauteng, South Africa (as specified in the Agreement).
  • Contact person: specified in the Agreement.
  • Activities relevant to the data transferred: Providing the zero-knowledge encrypted vault Services to the data exporter.
  • Role: Processor.

Description of Transfer

Categories of data subjects

Data subjects whose Personal Data is uploaded by the data exporter to, or otherwise provided to Vaultneur through, the Services. This includes individual users of the vault application and, where applicable, their designated emergency contacts or family vault members.

Categories of personal data transferred

The data exporter may transfer Personal Data to Vaultneur, the extent of which is determined and controlled by the data exporter in its sole discretion. This data falls into two categories:

Encrypted vault data (stored and processed in encrypted form only; Vaultneur cannot access the plaintext):

  • Document file contents.
  • Document filenames and file types (MIME types).
  • Record data, including identification, medical, financial, crypto wallet, login and other records.
  • Record titles and field contents.
  • Notes, tags and attachments.
  • Signature images on signed documents.
  • Emergency QR information (such as blood type, allergies and emergency contacts).

Account and metadata (accessible to Vaultneur):

  • Account email address and subscription tier.
  • The SHA-256 hash of your recovery key (used only for verification).
  • Your encrypted (wrapped) vault key, which is unusable without your password.
  • File metadata: file sizes, timestamps and random file identifiers.
  • Record type only (for example, ID, Medical, Login).
  • Number of files and records, and subscription/entitlement status.

Note on processing limitations: Because of our zero-knowledge encryption, all vault content — including document contents, filenames, file types, record titles, fields, notes and attachments — is encrypted on your device before it reaches us and remains encrypted on our systems. We do not hold the keys needed to decrypt it.

Sensitive data

The Services are designed to let Users store sensitive personal information, including health data, financial records and identification documents. All such data is encrypted on your device using AES-256-GCM before it is transmitted to our infrastructure. The safeguards that apply are:

  • Client-side (on-device) encryption using AES-256-GCM.
  • A zero-knowledge architecture that prevents Vaultneur from accessing plaintext data.
  • A password-derived key system using PBKDF2-SHA256 (310,000 iterations).
  • Hardware-backed key storage (iOS Keychain / Android Keystore), with optional biometric unlock.
  • Encryption of all vault content, including filenames and file types.
  • TLS 1.3 for all data in transit.
  • Row-level security at the database layer, restricting access to each user's own data.

Frequency of the transfer

Continuously, for the duration of the Agreement, whenever Users upload documents or create or modify records through the application.

Nature and purpose of the processing

User Personal Data is processed in order to: receive and store encrypted data; maintain encrypted database records and metadata; authenticate users and manage accounts; synchronize encrypted vault data across a user's devices; manage subscriptions; maintain encrypted backups; and comply with applicable law. All processing of vault content occurs in encrypted form only.

Retention period

User Personal Data is retained for as long as necessary to provide the Services under the Agreement and in accordance with Vaultneur's data retention processes and applicable law. On account deletion, vault data, records, recovery data and the account are removed. Encrypted copies in backups are retained only as long as required by our backup processes before being overwritten.

Sub-processor processing

Supabase — provides authentication, database and storage infrastructure. It stores encrypted vault data, hashed account credentials and metadata, and enforces row-level security. It processes this data for as long as needed for Vaultneur to provide the Services. Supabase only ever handles encrypted (ciphertext) vault data and cannot read its content.

RevenueCat — provides subscription and entitlement management. It receives an account identifier and entitlement status (for example, Free or Pro) and does not receive any vault content or documents. It processes this data for as long as needed for Vaultneur to provide the Services.

Competent Supervisory Authority

The Parties will follow the rules for identifying the competent supervisory authority under Section 13 of the EU SCCs and, to the extent legally permissible, select the Irish Data Protection Commission for transfers governed by the GDPR, and the Information Commissioner's Office (ICO) for transfers governed by UK data protection law.


Schedule 2 — Technical and Organizational Measures

This Schedule describes the technical and organizational measures Vaultneur has implemented to protect User Personal Data, taking into account the nature, scope and purpose of the processing and the risks involved.

Zero-knowledge encryption

The core of our security model is that all substantive User Personal Data is encrypted on the user's device before it is transmitted to our infrastructure. We do not hold any key capable of decrypting your vault content.

On-device encryption

  • AES-256-GCM authenticated encryption, using a 256-bit key, a fresh 12-byte initialization vector for each encryption, and a 128-bit authentication tag that detects tampering.
  • Encryption is performed on the device before any network request is made.

Keys

  • The vault key (a 256-bit AES key) is generated on the device using the platform's secure random number generator.
  • A password-derived key, created with PBKDF2-SHA256 (310,000 iterations, using your email as the salt), is used to wrap (encrypt) the vault key. Your password itself is never sent to our servers.
  • The vault key is stored in the device's hardware-backed secure storage (iOS Keychain / Android Keystore) while the vault is open, and is never transmitted to us in usable form.
  • Optionally, the vault key can also be protected by the device's biometric hardware (Face ID, Touch ID or fingerprint) for unlocking without typing a password.
  • A 24-word recovery passphrase allows you to restore your vault if you lose your password. We store only the SHA-256 hash of this recovery key, never the key itself.

What is encrypted

Document contents, filenames and file types; all record fields and titles; notes, tags and attachments; signature images; and emergency QR data are all encrypted on the device before transmission.

Encryption in transit

  • TLS 1.3 for all communication between the application and our servers, with no fallback to insecure protocols, weak ciphers or outdated versions.

Access controls

  • Access to systems is limited on a least-privilege basis, and access is removed when no longer required.
  • Authentication is managed through Supabase Auth.
  • Row-level security is enforced at the database layer, so that each query can only return the requesting user's own data; a stolen API key cannot read another user's rows.
  • Because of our zero-knowledge design, Vaultneur personnel cannot read vault content even where they have system access, since the decryption keys are not available to us.

Physical security

Vaultneur does not operate its own data centers. Hosting is provided by Supabase, and the physical and environmental security of the underlying infrastructure is managed by that provider and its own underlying hosting providers.

Data at rest and deletion

  • Vault content is end-to-end encrypted by the application before it reaches storage, so it is stored as ciphertext.
  • Encrypted file blobs are stored under random identifiers, not real filenames.
  • On account deletion, a single server-side operation removes the user's documents, records, recovery data and account.
  • Encrypted copies that exist in routine backups are overwritten in line with our backup cycle.

Application security

  • We follow secure development practices aligned with widely used industry guidance such as the OWASP Top 10.
  • Changes are tested before being released to production.
  • We keep our dependencies and platform components reasonably up to date with security fixes.

Sub-processors

Before engaging a sub-processor that may have access to User Data, Vaultneur reviews the sub-processor's security and privacy practices and enters into a written agreement imposing data protection and security obligations appropriate to the data involved. Our current sub-processors are Supabase (which only ever handles encrypted vault data) and RevenueCat (which handles only subscription data and no vault content).

Personnel

  • Personnel with access to systems are bound by confidentiality obligations.
  • Personnel are instructed to report any suspected personal data breach promptly so that it can be assessed and, where required, notified.

Backups and continuity

  • We maintain backups of encrypted User Data so that it can be restored.
  • Backups contain the same encrypted (ciphertext) data and are protected accordingly.

End of Data Processing Addendum.

For questions regarding this Data Processing Addendum, please contact [email protected].

Vaultneur PTY LTD, Pretoria, Gauteng, South Africa. Version 2.0 (zero-knowledge architecture), effective 22 May 2026.