We started in encryption nearly 40 years ago, protecting governments, global financial networks, and military communications from the most determined attackers.

And all that experience can be found in every decision we make about security.

App Level Encryption

DropVault uses app-level encryption, which means the encryption of your data is managed by the DropVault app and not by our servers or cloud provider. This ensures that your data remains secure even from our IT team or cloud provider. A breach of our servers will never compromise encrypted data and never expose the original content.

The DropVault app also creates and manages your encryption keys, which are only accessible via the app and not by any external user.

Industry standard encryption

DropVault uses industry-standard symmetric AES-GCM encryption on all messages, replies and documents, with strong 256-bit keys. This ensures your data stays secure even from quantum computing attacks. At no time is your key shared with any team member or contact, and it is never shared or stored unencrypted on the client device.

Key Generation

When you create a new channel, we generate a random string of data which is not based on any user input. We then feed this raw data into a key generation algorithm to generate the channel’s actual 256-bit encryption key.

Key Storage

The accepted best practice for any encryption is to store the encryption key as far away as possible from the data it is securing. So we store all keys in an external key vault/HSM.

DropVault supports our own key vault (HSM), but enterprise customers can provide their own key vault (bring your own key). When the 256-bit key is generated, we copy it to the HSM and store it with an identifier for the channel it belongs to. All access to this vault is tightly controlled, and the vault can only be read by the DropVault app.

Each key in the vault has soft delete enabled. This ensures that if a key is accidentally deleted, it will remain in the “soft delete” archive for 90 days so it can be retrieved if the key was found to have been deleted in error.

Strong password rules

DropVault enforces strong password policies for every team member accessing your portal, with no user-selectable passwords allowed. Any attempt by any member to change a password will trigger an instant alert.

MFA on all team logins

Multi-factor authentication is switched on by default, including the option to authenticate users using an authenticator app on their phone.

Device And Presence Security

Once your computer, device, or location has been registered with your SafeRoom, DropVault will not allow access to your SafeRoom from any other device or location unless you add them. A simple but powerful way to keep intruders out.

Biometric Access Control

Support for native Passkey (FIDO) authentication allows facial and fingerprint biometric access for both sign-in and channels, providing enhanced security and less friction for businesses and contacts.

IP blocking/geolocation

If all your clients are in the US, there’s no need to allow login access attempts from other countries. Flexible IP blocking makes it easy to decide what access requests are blocked by default.

Security Dashboard

Your own dedicated security dashboard makes it easy to view, monitor, and track your user and contact logins, their access locations, any MFA failures or discrepancies, and any unusual behavior.

Automatic defensive security monitoring

Our system continuously monitors every connection and every attempt at access and takes immediate action to limit access if any suspicious activity is detected. You can also choose the type and severity of any response.

Default session timeout

To enhance security, session timeouts can easily be set and modified, from 15 minutes to 150 days.

Change Security Posture

Customize how the app responds to changing user locations, session timeouts, etc.

Corporate Key vaults

If required, you can easily store and manage all your encryption keys in your own corporate key vault (HSM).

Tested and Validated

As part of a yearlong evaluation by a major global client, DropVault was subjected to monthly penetration tests by one of the world’s leading security penetration companies. We never failed once.