We started in encryption nearly 40 years ago, protecting governments, global financial networks, and military communications from the most determined attackers. That experience shapes every decision we make about security.
Many solutions claim to be encrypted — but what they really mean is they rely on basic cloud-provider encryption. They can still see every document and message your clients upload, which means any attacker who gains access to their systems likely has the same visibility. That’s not smart security.
We built DropVault to be one of the most secure and private platforms available, with security designed in at every layer. We don’t need to see your content — we simply encrypt it and store it, keeping it protected even from our own team.
Every access is authenticated
Unlike most sharing apps or email — where access is granted via a simple link — DropVault authenticates every access. You always know which contact signed in, when they accessed your content, and from where. Authentication is critical for sharing anything sensitive, and it provides a level of security that apps using simple email links simply cannot match.
App Level Encryption
DropVault uses app-level encryption, meaning your data is encrypted by the DropVault app itself — not by our servers or cloud provider. This ensures your data remains secure even from our own IT team or infrastructure provider. A breach of our servers will never compromise your encrypted data or expose its original content.
The app also creates and manages your encryption keys, which are accessible only through the app and never by any external party.
All user content encrypted before saving
We don’t rely on standard, basic security to protect user data. Every message, reply, and document is encrypted before it ever reaches our servers. This is real security by design.
Data at rest — where it is stored — represents the biggest security risk and is the source of 95% of breaches. By encrypting before storing, we protect your data even in the event of a server breach, whether data is held on our infrastructure or your own cloud storage.
Secure Management Portal
Internal management portals are a common weak point for many software providers. If compromised, they can give attackers direct access to customer data.
DropVault is designed with zero visibility into your data from our management portal. Channels, portals, messages, and documents are completely inaccessible to us — which means they cannot be exposed, even in the event of a portal compromise.
Ransomware Safe
Documents stored in DropVault are virtually ransomware-proof. They are not accessible via the internet, not visible to DropVault outside the app, and never mapped as a file or folder. Ransomware has no visibility into our storage, so your documents stay secure.
SSO for your team and external contacts
Security shouldn’t create friction. We support single sign-on (SSO) for both team members and external contacts via Gmail, Microsoft, Outlook, and — coming soon — Apple ID.
Session Hijacking
Session hijacking is a growing threat where attackers steal your session identifier to impersonate you. DropVault includes built-in detection mechanisms that identify stolen sessions and automatically take action to secure your account.
Industry standard encryption
DropVault uses AES-GCM 256-bit symmetric encryption on all messages, replies, and documents — strong enough to withstand quantum computing attacks. Your key is never shared with any team member or contact, and is never stored unencrypted on a client device.
Unique key per channel
Every new channel gets a randomly generated, unique 256-bit key, stored securely in the key vault. This ensures channels are fully segregated from one another, adding an extra layer of protection for your conversations and documents.
Key Storage
Best practice in encryption is to store keys as far as possible from the data they protect. DropVault stores all keys in an external key vault (HSM), tightly controlled and accessible only by the DropVault app.
DropVault offers two key management tiers to suit different compliance requirements and risk profiles. Both options provide per-channel encryption key isolation — a level of protection that generic file sharing platforms simply don’t offer. For organisations requiring the highest level of cryptographic assurance, such as those subject to PCI DSS, DORA, or eIDAS, our HSM-backed option stores all key material in a tamper-resistant hardware device, meeting the state-of-the-art standard that regulators expect from essential entities. Both tiers fully satisfy NIS2 Article 21 requirements.
Corporate Key vaults
For businesses that require greater control, you can store and manage all encryption keys in your own corporate HSM. This allows your team to create, rotate, expire, and manage keys independently of DropVault — supporting compliance requirements and full key ownership.
Strong password rules
DropVault enforces strong password rules for every team member, with no user-selectable passwords permitted. Any attempt to change a password triggers an instant alert.
Passkeys - For better phishing defense
As phishing attacks grow more sophisticated, leading providers are moving toward passkeys. Users authenticating via supported SSO providers automatically benefit from passkey protection. Support for local passkeys is coming in Spring 2026.
Group Channels - Channel specific password
For channels storing highly sensitive data, businesses can add a second layer of protection with a channel-specific password. Team members only need to enter this password once per session.
MFA on all team logins
Multi-factor authentication is enabled by default, including support for authenticator apps. This adds a critical second layer of security beyond passwords alone.
Device And Presence Security
Once your computer, device, or location has been registered with your SafeRoom, DropVault will not allow access to your SafeRoom from any other device or location unless you add them. A simple but powerful way to keep intruders out.
Biometric Access Control
Support for native passkey (FIDO) authentication allows facial and fingerprint biometric access to both sign-in and channels, providing enhanced security and less friction for businesses and contacts.
IP blocking/geolocation
If all your clients are in the US, there’s no need to allow login attempts from other countries. Flexible IP blocking makes it easy to decide which access requests are blocked by default.
Allowed locations let a business control how and from where its team members can access their DropVault dashboard.
Security Dashboard
Your own dedicated security dashboard makes it easy to view, monitor, and track your user and contact logins, their access locations, any MFA failures or discrepancies, and any unusual behavior.
Using the dashboard, you can also instantly suspend access for any team member or external contact, or block all external access.
Automatic defensive security monitoring
Our system continuously monitors every connection and every attempt at access and takes immediate action to limit access if any suspicious activity is detected.
This security feature analyzes user activity patterns to identify potentially suspicious behavior. If suspicious access is detected, the system automatically suspends the affected user or group and notifies the designated business owner.
Default session timeout
To enhance security, session timeouts can easily be set and modified based on your business needs and security requirements. Adjust the timeout from 15 minutes up to 7 days.
Change Security Posture
Customize how the app responds to changing user locations, session timeouts, and similar events. The security posture can be set to match any business need, allowing or preventing access based on the user's location, session length, and other factors.
Tested and Validated
As part of a yearlong evaluation by a major global client, DropVault was subjected to monthly penetration tests by one of the world’s leading security penetration companies. We never failed once.