Encryption
Credentials and sensitive fields are encrypted before persistence. Keys are managed via secure environment configuration with a roadmap for per-organization keys on enterprise deployments.
Trust center
Security, encryption and compliance you can explain to auditors
passwhy treats credentials, secrets and assets as critical infrastructure—with tenant isolation, encryption boundaries, audit logging and responsible disclosure.
Architecture
Multi-tenant cloud architecture with strict organization_id scoping on every API request. Service-layer business logic, validated inputs and no plaintext secrets in list responses.
Data Protection
Reveal and copy operations occur through audited endpoints. Version history tracks credential changes. Backup and disaster recovery aligned with commercial SLA commitments.
Privacy
passwhy processes account and vault metadata to deliver the service. Credential plaintext is encrypted; our design minimizes operator access. See Privacy Policy for data subject rights.
Compliance
Control mapping for SOC 2, GDPR and ISO 27001 reviews. Audit log retention scales by plan. DPAs and security questionnaires available for enterprise and partner customers.
Audit Logging
Immutable logs for reveal, copy, create, update, delete, login and access request decisions—with actor, IP, timestamp and target resource.
Responsible Disclosure
Report vulnerabilities to contact@passwhy.com. We acknowledge reports promptly and coordinate disclosure with researchers following industry best practice.
See security in action
Start a free trial or log in to explore vaults, RBAC and audit logs in your own workspace.