Skip to main content
VaultPAM
00 Security

secure by design. every session, every credential, every byte.

Zero-trust access, end-to-end encryption and full audit trails were non-negotiable requirements — not afterthoughts.

01 Security principles

Seven principles that govern every decision.

01

Zero-trust access

Every session is authenticated and authorized per-request. No implicit trust from network location, role, or prior session.

02

End-to-end encryption

Session traffic encrypted in transit. Credentials encrypted at rest with AES-256-GCM. Keys never stored alongside data.

03

Least-privilege by default

Minimum access required, enforced at runtime: time-limited sessions, just-in-time credential injection, automatic expiry.

04

Immutable audit trail

Every privileged action logged to a tamper-resistant store. Recordings, access events and policy changes cannot be altered.

05

EU data residency

All data, recordings and vaults reside in GCP europe-central2 (Warsaw). No transfer outside the EU.

06

No credential exposure

Credentials are injected at the protocol level and never exposed to the connecting user. Passwords stay inside the proxy.

07

Continuous compliance posture

NIS2, GDPR, SOC 2 and ISO 27001 controls mapped to features. Reports generated on demand, not assembled by hand.

02 Authentication & authorization

MFA, SSO and role-based access — without the configuration tax.

CapabilityMechanismStandard
Multi-factor authenticationTOTP, FIDO2/WebAuthn, SMS OTPRFC 6238 / FIDO2
Single sign-onSAML 2.0, OIDC / OAuth 2.0SAML 2.0 / OIDC
Role-based access controlTenant roles, session policies, target ACLsNIST RBAC
Just-in-time credentialsTime-limited vault checkout, auto-rotationNIS2 Art. 21
Session timeoutConfigurable per-role idle + max durationSOC 2 CC6.1
03 Data protection

Encryption and storage your legal team can sign off.

CREDENTIAL NEVER VISIBLE TO USER USER VAULT PAM rdp-prod-01 ssh-bastion db-master ●●●●●●● ●●●●●●● ●●●●●●● INJECT SERVER DIRECT ACCESS BLOCKED VAULTPAM CREDENTIAL FLOW FIG.02 AES-256-GCM · EU-WAW
Fig. 02 Credentials are retrieved from the encrypted vault and injected at the protocol level — the connecting user never sees the password.
3.1

Credential vault

Encrypted at rest with AES-256-GCM. Vault keys stored separately and rotated automatically. Keys are never logged.

3.2

In-transit encryption

TLS 1.3 for browser sessions. RDP, SSH and database traffic proxied through encrypted tunnels. No plaintext on the wire.

3.3

Session recordings

Stored in GCS (europe-central2), object-level encryption. Audit access controlled separately from replay.

3.4

EU data residency

All data, backups and logs reside in GCP europe-central2 (Warsaw). No cross-region replication outside the EU.

3.5

Retention controls

Configurable retention with GDPR right-to-erasure. Deletion is logged and irreversible.

3.6

Backup & recovery

Daily automated backups, point-in-time recovery. Encrypted at rest and tested quarterly.

04 Threat model

STRIDE — verified against every release.

ThreatControlStatus
SpoofingMFA + session token bindingMITIGATED
TamperingImmutable audit log + HMAC signaturesMITIGATED
RepudiationFull session recording + signed audit eventsMITIGATED
Information disclosureAES-256-GCM at rest, TLS 1.3 in transit, no credential exposureMITIGATED
Denial of serviceRate limiting, connection caps, WAF (ModSecurity)MITIGATED
Elevation of privilegeRBAC, least-privilege JIT credentials, tenant isolationMITIGATED
05 EU residency

Your data stays in the EU. Always.

NOT A CONFIGURATION OPTION EUROPEAN UNION REST OF WORLD SESSION-REC CREDENTIALS AUDIT-LOGS ACCESS-EVENTS GCP EUROPE-CENTRAL2 WARSAW · EU-WAW PRIMARY REGION EU BOUNDARY · GDPR ART. 44 THIRD-COUNTRY SERVER TRANSFER BLOCKED VAULTPAM EU RESIDENCY BOUNDARY FIG.03 GCP EU-WAW · GDPR ART. 44
Fig. 03 All data, recordings and credentials terminate in GCP europe-central2 (Warsaw). Cross-border transfer is architecturally blocked — not a setting.

VaultPAM runs exclusively on GCP europe-central2 (Warsaw). No data is transferred or replicated outside the EU — a hard architectural constraint, not a setting.

  • GCP europe-central2 (Warsaw) — primary and only region
  • No cross-region replication outside EU
  • GDPR/RODO Article 44 — no third-country transfers
  • NIS2 Article 21 residency controls satisfied
  • SOC 2 Type II scope includes eu-central2 infrastructure