Credential vault
Encrypted at rest with AES-256-GCM. Vault keys stored separately and rotated automatically. Keys are never logged.
Zero-trust access, end-to-end encryption and full audit trails were non-negotiable requirements — not afterthoughts.
Every session is authenticated and authorized per-request. No implicit trust from network location, role, or prior session.
Session traffic encrypted in transit. Credentials encrypted at rest with AES-256-GCM. Keys never stored alongside data.
Minimum access required, enforced at runtime: time-limited sessions, just-in-time credential injection, automatic expiry.
Every privileged action logged to a tamper-resistant store. Recordings, access events and policy changes cannot be altered.
All data, recordings and vaults reside in GCP europe-central2 (Warsaw). No transfer outside the EU.
Credentials are injected at the protocol level and never exposed to the connecting user. Passwords stay inside the proxy.
NIS2, GDPR, SOC 2 and ISO 27001 controls mapped to features. Reports generated on demand, not assembled by hand.
| Capability | Mechanism | Standard |
|---|---|---|
| Multi-factor authentication | TOTP, FIDO2/WebAuthn, SMS OTP | RFC 6238 / FIDO2 |
| Single sign-on | SAML 2.0, OIDC / OAuth 2.0 | SAML 2.0 / OIDC |
| Role-based access control | Tenant roles, session policies, target ACLs | NIST RBAC |
| Just-in-time credentials | Time-limited vault checkout, auto-rotation | NIS2 Art. 21 |
| Session timeout | Configurable per-role idle + max duration | SOC 2 CC6.1 |
Encrypted at rest with AES-256-GCM. Vault keys stored separately and rotated automatically. Keys are never logged.
TLS 1.3 for browser sessions. RDP, SSH and database traffic proxied through encrypted tunnels. No plaintext on the wire.
Stored in GCS (europe-central2), object-level encryption. Audit access controlled separately from replay.
All data, backups and logs reside in GCP europe-central2 (Warsaw). No cross-region replication outside the EU.
Configurable retention with GDPR right-to-erasure. Deletion is logged and irreversible.
Daily automated backups, point-in-time recovery. Encrypted at rest and tested quarterly.
| Threat | Control | Status |
|---|---|---|
| Spoofing | MFA + session token binding | MITIGATED |
| Tampering | Immutable audit log + HMAC signatures | MITIGATED |
| Repudiation | Full session recording + signed audit events | MITIGATED |
| Information disclosure | AES-256-GCM at rest, TLS 1.3 in transit, no credential exposure | MITIGATED |
| Denial of service | Rate limiting, connection caps, WAF (ModSecurity) | MITIGATED |
| Elevation of privilege | RBAC, least-privilege JIT credentials, tenant isolation | MITIGATED |
VaultPAM runs exclusively on GCP europe-central2 (Warsaw). No data is transferred or replicated outside the EU — a hard architectural constraint, not a setting.