Technical Security Standards
Key Derivation (PBKDF2)
We use the Password-Based Key Derivation Function 2 (PBKDF2) with 600,000 iterations of SHA-256 to derive your encryption keys from your Master Password. This process happens entirely on your local machine. The derived key is never sent to our servers.
Encryption (AES-256-GCM)
All vault data is encrypted using AES-256-GCM (Advanced Encryption Standard with Galois/Counter Mode). GCM provides both confidentiality and authenticity, ensuring that encrypted data hasn't been tampered with. Each piece of data uses a unique initialization vector (IV).
The Zero-Knowledge Flow
User enters Master Password. Local PBKDF2 generates Key A (Derived Key).
Data is encrypted locally using Key A to produce Encrypted Blob B.
Only Blob B is sent to our servers for storage and synchronization.
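The three steps above, sketched with the browser's Web Crypto API as an added example (this is not Developer Command Center's own code). The function names, the random 16-byte salt, the 12-byte IV and the blob layout are assumptions; the page states only the algorithms and the iteration count.

```javascript
// Added illustration: function names, the salt and the blob layout are assumptions.
const ITERATIONS = 600000; // PBKDF2 iteration count stated on this page

// Browsers expose Web Crypto as globalThis.crypto; older Node needs the import.
async function getWebCrypto() {
  return globalThis.crypto ?? (await import('node:crypto')).webcrypto;
}

// Key A: PBKDF2-SHA-256 over the Master Password, as a non-extractable AES-256 key.
async function deriveKeyA(masterPassword, salt) {
  const wc = await getWebCrypto();
  const material = await wc.subtle.importKey(
    'raw', new TextEncoder().encode(masterPassword), 'PBKDF2', false, ['deriveKey']);
  return wc.subtle.deriveKey(
    { name: 'PBKDF2', hash: 'SHA-256', salt, iterations: ITERATIONS },
    material, { name: 'AES-GCM', length: 256 }, false, ['encrypt', 'decrypt']);
}

// Blob B: a fresh random IV per encryption, kept next to the ciphertext and GCM tag.
async function encryptToBlobB(keyA, plaintext) {
  const wc = await getWebCrypto();
  const iv = wc.getRandomValues(new Uint8Array(12));
  const ct = await wc.subtle.encrypt(
    { name: 'AES-GCM', iv }, keyA, new TextEncoder().encode(plaintext));
  return { iv, ciphertext: new Uint8Array(ct) };
}

// Decryption rejects if the key is wrong or the blob was modified (GCM tag check).
async function decryptBlobB(keyA, blob) {
  const wc = await getWebCrypto();
  const pt = await wc.subtle.decrypt({ name: 'AES-GCM', iv: blob.iv }, keyA, blob.ciphertext);
  return new TextDecoder().decode(pt);
}

async function demo() {
  const wc = await getWebCrypto();
  const salt = wc.getRandomValues(new Uint8Array(16)); // constructed sample salt
  const keyA = await deriveKeyA('correct horse battery staple', salt);
  const blobB = await encryptToBlobB(keyA, '{"api_token":"example"}');
  const again = await encryptToBlobB(keyA, '{"api_token":"example"}');
  const tampered = { iv: blobB.iv, ciphertext: blobB.ciphertext.slice() };
  tampered.ciphertext[0] ^= 1; // flip one bit, as a storage-side modification would
  const rejects = (p) => p.then(() => false, () => true);
  return {
    roundTrip: await decryptBlobB(keyA, blobB),
    ivsDiffer: blobB.iv.join() !== again.iv.join(),
    tamperRejected: await rejects(decryptBlobB(keyA, tampered)),
    wrongKeyRejected: await rejects(decryptBlobB(await deriveKeyA('wrong password', salt), blobB)),
  };
}
```

Only the `iv` and `ciphertext` fields (plus the salt, under this sketch's assumptions) would leave the device; the password and Key A stay local.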
Local Persistence
Developer Command Center stores your encrypted vault in IndexedDB, an object-oriented database that lives natively and securely in your browser. This enables offline-first functionality without compromising security boundaries.
Synchronized State
Sync occurs periodically over encrypted HTTPS REST calls to our Supabase backend. Our servers act as a "dumb" storage relay, holding only the encrypted blobs. We use a last-write-wins strategy with a version guard to ensure consistent state across devices without ever decrypting the content. If a version conflict is detected, the client is prompted to re-sync before uploading.
For deep technical audits or security vulnerability reports, please visit our security contact page.