SparkVault

Your Secrets, Mathematically Guaranteed Private

SparkVault uses cryptography—not policy—to ensure that even we cannot access your data. Triple zero-trust architecture means no single party ever holds all the keys.

Start Protecting Data How It Works

Why SparkVault Is Different

Most "secure" storage providers can decrypt your data if compelled. We literally cannot.

Triple Zero-Trust

Decryption requires three independent keys: ours, hardware-secured, and yours. No single party—including us—can ever access your plaintext data alone.

Quantum-Safe Now

NIST-standardized ML-KEM-1024 (CRYSTALS-Kyber) post-quantum cryptography protects your data against future quantum computing threats today.

Hardware Isolation

Cryptographic operations happen inside hardware-isolated Trusted Execution Environments. Keys never exist in accessible memory.

Triple Zero-Trust Architecture: Three independent keys required for decryption

Two Products, One Principle

Whether you need ephemeral secrets or persistent encrypted storage, your data stays private.

Sparks

Burn After Read

Share secrets that self-destruct after a single read. Perfect for passwords, API keys, and sensitive links. Set a TTL up to 24 hours, share the link, and it's gone forever after access.

  • Auto-destroys after first read
  • Maximum 24-hour TTL
  • Up to 250KB per spark
  • Double zero-trust encryption
$0.001 per spark

Vaults & Ingots

Persistent Encrypted Storage

MAXIMUM SECURITY

Create encrypted vaults protected by your passphrase. Store ingots (encrypted objects up to 5TB) with unlimited reads. Your passphrase never leaves your device—we can't help you if you lose it.

  • Triple zero-trust (we literally can't decrypt)
  • Unlimited reads per ingot
  • Up to 5TB per ingot
  • Post-quantum cryptography
$0.99 vault creation + $0.30/mo
View full pricing details

Spark Lifecycle: Create, Share, Access, Destroy

The Math Behind the Promise

Our security isn't based on trust or policy. It's based on cryptographic impossibility.

ROOT 1
SparkVault Master Key
ML-KEM-1024 in AWS Secrets Manager
ROOT 2
Account Master Key
HMAC-SHA512 in AWS KMS hardware
ROOT 3
Your Vault Passphrase
Never stored, never transmitted

All three keys are required to decrypt. We hold one. Hardware holds one. You hold one.

A subpoena, a breach, or a rogue employee cannot compromise your data—we don't have all the keys.

End-to-End Encryption Flow: From plaintext to encrypted storage

Use Cases

From ephemeral password sharing to long-term encrypted backups.

Secure Password Sharing

Create a Spark, share the link, recipient reads once—it's gone forever. No more passwords in Slack.

API Key Distribution

Onboard new developers with one-time access to credentials. Keys never sit in email or chat history.

Encrypted Backups

Store database backups, config files, or certificates in Vaults. Even if we're breached, attackers get ciphertext.

Compliance-Ready Storage

Store PII, PHI, or financial data knowing auditors can verify the mathematical impossibility of provider access.

Team Credential Management

Shared vaults let teams access secrets securely. Revoke access instantly without rotating everything.

Recovery Codes & 2FA Seeds

Store TOTP seeds, recovery codes, and authentication secrets with true zero-knowledge security.

Enterprise Security Standards

Built on NIST-standardized cryptography with full compliance certifications.

FIPS 140-2
Level 3 Validated
SOC 2
Type II Compliant
ISO 27001
Certified
GDPR
Compliant
AES-256-GCM
Symmetric
ChaCha20-Poly1305
Symmetric
ML-KEM-1024
Post-Quantum
X25519
Key Exchange
HMAC-SHA512
Authentication
Argon2id
Key Derivation
HKDF-SHA512
Key Expansion
SHA-3
Hashing

Ready to Protect Your Data?

Start with Sparks for free ephemeral secrets, or create a Vault for persistent encrypted storage.

Get Started Free View Pricing