Security Policy

Last updated: December 12, 2025

Security is the foundation of SparkVault. This policy outlines our security practices, vulnerability disclosure program, and your responsibilities when using our platform.

1. Our Security Architecture

1.1 Triple Zero-Trust Encryption

SparkVault implements a Zero-Trust architecture where no single party—including SparkVault—can decrypt your data alone:

  • ROOT 1: SVMK (SparkVault Master Key), ML-KEM-1024 (Post-Quantum)
  • ROOT 2: AMK (Account Master Key), HMAC-SHA512 in HSM
  • ROOT 3: VMK (Vault Master Key), Your Passphrase (Vaults only)

1.2 Encryption Standards

  • Data at Rest: AES-256-GCM encryption
  • Key Encapsulation: ML-KEM-1024 (NIST post-quantum standard)
  • Key Derivation: Argon2id for passphrase-based keys
  • Data in Transit: TLS 1.3 with modern cipher suites
  • Random Generation: FIPS 140-2 Level 3 hardware entropy (AWS KMS HSMs)

1.3 Infrastructure Security

  • Hosted on AWS with SOC 2 certified infrastructure
  • Hardware Security Modules (HSMs) for key management
  • Network isolation with VPCs and security groups
  • DDoS protection via AWS Shield and Cloudflare
  • Regular vulnerability scanning and penetration testing
  • 24/7 security monitoring and alerting

2. Vulnerability Disclosure Program

We welcome responsible disclosure of security vulnerabilities. If you discover a security issue, please report it to us privately so we can address it before public disclosure.

Report vulnerabilities to: [email protected]

2.1 Scope

The following are in scope:

  • sparkvault.com and all subdomains
  • app.sparkvault.com (web application)
  • SparkVault APIs
  • Mobile applications (when available)
  • Authentication and authorization systems
  • Cryptographic implementations

2.2 Out of Scope

  • Social engineering attacks against employees
  • Physical attacks against offices or data centers
  • Denial of service attacks
  • Third-party services not controlled by SparkVault
  • Vulnerabilities in outdated browsers or operating systems

2.3 Guidelines

When testing, please:

  • Only test against accounts you own or have permission to test
  • Do not access, modify, or delete data belonging to others
  • Do not perform destructive testing or denial of service
  • Stop testing and report immediately if you access user data
  • Give us reasonable time to respond and fix issues before disclosure

2.4 What to Include

When reporting, please provide:

  • Detailed description of the vulnerability
  • Steps to reproduce
  • Proof of concept (if available)
  • Impact assessment
  • Any relevant screenshots or logs
  • Your contact information for follow-up

2.5 Our Commitment

  • Acknowledge receipt within 24 hours
  • Provide an initial assessment within 72 hours
  • Keep you informed of our progress
  • Credit researchers in our security acknowledgments (if desired)
  • Not pursue legal action against good-faith researchers

2.6 Severity Classifications

Severity | Description | Response Time
Critical | Remote code execution, key compromise, mass data breach | 4 hours
High | Authentication bypass, privilege escalation, significant data access | 24 hours
Medium | XSS, CSRF, limited data exposure | 7 days
Low | Information disclosure, best practice violations | 30 days

3. Your Security Responsibilities

3.1 Account Security

  • Use a strong, unique password for your SparkVault account
  • Enable two-factor authentication (2FA) when available
  • Do not share your account credentials
  • Log out from shared or public devices
  • Report suspicious activity immediately

3.2 Passphrase Management (Vaults)

Critical: Your Vault passphrase (VMK) is never stored by SparkVault. If you lose your passphrase, your Vault data cannot be recovered by anyone—including SparkVault. Store your passphrase securely using a password manager.

3.3 API Key Security

  • Treat API keys like passwords—never commit them to repositories
  • Use environment variables or secret management tools
  • Rotate keys periodically and immediately if compromised
  • Use the minimum required permissions for each key

4. Incident Response

In the event of a security incident affecting your data:

  • We will notify affected users within 72 hours of a confirmed breach
  • We will provide details of what data was affected
  • We will explain the remediation steps taken
  • We will offer guidance on protective measures you can take

5. Security Updates

We continuously improve our security posture. Security updates and patches are applied regularly. Critical vulnerabilities are patched immediately upon discovery. We recommend always using the latest version of our APIs and following our security best practices documentation.

6. Contact

For security-related inquiries:

Security Team
Email: [email protected]
Response: Within 24 hours for security reports