Every decision starts with one question: how do we minimize trust surface and maximize user sovereignty? Not as a feature — as a foundation.
We cannot read your data — by design. For PassVault and 47mail, all cryptographic operations happen on your device. Our servers see only ciphertext. No master keys exist. No court order, no rogue employee, no infrastructure breach can expose your plaintext data.
Keys derived from your master password, never transmitted.
Trust mathematics, not our promises.
No escrow keys, no recovery keys, no backdoors.
Every request authenticated. Every session scoped to least-privilege. Every action audit-logged. We treat our own internal network as hostile.
| Control | Implementation | Status |
|---|---|---|
| Identity-aware access proxy | Pomerium — all services behind IAP | Active |
| Single Sign-On | Keycloak (47ID) — all products unified | Active |
| mTLS between services | Automatic service mesh certificates | Active |
| Secrets management | HashiCorp Vault — dynamic secrets, lease rotation | Active |
| Network policies | Kyverno + Kubernetes NetworkPolicy enforcement | Active |
| Audit logging | Loki — tamper-evident, immutable append-only logs | Active |
| Privileged access | Teleport — session recording, MFA enforced | Enforced |
We are a Romanian company. Our infrastructure is hosted in Romania and the EU. Your data does not leave the European Economic Area. We are subject to Romanian data protection law and GDPR.
| Sub-processor | Purpose | Location | DPA |
|---|---|---|---|
| Hetzner Online | Primary infrastructure hosting | DE / FI (EU) | Signed |
| Backblaze B2 | Encrypted backup storage | EU region | Signed |
| Cloudflare | DNS & DDoS protection only | EU nodes | Signed |
| Stripe | Payment processing (plans only) | IE (EU) | Signed |
| Postmark | Transactional email (non-ZK products) | US — SCC | SCC |
SCC = Standard Contractual Clauses (EU-approved transfer mechanism). Full sub-processor list available on request.
We take every security report seriously. 48-hour response SLA. No legal threats against good-faith researchers. Public post-mortems for significant findings.
Encrypted reports via security@the47network.com. Automated acknowledgment within 2h.
Full response with severity classification and preliminary remediation plan.
Critical within 7 days, High within 30. Timeline communicated openly.
CVE filed, researcher credited publicly, post-mortem published.
Git-versioned, plain-language, human-readable. GDPR-compliant by design. No dark patterns, no buried clauses, no data-selling.
These are unconditional. Not contingent on business circumstances, not subject to future policy changes, not negotiable.
We do not sell, license, or broker user data to third parties. Not to advertisers, not to data brokers, not to anyone. Our revenue comes from subscriptions and Studio engagements, not from your information.
No advertising in any 47Network product. No sponsored placements, no promoted results, no behavioral tracking for ad targeting. A product funded by ads is structurally incentivized to maximize data collection. We are not that product.
No government-mandated backdoors. No law enforcement access keys. For zero-knowledge products, this is enforced by the cryptography — we cannot comply with a decryption request because we hold no decryption keys.
If end-to-end encryption is ever removed or weakened in a product, we will communicate this publicly before the change ships. No silent degradation of security guarantees under any circumstances.
Documented practices, not marketing copy. What we do, how we do it, and what you can hold us to.
All sensitive data encrypted with AES-256-GCM. For zero-knowledge products (PassVault, 47mail), encryption occurs exclusively client-side — our servers store only ciphertext and cannot decrypt it.
TLS 1.3 enforced on all endpoints. HSTS with long max-age and preloading. Internal service communication encrypted with mutual TLS. No plaintext service-to-service traffic.
No implicit trust between internal services. Every call authenticated via 47ID. Privileged access requires MFA and is time-limited. Network policies enforced at the Kubernetes layer via Kyverno.
Tamper-evident audit trail for all privileged operations, authentication events, and admin actions. Logs are append-only with cryptographic chaining. Retained for 12 months minimum.
All secrets managed in HashiCorp Vault with dynamic credentials and short TTLs. No secrets in environment variables or version control. Every secret access request is audited per-call.
Automated DAST (OWASP ZAP) on every deployment. Dependency scanning via Trivy on every CI run. Periodic manual penetration testing on all externally-facing services via TestGate Studio.
All production infrastructure in EU data centres. No data transferred outside the EU without explicit consent and DPA. GDPR-compliant data processing agreements available for all business clients.
Documented IR playbook with defined severity levels. Critical: initial response within 1 hour, client notification within 4 hours. Post-mortems published at status.the47network.com within 72 hours.
Found a security issue? Email security@the47network.com. We acknowledge within 24 hours, triage within 48, and credit researchers in CVE disclosures. We do not pursue legal action against good-faith researchers.
How the security architecture behind our commitments actually works — in detail.
SHA-256 chaining, append-only Postgres, and S3 Object Lock — how audit logs are made forensically sound and tamper-evident by construction.
How dynamic credentials and short-lived secrets replace static keys in every 47Network product — eliminating the most common source of credential exposure.
The password hashing standard used in PassVault and every 47Network auth flow — Argon2id parameters, memory hardness, and why bcrypt is no longer enough.
WebAuthn device authentication — how passkeys eliminate phishing-susceptible passwords and how they complement Argon2id credential protection in 47Network products.
Argon2id key derivation, AES-256-GCM envelope encryption, client-side key generation, and the zero-knowledge proof that 47Network cannot access your vault contents.