Security model
Encryption
At rest
All credential values are encrypted with AES-256-GCM before they are written to storage. Each credential is encrypted under its own data encryption key (DEK), and each DEK is in turn encrypted (wrapped) under a key encryption key (KEK) that is managed externally - the envelope encryption pattern - so the storage layer holds only ciphertext and wrapped DEKs, never a plaintext key.
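Worked example of the envelope pattern described above. This is added illustration code, not SlateBeaver's implementation: it uses only the Go standard library, an in-memory key stands in for the externally managed KEK (in production the wrap and unwrap calls would go to the key management service), and the names EncryptCredential, DecryptCredential and StoredCredential are this example's own. It also shows the two things a reviewer checks in a design like this: every AES-GCM seal draws a fresh random nonce, and the credential ID is bound as associated data so a ciphertext cannot be moved to another record without failing the tag check.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// KEK stands in for the externally managed key encryption key. In production
// wrapping and unwrapping would be KMS calls; here it is an in-memory key so
// the example runs offline (an assumption of this example, not SlateBeaver's).
type KEK struct{ Key []byte }

// Sealed is one AES-256-GCM ciphertext with the nonce it was produced under.
// GCM nonces must never repeat under the same key, so each seal draws a fresh
// random 96-bit nonce; a unique DEK per credential keeps the count per key tiny.
type Sealed struct {
	Nonce, Ciphertext []byte
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext under key, binding aad into the authentication tag.
func seal(key, plaintext, aad []byte) (Sealed, error) {
	aead, err := newGCM(key)
	if err != nil {
		return Sealed{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Sealed{}, err
	}
	return Sealed{Nonce: nonce, Ciphertext: aead.Seal(nil, nonce, plaintext, aad)}, nil
}

func open(key []byte, s Sealed, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, s.Nonce, s.Ciphertext, aad)
}

// StoredCredential is the only thing that reaches storage: the credential
// ciphertext and its DEK wrapped under the KEK. No plaintext key is persisted.
type StoredCredential struct {
	ID         string
	WrappedDEK Sealed
	Value      Sealed
}

// EncryptCredential generates a fresh 256-bit DEK for this credential, encrypts
// the value with it, then wraps the DEK under the KEK. The credential ID is
// bound as associated data so a ciphertext cannot be moved to another record.
func EncryptCredential(kek KEK, id string, value []byte) (StoredCredential, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return StoredCredential{}, err
	}
	v, err := seal(dek, value, []byte(id))
	if err != nil {
		return StoredCredential{}, err
	}
	w, err := seal(kek.Key, dek, []byte(id))
	if err != nil {
		return StoredCredential{}, err
	}
	return StoredCredential{ID: id, WrappedDEK: w, Value: v}, nil
}

// DecryptCredential unwraps the DEK with the KEK, then decrypts the value. Any
// change to ciphertext, nonce or ID fails the GCM tag check and returns an error.
func DecryptCredential(kek KEK, c StoredCredential) ([]byte, error) {
	dek, err := open(kek.Key, c.WrappedDEK, []byte(c.ID))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return open(dek, c.Value, []byte(c.ID))
}

func main() {
	kek := KEK{Key: make([]byte, 32)}
	if _, err := rand.Read(kek.Key); err != nil {
		panic(err)
	}
	stored, err := EncryptCredential(kek, "cred-42", []byte("db-password")) // constructed sample
	if err != nil {
		panic(err)
	}
	pt, err := DecryptCredential(kek, stored)
	fmt.Printf("plaintext=%q err=%v\n", pt, err)
}
```

Rotating the KEK under this layout means re-wrapping the DEKs, not re-encrypting every credential value, which is the operational reason envelope encryption is used.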
In transit
All connections between clients (browser, CLI, API) and SlateBeaver services use TLS 1.3. Older TLS versions are not accepted.
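Added check, written for this page and not taken from SlateBeaver's code: a Go server configuration that refuses anything below TLS 1.3, plus a handshake over an in-memory pipe that confirms a client offering at most TLS 1.2 is rejected while a TLS 1.3 client negotiates 1.3. The self-signed certificate, the hostname example.test and the client's InsecureSkipVerify are scaffolding so the check runs offline; only ServerTLSConfig is the setting under discussion.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// ServerTLSConfig is the policy under discussion: nothing below TLS 1.3 is
// negotiated. Go's default MinVersion is TLS 1.2, so it must be set explicitly.
func ServerTLSConfig(cert tls.Certificate) *tls.Config {
	return &tls.Config{
		Certificates:           []tls.Certificate{cert},
		MinVersion:             tls.VersionTLS13,
		SessionTicketsDisabled: true, // keeps the synchronous in-memory pipe below deadlock-free
	}
}

// selfSignedCert builds a throwaway certificate so the check runs offline.
func selfSignedCert() (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example.test"}, // hypothetical host
		DNSNames:     []string{"example.test"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// Handshake connects a client whose highest offered version is clientMax to
// ServerTLSConfig over an in-memory pipe and returns the negotiated version.
// The client skips certificate verification only because this exercise is
// about version negotiation against a throwaway cert; never do that in production.
func Handshake(clientMax uint16) (uint16, error) {
	cert, err := selfSignedCert()
	if err != nil {
		return 0, err
	}
	c, s := net.Pipe()
	defer c.Close()
	defer s.Close()
	deadline := time.Now().Add(5 * time.Second) // a stuck handshake fails instead of hanging
	c.SetDeadline(deadline)
	s.SetDeadline(deadline)

	srv := tls.Server(s, ServerTLSConfig(cert))
	cli := tls.Client(c, &tls.Config{
		ServerName:         "example.test",
		MaxVersion:         clientMax,
		InsecureSkipVerify: true, // test scaffolding only, see above
	})
	srvErr := make(chan error, 1)
	go func() { srvErr <- srv.Handshake() }()
	cliErr := cli.Handshake()
	<-srvErr
	if cliErr != nil {
		return 0, cliErr
	}
	return cli.ConnectionState().Version, nil
}

func main() {
	for _, v := range []uint16{tls.VersionTLS12, tls.VersionTLS13} {
		got, err := Handshake(v)
		fmt.Printf("client max 0x%04x: negotiated 0x%04x, err=%v\n", v, got, err)
	}
}
```

The same check against a live endpoint is the first thing to run when auditing a "TLS 1.3 only" claim: a client pinned to TLS 1.2 must fail the handshake, not merely get a weaker cipher.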
Authentication
Password
Password-based authentication with enforced minimum complexity.
2FA
Two-factor authentication is available for all accounts and required on Business and Enterprise plans.
Hardware keys
WebAuthn / FIDO2 hardware key support.
SSO
SAML 2.0 SSO - when SSO is enabled, password-based login can be disabled for your organisation.
Session security
Inactivity timeout
Sessions have a configurable inactivity timeout; the default is 8 hours.
Server-side tokens
Session state is held server-side, so a token can be invalidated immediately on logout or by an administrator; nothing the client holds remains valid afterwards.
Concurrent limits
Concurrent session limits can be configured on Enterprise plans.
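Added example, not SlateBeaver's implementation, of the three session properties above as one server-side store in Go: a sliding inactivity timeout, revocation that takes effect on the next request because the server-side entry is simply deleted, and a per-user concurrent session limit that counts only live sessions. Store, Create, Touch and Revoke are this example's own names. One detail the page does not mention is added as a practitioner's caveat: tokens are hashed before being used as map keys, so a leaked copy of the store contains no usable tokens.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
	"time"
)

var ErrNoSession = errors.New("session not found, expired or revoked")
var ErrTooManySessions = errors.New("concurrent session limit reached")

type session struct {
	user     string
	lastSeen time.Time
}

// Store keeps all session state server-side, keyed by SHA-256 of an opaque
// random token. The token carries no state, so revoking it is just deleting
// the entry, and a leaked copy of the store yields no live tokens.
type Store struct {
	mu         sync.Mutex
	sessions   map[string]*session // key: hex(sha256(token))
	idle       time.Duration       // inactivity timeout (the page's default is 8h)
	maxPerUser int                 // concurrent session limit, 0 = unlimited
	now        func() time.Time    // injectable clock; time.Now in production
}

func NewStore(idle time.Duration, maxPerUser int) *Store {
	return &Store{sessions: map[string]*session{}, idle: idle, maxPerUser: maxPerUser, now: time.Now}
}

func key(token string) string {
	sum := sha256.Sum256([]byte(token))
	return hex.EncodeToString(sum[:])
}

// sweepLocked drops expired sessions and returns how many live ones user has.
func (s *Store) sweepLocked(user string) int {
	n := 0
	for k, sess := range s.sessions {
		switch {
		case s.now().Sub(sess.lastSeen) > s.idle:
			delete(s.sessions, k)
		case sess.user == user:
			n++
		}
	}
	return n
}

// Create issues a fresh 256-bit random token after checking the per-user limit
// against live sessions only, so expired ones never block a login.
func (s *Store) Create(user string) (string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	if live := s.sweepLocked(user); s.maxPerUser > 0 && live >= s.maxPerUser {
		return "", ErrTooManySessions
	}
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	token := hex.EncodeToString(raw)
	s.sessions[key(token)] = &session{user: user, lastSeen: s.now()}
	return token, nil
}

// Touch validates a token on every request and slides the inactivity window.
func (s *Store) Touch(token string) (string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	k := key(token)
	sess, ok := s.sessions[k]
	if !ok || s.now().Sub(sess.lastSeen) > s.idle {
		delete(s.sessions, k) // an expired entry is dropped on first sight
		return "", ErrNoSession
	}
	sess.lastSeen = s.now()
	return sess.user, nil
}

// Revoke ends a session, whether called from the user's own logout or by an
// administrator; the very next Touch with that token fails.
func (s *Store) Revoke(token string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	delete(s.sessions, key(token))
}

func main() {
	st := NewStore(8*time.Hour, 2)
	tok, _ := st.Create("alice") // constructed sample user
	user, err := st.Touch(tok)
	fmt.Println("touch:", user, err)
	st.Revoke(tok)
	_, err = st.Touch(tok)
	fmt.Println("after revoke:", err)
}
```

Contrast this with a stateless signed token (a JWT with an 8-hour expiry, for instance): there, "invalidated immediately" is not possible without an additional server-side deny list, which is why the server-side design matters for the logout and admin-revocation guarantees above.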
Credential access model
- Revealing a credential value requires explicit permission - no role implicitly grants access to all credentials
- Every reveal is logged immediately and cannot be redacted
- Revealed values are never stored in browser local storage or application caches
Audit trail integrity
- Audit log entries are written as append-only records
- Entries cannot be modified or deleted by any user, including organisation Owners
- The log is queryable by actor, credential, environment, action type, and time range
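Added example in Go, written for this page rather than taken from SlateBeaver, covering both the credential access model and the audit trail rules above: a reveal needs an explicit per-credential grant (no role wildcard), the attempt is appended to the log before any value is returned and is refused outright if the append fails, and the log type exposes only Append and Query, with the query dimensions listed under Audit trail integrity. Vault, memLog, Filter and the sample credential db/password are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// AuditEntry is one append-only record of a reveal attempt, allowed or not.
type AuditEntry struct {
	At                                     time.Time
	Actor, Credential, Environment, Action string
	Allowed                                bool
}

// Filter mirrors the page's query dimensions; zero values mean "any".
type Filter struct {
	Actor, Credential, Environment, Action string
	From, To                               time.Time
}

func (f Filter) matches(e AuditEntry) bool {
	return (f.Actor == "" || f.Actor == e.Actor) &&
		(f.Credential == "" || f.Credential == e.Credential) &&
		(f.Environment == "" || f.Environment == e.Environment) &&
		(f.Action == "" || f.Action == e.Action) &&
		(f.From.IsZero() || !e.At.Before(f.From)) &&
		(f.To.IsZero() || !e.At.After(f.To))
}

// AuditLog exposes only Append and Query: there is deliberately no way to edit
// or delete an entry through it, whatever the caller's role. memLog is an
// in-memory stand-in; Fail simulates an outage to exercise fail-closed Reveal.
type AuditLog interface {
	Append(AuditEntry) error
	Query(Filter) []AuditEntry
}

type memLog struct {
	entries []AuditEntry
	Fail    bool
}

func (l *memLog) Append(e AuditEntry) error {
	if l.Fail {
		return errors.New("audit log unavailable")
	}
	l.entries = append(l.entries, e)
	return nil
}

func (l *memLog) Query(f Filter) (out []AuditEntry) {
	for _, e := range l.entries {
		if f.matches(e) {
			out = append(out, e)
		}
	}
	return out
}

// Credential values here are constructed samples, already decrypted by the
// storage layer. grants is an explicit allow-list (credential -> actor): there
// is no role wildcard, so an Owner with no grant is denied like anyone else.
type Credential struct {
	Environment string
	Value       []byte
}

type Vault struct {
	creds  map[string]Credential
	grants map[string]map[string]bool
	log    AuditLog
	now    func() time.Time
}

var ErrDenied = errors.New("reveal not permitted")

// Reveal writes the audit record before returning anything; if the write fails
// the reveal does not happen, so no value is ever handed out unlogged.
func (v *Vault) Reveal(actor, name string) ([]byte, error) {
	cred, exists := v.creds[name]
	allowed := exists && v.grants[name][actor] // a missing inner map reads as false
	if err := v.log.Append(AuditEntry{At: v.now(), Actor: actor, Credential: name,
		Environment: cred.Environment, Action: "credential.reveal", Allowed: allowed}); err != nil {
		return nil, fmt.Errorf("reveal aborted, audit write failed: %w", err)
	}
	if !allowed {
		return nil, ErrDenied
	}
	return append([]byte(nil), cred.Value...), nil // a copy, never the stored slice
}

// NewSampleVault wires up constructed sample data for the example.
func NewSampleVault(log AuditLog) *Vault {
	return &Vault{
		creds:  map[string]Credential{"db/password": {Environment: "production", Value: []byte("hunter2")}},
		grants: map[string]map[string]bool{"db/password": {"alice": true}},
		log:    log,
		now:    time.Now,
	}
}

func main() {
	log := &memLog{}
	v := NewSampleVault(log)
	_, err := v.Reveal("bob", "db/password") // bob has no explicit grant
	val, _ := v.Reveal("alice", "db/password")
	fmt.Printf("bob: %v; alice: %s; attempts by bob: %d\n", err, val, len(log.Query(Filter{Actor: "bob"})))
}
```

The ordering inside Reveal is the point: logging after the return would leave a window in which a value is disclosed but never recorded, which contradicts "logged immediately".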
Infrastructure
- Hosted on AWS and Google Cloud Platform
- Data stored in EU (Frankfurt) and IN (Mumbai) regions
- Organisation data is logically isolated - one organisation cannot access another's data
- Backups run daily with 7-day retention
Reporting a vulnerability
Security disclosures can be sent to security@slatebeaver.com. We aim to acknowledge within 48 hours.
Full security posture page →