
Security

Most note apps treat security as a checkbox. Here is exactly what Vault does to protect your account and data - no vague reassurances, just the actual technical measures.

httpOnly JWT cookies

Your session tokens are stored in cookies flagged httpOnly and Secure, so JavaScript running on the page cannot read them and the browser only sends them over HTTPS. This removes the most common form of XSS session theft, where injected script reads the token and sends it to an attacker. It does not make XSS harmless: a script running in the page can still issue requests that carry the cookie, which is why the session controls and login alerts below matter as well.

Two-factor authentication (TOTP)

Enable 2FA with any standard authenticator app (Google Authenticator, Authy, 1Password). Even if your password is compromised, your account cannot be accessed without the second factor. Eight single-use backup codes are issued at setup for the case where you lose access to the authenticator app.
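The TOTP scheme used by those authenticator apps is RFC 6238: a shared secret, HMAC-SHA1 over the current 30-second time step, truncated to six digits. The example below is added here to show how a server verifies such codes and how single-use backup codes are stored and consumed; it is not Vault's own code. The RFC 6238 test secret, the one-step tolerance for clock drift, and the 40-bit backup codes hashed with SHA-256 are this example's choices.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional

# RFC 6238 reference secret (ASCII "12345678901234567890"), base32-encoded the way an
# authenticator app would receive it. Used only for the demonstration and tests.
RFC6238_TEST_SECRET = base64.b32encode(b"12345678901234567890").decode("ascii")


def generate_totp_secret(nbytes: int = 20) -> str:
    """Fresh shared secret, base32 without padding, ready for an otpauth:// URI or QR code."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii").rstrip("=")


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    now = int(time.time()) if at is None else at
    return hotp(secret_b32, now // step, digits)


def verify_totp(secret_b32: str, code: str, at: Optional[int] = None,
                window: int = 1, step: int = 30) -> bool:
    """Accept the code for the current step and `window` steps either side (clock drift).
    Comparison is constant-time. A production server should additionally refuse to accept
    the same code twice inside its validity window."""
    if not (code.isascii() and code.isdigit()):
        return False
    now = int(time.time()) if at is None else at
    return any(hmac.compare_digest(hotp(secret_b32, now // step + skew), code)
               for skew in range(-window, window + 1))


def generate_backup_codes(count: int = 8):
    """Return (codes to show the user once, hashes to store).
    Each code carries 40 bits of entropy, so an unsalted SHA-256 of it cannot be
    brute-forced from the stored hash the way a low-entropy password could."""
    codes = [secrets.token_hex(5) for _ in range(count)]
    hashes = {hashlib.sha256(c.encode("ascii")).hexdigest() for c in codes}
    return codes, hashes


def redeem_backup_code(stored_hashes: set, code: str) -> bool:
    """Consume a backup code: delete its hash on success so it can never be replayed."""
    digest = hashlib.sha256(code.strip().lower().encode("utf-8")).hexdigest()
    if digest in stored_hashes:
        stored_hashes.discard(digest)
        return True
    return False


if __name__ == "__main__":
    secret = generate_totp_secret()
    code = totp(secret)
    print("secret:", secret, "code:", code, "valid:", verify_totp(secret, code))
```

The `window` argument is the trade-off to watch: each extra step either side widens the set of codes an attacker can guess at any moment, so keep it at one step and rate-limit verification attempts like any other login.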

Session management

Every logged-in device is listed in your account settings. You can revoke any individual session, or all sessions at once. Revocation is enforced server-side and takes effect immediately: there is no window in which a stolen token remains valid.

Password hashing

Passwords are hashed with Django's PBKDF2-SHA256 hasher, using a random per-user salt, before being stored. Plain-text passwords are never written to disk or to logs at any point.
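Django stores such hashes as a single string, `pbkdf2_sha256$<iterations>$<salt>$<base64 hash>`, so the salt and work factor travel with the hash and can be raised later. The example below is added to show that format, a constant-time check, and the rehash-on-login step; it is not Vault's code, and the iteration count is an assumption for this example rather than a value the page states.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional

ALGORITHM = "pbkdf2_sha256"
# Work factor: an assumption for this example. Django raises its own default each release;
# choose a value that costs roughly 100 ms per hash on your server and raise it over time.
ITERATIONS = 870_000


def hash_password(password: str, iterations: int = ITERATIONS, salt: Optional[str] = None) -> str:
    """Encode as Django does: 'pbkdf2_sha256$<iterations>$<salt>$<base64 hash>'.
    A fresh random salt per user means two users with the same password get different
    hashes, and a precomputed table built against one salt is useless against the rest."""
    if salt is None:
        salt = secrets.token_urlsafe(16)
    if "$" in salt:
        raise ValueError("salt must not contain the field separator")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt.encode("ascii"), iterations)
    return "$".join([ALGORITHM, str(iterations), salt, base64.b64encode(dk).decode("ascii")])


def verify_password(password: str, encoded: str) -> bool:
    """Recompute with the stored salt and iteration count and compare in constant time."""
    try:
        algorithm, iterations, salt, stored = encoded.split("$", 3)
    except ValueError:
        return False
    if algorithm != ALGORITHM:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt.encode("ascii"), int(iterations))
    return hmac.compare_digest(base64.b64encode(dk).decode("ascii"), stored)


def needs_rehash(encoded: str, iterations: int = ITERATIONS) -> bool:
    """True when the stored hash is weaker than current policy. Rehash on the next
    successful login, the only moment the plaintext is legitimately available."""
    parts = encoded.split("$", 3)
    return len(parts) != 4 or parts[0] != ALGORITHM or int(parts[1]) < iterations


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")
    print(stored)
    print("login ok:", verify_password("correct horse battery staple", stored))
    print("needs rehash:", needs_rehash(stored))
```

Never log the `encoded` string at debug level either: it is slow to crack, not impossible, and the whole point of the scheme is that the stored value stays on the server.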

New device login alerts

Every time your account is accessed from a new device or browser, an email alert is sent immediately. If it was not you, a single click revokes that session.

Email change protection

When you change your email address, your old address receives an immediate alert with a one-click undo link valid for 24 hours. This prevents an attacker from silently changing your email after gaining access.

Security audit log

Every sensitive action on your account is recorded: logins, password changes, email changes, 2FA setup and removal, session revocations. Visible in Settings → Security log.

Refresh token rotation

Every time your access token is refreshed, a new refresh token is issued and the old one is blacklisted, so any given refresh token can be used at most once. If a stolen copy is used before your own client refreshes, your client's next refresh fails, which is itself a signal that the token was taken.

Brute-force protection

Login attempts are rate-limited and tracked per IP address. After a threshold of failed attempts, the IP is temporarily locked out. This is enforced server-side, independent of anything the client does.
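A per-IP lockout needs two pieces of state: a sliding window of recent failures and a lockout deadline. The example below is added to show that logic; it is not Vault's code, and the thresholds, the reset on a successful login, and the sample addresses are assumptions for this example.

```python
import time
from collections import defaultdict, deque
from typing import Deque, Dict, Optional


class LoginThrottle:
    """Per-IP failed-login tracking with a temporary lockout.
    Thresholds are assumptions for this example; tune them to your traffic."""

    def __init__(self, max_failures: int = 5, window: float = 300, lockout: float = 900):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.failures: Dict[str, Deque[float]] = defaultdict(deque)  # ip -> failure timestamps
        self.locked_until: Dict[str, float] = {}

    def is_locked(self, ip: str, now: Optional[float] = None) -> bool:
        """Check this before running the password hash, so a locked-out IP costs you nothing."""
        now = time.time() if now is None else now
        until = self.locked_until.get(ip)
        if until is None:
            return False
        if now >= until:
            del self.locked_until[ip]
            self.failures.pop(ip, None)   # lockout served: start the IP with a clean window
            return False
        return True

    def record(self, ip: str, success: bool, now: Optional[float] = None) -> bool:
        """Call after every authentication attempt. Returns True if the IP is now locked out."""
        now = time.time() if now is None else now
        if success:
            self.failures.pop(ip, None)   # assumption: a good login clears the counter
            return False
        recent = self.failures[ip]
        recent.append(now)
        while recent and recent[0] <= now - self.window:
            recent.popleft()              # forget failures that fell out of the window
        if len(recent) >= self.max_failures:
            self.locked_until[ip] = now + self.lockout
            return True
        return False


if __name__ == "__main__":
    throttle = LoginThrottle(max_failures=3, window=60, lockout=120)
    attacker = "203.0.113.5"   # constructed sample address
    for attempt in range(4):
        if throttle.is_locked(attacker):
            print("attempt", attempt, "refused: locked out")
            continue
        locked = throttle.record(attacker, success=False)
        print("attempt", attempt, "failed; locked now:", locked)
```

Two caveats follow from keying on the IP: users behind one NAT share a counter, and an attacker with many addresses gets a fresh counter per address, so pair this with a per-account counter and with the 2FA described above. Behind a proxy, take the client address from the header your proxy sets and never from one the client can supply itself.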

Transport security

All traffic between your browser, the frontend (Vercel), and the backend (Render) is encrypted with TLS. HTTP connections are redirected to HTTPS. HSTS is enforced.

Data export

Export all your notes, folders, and tags as a JSON file at any time from Settings → Export data. Your data is always readable - no proprietary format, no lock-in.

Account deletion

Delete your account and every byte of associated data - notes, folders, tags, sessions, audit logs - permanently and immediately from Settings → Delete account. No waiting period, no soft delete.

What we do not do

  • No ads. No advertising network ever touches your data.
  • No analytics on your notes or note content.
  • No selling or sharing of your data with third parties.
  • No reading of your notes by us or anyone else.

Questions or concerns? omarhaji0002@gmail.com

Read our Privacy Policy for details on data storage and retention.
