Trust Center

Every claim we make, verifiable.

You shouldn't have to take our word for anything. This page is the single source of truth for who runs KeyVault Edge, how we handle your data, what we've shipped, and what we haven't yet.

Company

LEGAL ENTITY

KeyVault Edge

Early-stage technology company building API security infrastructure for developers. Registered details will be published before general availability.

FOUNDED

2026

KeyVault Edge is an early-stage product. We are transparent about that - this page will grow with the company, not pretend to be further along than we are.

TEAM

Small founding team with production security and edge-compute experience. Founder profiles will be published before paid accounts open to the general public.

Security commitments

Shipped items are live today. In-progress and planned items are on the near-term roadmap; we publish honest status rather than aspirational claims.

Threat model published

Shipped

Plain-English description of what we defend against, what we don't, and who the adversary is.

Responsible disclosure policy

Shipped

Clear scope, rules of engagement, and a single point of contact for security researchers.

security.txt (RFC 9116)

Shipped

Machine-readable security contact at /.well-known/security.txt.

Public incident log

Shipped

Append-only record of every security-relevant incident, with post-mortems where appropriate.

Security architecture

Shipped

Encryption flow, memory handling, TLS policy, employee access model, HSM key management, and audit logging - documented in full.

Transparency report & warrant canary

Shipped

Government data request log, warrant canary updated quarterly, and our policy for responding to law-enforcement demands.

Vendor security questionnaire

Shipped

Pre-filled answers to standard procurement security questions with links to primary sources for verification.

Privacy Policy & DPA

In progress

GDPR/CCPA-aligned privacy policy and a Data Processing Agreement available for every customer.

Open-source client crypto

Planned

The browser-side code that encrypts your API keys will be open-source and reproducibly built.

Bring-Your-Own-Proxy (BYOP)

Planned

Self-host the exact proxy we run, in your own Cloudflare/Fly/Vercel account, under a permissive licence.

Third-party penetration test

Planned

Independent security assessment. Summary report will be published here.

SOC 2 Type I

Planned

Independent audit of our security controls. Target: within 12 months of first paying customer.

Sub-processors

Third parties that touch customer data in any way. Changes to this list are published here; paid customers receive email notice before a new sub-processor becomes active.

Provider	Purpose	Data touched	Region
Cloudflare, Inc.	Edge proxy execution, DDoS protection, TLS termination.	Encrypted token metadata, request timestamps, aggregate latency.	Global (300+ PoPs)
Supabase Inc.	Authentication, managed PostgreSQL, row-level security.	Account identifiers, encrypted key envelopes, audit events.	EU (primary), US (read replica)
Vercel Inc.	Marketing website and docs hosting only.	Public, marketing-tier only. No customer secrets.	Global
Stripe, Inc.	Payment processing and subscription billing.	Billing contact, payment method metadata (tokenised by Stripe).	Global
Resend	Transactional email (account, billing, security alerts).	Email address, account notification content.	Global