Vendor Checklist

Pre-filled vendor security questionnaire.

If your procurement team needs a security questionnaire, this page answers the standard questions directly — no back-and-forth required. Each answer links to the primary source for verification.

23/37 questions answered Yes · Last updated: May 2026 · Questions? Email security@keyvaultedge.com
Yes: Fully implemented
No: Not applicable / No
Partial: Partial / In progress
Planned: On near-term roadmap
N/A: Not applicable

Company & service overview

Is the vendor a legal entity with a registered address?

Partial

KeyVault Edge is an early-stage technology company. Legal entity registration details will be published before general availability. Contact legal@keyvaultedge.com for current status.

Does the vendor carry cyber liability insurance?

Planned

Cyber liability insurance is on the pre-GA checklist. Coverage will be in place before paying customers are onboarded at scale.

Is the service available under an enterprise SLA?

Partial

Enterprise plan includes a 99.99% uptime SLA with financial remedies. Free and Pro plans are best-effort. Contact sales@keyvaultedge.com for enterprise SLA documentation.

Data classification & storage

Does the vendor store customer API keys in plaintext?

No

Never. Only AES-256-GCM ciphertext, a wrapped Data Encryption Key (DEK), and a 96-bit IV are stored. The real key cannot be recovered without an HSM unwrap operation.

Encryption flow

Does the vendor log request Authorization headers?

No

Worker logs record: token ID (not the key), upstream status code, byte counts, and latency. Authorization headers and request bodies are never logged.

Memory handling

Is data at rest encrypted?

Yes

All customer data is encrypted at rest in Supabase (PostgreSQL with encryption-at-rest). Key envelopes are additionally encrypted at the application layer with AES-256-GCM.

Is data in transit encrypted?

Yes

All public endpoints enforce TLS 1.3 only. HSTS is enabled with a 1-year max-age and includeSubDomains. Upstream connections to API providers enforce TLS 1.2+ with certificate verification.

TLS policy

Where is customer data stored geographically?

Yes

Primary data store: Supabase EU region. Read replica: US. Edge Worker execution is global (300+ Cloudflare PoPs) but processes data ephemerally — no data is written at the edge.

Encryption & key management

What encryption standard is used for customer secrets?

Yes

AES-256-GCM with a 96-bit randomly generated IV per key registration. Keys are generated using WebCrypto's CSPRNG in the customer's browser.

Are encryption keys stored separately from encrypted data?

Yes

Yes. The Key Encryption Key (KEK) lives in a cloud HSM (non-exportable). The wrapped DEK is stored in the database, separate from the ciphertext. No single-point compromise gives an attacker plaintext keys.

Key management

Does the vendor support customer-managed encryption keys (CMEK)?

Planned

Enterprise plan: customers can supply their own KEK via AWS KMS, GCP Cloud KMS, or Azure Key Vault. In CMEK mode, KeyVault Edge never holds the master key. Target availability: Q3 2026.

Is key rotation supported?

Yes

KEKs are rotated on a schedule or on demand. Rotation re-wraps all DEKs under the new KEK atomically — no window exists during which both old and new KEKs are simultaneously valid.

Access controls & identity

Can vendor employees access customer plaintext API keys?

No

No. The HSM enforces key usage policies that prevent any operator from extracting a KEK or performing a bulk decrypt. HSM access is audited. No employee has a credential sufficient to decrypt customer keys.

Employee access model

Is MFA required for production infrastructure access?

Yes

All production system access (Cloudflare console, Supabase dashboard, Stripe admin) is gated through Cloudflare Zero Trust with TOTP MFA required on every new session.

Is production access logged?

Yes

Access is logged at the application level (not just network level). Logs are retained and can be reviewed during a security audit.

Is database access protected by row-level security?

Yes

Supabase RLS is enforced. No employee query can return another customer's rows without an explicit RLS exception, which would be logged and alerted.

Are production deployments code-signed?

Yes

Workers are deployed from signed commits on the main branch only. A hash-pinned version is deployed. Any modification to the deployed code triggers an alert in Cloudflare's audit trail.

Incident response

Does the vendor have a published incident response plan?

Yes

Yes — the 7-step breach response playbook is published publicly, including timing commitments (T+15min customer notification, T+15min automatic token revocation, T+72hr post-mortem).

Breach response playbook

What is the customer notification SLA for a confirmed breach?

Yes

15 minutes. Affected customers are emailed within 15 minutes of a confirmed breach. Notification includes what happened, what data was exposed, what we've done, and what you should do.

Are tokens automatically revoked in a breach?

Yes

Yes. All tokens involved in an incident are automatically revoked at the moment the breach is confirmed. No manual step is required.

Is there a public incident log?

Yes

Yes — append-only. All security-relevant incidents are documented publicly with post-mortems.

Incident log

Does the vendor provide billing credits for breach periods?

Yes

Yes. Any customer whose tokens were compromised in a confirmed breach receives a full billing credit for the affected period.

Vulnerability management

Is there a responsible disclosure programme?

Yes

Yes — scope, rules of engagement, and disclosure timeline are published. Researchers can report to security@keyvaultedge.com.

Disclosure policy

Is security.txt published per RFC 9116?

Yes

Yes — available at /.well-known/security.txt with Contact, Expires, Policy, Acknowledgments, and Preferred-Languages fields.

security.txt

Has the vendor completed a third-party penetration test?

Planned

Scheduled prior to general availability. Summary report will be published on the Trust Center.

Does the vendor have a threat model?

Yes

Yes — plain-English threat model is publicly available, covering defender objectives, adversary profiles, attack surface, and explicit out-of-scope scenarios.

Threat model

Compliance & certifications

Is the vendor SOC 2 certified?

Planned

SOC 2 Type I is targeted within 12 months of first paying customer. SOC 2 Type II to follow. Report will be available under NDA on request.

Is the vendor GDPR compliant?

Partial

Data is stored in the EU (primary). Privacy Policy and Data Processing Agreement (DPA) are in progress. Contact privacy@keyvaultedge.com to discuss your specific requirements.

Is a Data Processing Agreement (DPA) available?

Partial

DPA is in preparation. Available for Enterprise customers on request. Email legal@keyvaultedge.com.

Is the vendor CCPA compliant?

Partial

KeyVault Edge does not sell personal data. CCPA notices will be included in the Privacy Policy update currently in progress.

Sub-processors & supply chain

Is a sub-processor list publicly available?

Yes

Yes — the full list of third parties that touch customer data is published on the Trust Center, including data touched and region.

Sub-processor list

Are customers notified before new sub-processors are added?

Yes

Paid customers receive email notification before any new sub-processor becomes active.

Is Cloudflare used as the edge runtime?

Yes

Yes — Cloudflare Workers is the execution environment for the edge proxy. Cloudflare's security posture and compliance certifications (ISO 27001, SOC 2, PCI DSS Level 1) are relevant to your assessment.

Business continuity & availability

Does the vendor have a Business Continuity Plan (BCP)?

Partial

Cloudflare Workers provides inherent geographic redundancy across 300+ PoPs. Formal BCP documentation is in progress for Enterprise plan customers.

What is the Recovery Time Objective (RTO) for the proxy?

Yes

Cloudflare Worker deployments can be rolled back to a known-good hash in under two minutes. Cloudflare's own infrastructure has RTO of seconds for individual PoP failures.

Is there a public status page?

Planned

Status page at status.keyvaultedge.com is on the near-term roadmap, backed by an independent uptime monitoring provider.

What is the target uptime SLA?

Yes

Enterprise: 99.99% uptime. Pro: 99.9%. Free: best-effort. SLA is measured on the edge proxy data plane only, not the dashboard.

Need something not covered here?

Enterprise procurement evaluations often require custom documentation. We respond to security@keyvaultedge.com within one business day.