Security

How SafeLayer is built to protect your data at every layer.

Vault Encryption

Vault secrets are encrypted with AES-256-GCM using envelope encryption. Each secret has its own unique data encryption key (DEK). The DEK is itself encrypted with a master key. An attacker who breaches the database but does not have the master key cannot decrypt your secrets.
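
The envelope scheme described above, sketched with Node's built-in crypto module. This is an added example, not SafeLayer's own code. It assumes the DEK is also wrapped with AES-256-GCM and that the secret id is bound in as associated data; the function names and row fields are hypothetical.

```javascript
const nodeCrypto = require('node:crypto');

// AES-256-GCM encrypt. aad ties the ciphertext to its context (assumed: the secret id).
function seal(key, plaintext, aad) {
  const iv = nodeCrypto.randomBytes(12); // fresh 96-bit nonce for every encryption
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(aad);
  const ct = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return { iv, ct, tag: cipher.getAuthTag() };
}

// AES-256-GCM decrypt. final() throws if the key, aad, ciphertext or tag is wrong.
function unseal(key, box, aad) {
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, box.iv);
  decipher.setAAD(aad);
  decipher.setAuthTag(box.tag);
  return Buffer.concat([decipher.update(box.ct), decipher.final()]);
}

// Envelope step: a new DEK per secret encrypts the value; the master key only wraps the DEK.
function encryptSecret(masterKey, secretId, value) {
  const dek = nodeCrypto.randomBytes(32);
  const aad = Buffer.from(secretId, 'utf8');
  const row = {
    id: secretId,
    data: seal(dek, Buffer.from(value, 'utf8'), aad),
    wrappedDek: seal(masterKey, dek, aad),
  };
  dek.fill(0); // drop the plaintext DEK once it has been wrapped
  return row; // everything in row is safe to store in the database
}

function decryptSecret(masterKey, row) {
  const aad = Buffer.from(row.id, 'utf8');
  const dek = unseal(masterKey, row.wrappedDek, aad);
  try { return unseal(dek, row.data, aad).toString('utf8'); } finally { dek.fill(0); }
}

// True when the stored row cannot be decrypted with the given key.
function failsToDecrypt(masterKey, row) {
  try { decryptSecret(masterKey, row); return false; } catch { return true; }
}

// Constructed sample data (not real keys or secrets).
const masterKey = nodeCrypto.randomBytes(32);
const rowA = encryptSecret(masterKey, 'secret-a', 'constructed-api-key-value');
const rowB = encryptSecret(masterKey, 'secret-b', 'constructed-api-key-value');
```

Because each row carries its own wrapped DEK, rotating the master key only requires re-wrapping the DEKs, not re-encrypting the secret values.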

Extension Privacy

The extension never sends raw clipboard content to our servers. When a key-like paste is detected, only a redacted preview (first 4 + last 4 characters), provider guess, confidence score, and domain are stored. Extension pairing tokens are hashed with SHA-256 before storage — the raw token is displayed once and never retained.

Database Security

All private data is protected by Supabase Row Level Security (RLS). Users can only read and write their own data. Team members can only access their team's data. The service role key is never exposed to the browser.

API Security

All API routes validate inputs with Zod. Auth is required for all private routes. Stripe webhooks verify signatures before processing. Plan limits are enforced server-side, not just in the UI.