Trust Center

Security & Encryption Model

Last updated: June 2026

We design FadeKey to protect sensitive developer credentials and passwords. With a zero-knowledge architecture, the server only ever holds ciphertext and never the key needed to read it.

Encryption: AES-GCM-256
Infrastructure: AWS (US Region)
Retention: Ephemeral (Wiped)
Incident SLA: 72h Notification

Zero-Knowledge Encryption Model

FadeKey uses client-side encryption. All encryption and decryption operations happen locally in your web browser or CI environment using the Web Crypto API (AES-GCM-256). The decryption key is generated locally and appended to the URL fragment (the part after the '#' symbol). Because browsers never transmit the fragment to the server, the server stores only the encrypted ciphertext and has no mathematical way to read your secrets.

Data Retention & Wiping

Secrets are stored temporarily in Redis. Once a secret is viewed and reaches its limit, or once its Time-To-Live (TTL) expires, the ciphertext is permanently deleted. To ensure absolute destruction, we do not perform backups of transient secrets. Once deleted, they are gone from memory and cannot be recovered.

Cloud Infrastructure & Hosting

FadeKey Cloud is hosted on enterprise-grade cloud infrastructure (AWS) located in the United States. All connections are encrypted via TLS 1.3 in transit. Our database architecture isolates relational user data (audit logs, user logins on Postgres) from ephemeral secret stores (Redis in-memory cache). Our cloud platform relies on AWS's 99.9% uptime SLA and managed security protocols.

Incident Response & Notification

In the event of a confirmed security incident affecting FadeKey Cloud services or databases, we will notify affected customers via email within 72 hours. Our incident response team conducts root-cause analysis and deploys patches immediately.

Responsible Disclosure Program

We welcome reports from security researchers. If you identify a vulnerability, please report it privately to security@fadekey.app. We commit to acknowledging reports within 24 hours and addressing validated issues within 30 days. We ask that you do not disclose issues publicly until we have resolved them.

Self-Hosting Security Disclaimer

FadeKey is open-source and can be self-hosted. When running a self-hosted instance, you are entirely responsible for your own security configuration, server maintenance, SSL/TLS certificates, Redis and Postgres configuration, and access controls. FadeKey does not monitor self-hosted installations and accepts no liability or responsibility for security breaches, data loss, or misconfigurations on self-hosted instances.