Protecting customer
In the wrong hands, third-party access keys can expose your customers to data loss and damages.
Problem
Traditional secrets managers weren't designed for storing customer keys!
KMS, SSM and encrypted columns won't keep your keys safe against attackers, employees, bugs and backups. They were designed for storing production secrets and enable attackers to steal customer secrets from compromised web apps. They cost a lot, too.
Does your threat model Assume Breach?
Our solution is secure by design and keeps customer secrets protected, even in the event of a breach, by leveraging HSM-like isolation and zero-trust primitives.
Solution
Piiano Vault: The most secure way to store and use customer keys
Vault is a data protection software service designed for developers and AppSec teams to manage and protect customer keys and data in applications.
Benefits
Derisk
Eliminate the exposure of your keys.
Vault
Leverage pre-built infrastructure.
Time
Save development resources.
Pricing
Pay affordable prices.
How it works
Designed by security experts to mitigate key dumping
Audit
Key activity is recorded, so you always know what's happening.
Encrypt
Keys are stored using strong encryption and anti-tampering technology.
Secure by design
Keys can be accessed in your web app using JWT verification.
Vault the keys
Keys are secured against mass dumping by using Vault's granular access controls.
Protect keys in use
Keys remain protected by our API proxy, without exposing them further to web apps.
Reduce key exposure
Keys can be collected securely and used one-way to access services, minimizing web app scope.
Secure key usage lifecycle
Securely collect and use keys however you want
Vault provides security primitives to reduce exposure.
Choose to collect keys to Vault first or to your back end. Use our API proxy to make secure API requests to third-party services.
Collect keys securely
Use Vault's secure, client-side APIs to collect and store keys directly in Vault.
Access services securely
Use Vault's API proxy to inject customer keys into API requests to access third-party services.
Refresh tokens
Use Vault's API proxy to enroll a short-lived refresh key, and never expose the access key itself.
Feature comparison
strategies
in DB
managers
vault
User-friendly interface (e.g. APIs) for accessing the secrets.
Supports high volumes of requests efficiently.
Cost-effectively supports a large volume of secrets.
Ensures secrets are encrypted and protected.
Transparent and secure management of encryption keys and rotations.
Comprehensive logs detailing who accessed what data, when, and why.
Quickly restores services and data after disruptions.
Unified governance over secrets across systems and applications.
Ability to easily define access on a need-only basis with precise granularity.
Allows partial data access, such as revealing only the last few digits.
Automatically purges unnecessary data to uphold data minimization principles.
Prevents accidental usage of other users’ secrets.
Supports retention periods, right-to-be-forgotten requests, etc.
Understands and logs the reason for secret access.
Ensures that secrets are never exposed.