Security Model
VaultStream's security model is built on zero-knowledge encryption combined with per-session access control. This document summarizes the cryptographic guarantees and their operational implications.
Core Guarantees
- CYFR cannot access plaintext content — All content is encrypted client-side before upload. Encryption keys are generated and held by the customer. CYFR infrastructure stores only ciphertext.
- Per-session key isolation — Every playback session negotiates a unique key. Compromise of one session's key does not compromise any other session or the underlying content key.
- Revocation is cryptographic, not administrative — When access is revoked, the key server stops issuing decryption keys. Existing sessions expire within 60 seconds. There is no "eventual consistency" window.
- Immutability of audit records — All access events are logged to an append-only ledger. Records cannot be modified or deleted. Tampering is detectable.
Encryption Chain
Content Key (AES-128)
↓ wrapped with
Session Key (per-viewer)
↓ delivered via
Signed URL (temporary, non-reusable)
↓ authorized by
JWT / API Token (revocable)
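The lower two links of this chain (signed URL, revocable token) and the revocation guarantee above can be pictured as a gate in front of key issuance. The following is an added sketch, not CYFR's code: the HMAC scheme, the field names, and the `KeyGate` class are assumptions made for illustration, since the page does not specify VaultStream's actual mechanisms.

```python
import hashlib
import hmac
import json
import time

URL_SIGNING_KEY = b"constructed-demo-key"  # constructed sample secret
SESSION_TTL = 60  # seconds, mirroring the page's 60-second expiry


class KeyGate:
    """Hypothetical key-server gate deciding whether to release a session key."""

    def __init__(self, signing_key, now=time.time):
        self._key = signing_key
        self._now = now                # injectable clock for testing
        self._used_nonces = set()      # "non-reusable"; a shared store in production
        self._revoked_tokens = set()   # "revocable"

    def _mac(self, url):
        # JSON-encode a list so field boundaries are unambiguous
        fields = [url["content_id"], url["token_id"], url["nonce"], url["expires"]]
        return hmac.new(self._key, json.dumps(fields).encode(), hashlib.sha256).hexdigest()

    def sign(self, content_id, token_id, nonce):
        url = {"content_id": content_id, "token_id": token_id, "nonce": nonce,
               "expires": int(self._now()) + SESSION_TTL}
        url["sig"] = self._mac(url)
        return url

    def revoke(self, token_id):
        self._revoked_tokens.add(token_id)

    def authorize(self, url):
        """Return "ok" or the reason the key request is refused."""
        sig = str(url.get("sig", "")).encode()
        if not hmac.compare_digest(self._mac(url).encode(), sig):
            return "bad-signature"
        if self._now() >= url["expires"]:
            return "expired"
        if url["token_id"] in self._revoked_tokens:
            return "revoked"       # checked on every request, not cached
        if url["nonce"] in self._used_nonces:
            return "replayed"
        self._used_nonces.add(url["nonce"])
        return "ok"
```

Because the revocation set is consulted on every key request, a revoked token is refused immediately, and a session that already holds a key loses access when that key's lifetime ends.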
What We Can Produce Under Subpoena
Because of the zero-knowledge architecture, CYFR can produce:
- Account metadata (creation date, email, billing records)
- Access logs (timestamps, IP addresses, content references)
- Encrypted content (ciphertext — not useful without customer keys)
CYFR cannot produce:
- Plaintext content
- Decryption keys
- Information about content we have never seen unencrypted
See our DMCA Policy for the legal framework.