Security Model

VaultStream's security model is built on zero-knowledge encryption combined with per-session access control. This document summarizes the cryptographic guarantees and their operational implications.

Core Guarantees

  1. CYFR cannot access plaintext content — All content is encrypted client-side before upload. Encryption keys are generated and held by the customer. CYFR infrastructure stores only ciphertext.

  2. Per-session key isolation — Every playback session negotiates a unique key. Compromise of one session's key does not compromise any other session or the underlying content key.

  3. Revocation is cryptographic, not administrative — When access is revoked, the key server stops issuing decryption keys. Existing sessions expire within 60 seconds. There is no "eventual consistency" window.

  4. Immutability of audit records — All access events are logged to an append-only ledger. Records cannot be modified or deleted. Tampering is detectable.

Encryption Chain

Content Key (AES-128)
    ↓ wrapped with
Session Key (per-viewer)
    ↓ delivered via
Signed URL (temporary, non-reusable)
    ↓ authorized by
JWT / API Token (revocable)
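The "wrapped with" step of the chain above, written out as an added example that is not VaultStream's or CYFR's code: the content key is wrapped under each viewer's session key with AES-GCM, so a wrapped copy delivered to one session cannot be opened with any other session's key, and a wrong key fails authentication instead of yielding garbage. The use of AES-GCM as the wrapping primitive, the function names and the nonce-prepended layout are assumptions; the page only states that the content key is wrapped with the session key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// sessionAEAD builds an AES-GCM instance from a per-viewer session key.
// AES-GCM is an assumption here: the page only says the content key is
// "wrapped with" the session key, not which AEAD or key-wrap mode is used.
func sessionAEAD(sessionKey []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(sessionKey) // 16-byte key selects AES-128
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// wrapContentKey encrypts the AES-128 content key under one session's key.
// Each call draws a fresh random nonce, so two sessions (or two wraps for
// the same session) never share ciphertext. Layout: nonce || ciphertext || tag.
func wrapContentKey(sessionKey, contentKey []byte) ([]byte, error) {
	aead, err := sessionAEAD(sessionKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, contentKey, nil), nil
}

// unwrapContentKey reverses wrapContentKey. A key from any other session
// fails the GCM tag check, so it returns an error rather than a wrong key.
func unwrapContentKey(sessionKey, wrapped []byte) ([]byte, error) {
	aead, err := sessionAEAD(sessionKey)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(wrapped) < ns {
		return nil, errors.New("wrapped key too short to contain a nonce")
	}
	return aead.Open(nil, wrapped[:ns], wrapped[ns:], nil)
}
```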

What We Can Produce Under Subpoena

Because of the zero-knowledge architecture, the only material CYFR can produce is:

  • Account metadata (creation date, email, billing records)
  • Access logs (timestamps, IP addresses, content references)
  • Encrypted content (ciphertext — not useful without customer keys)

CYFR cannot produce:

  • Plaintext content
  • Decryption keys
  • Information about content we have never seen unencrypted

See our DMCA Policy for the legal framework.