Privacy Model
Privacy and security are distinct but deeply connected. ZeroAuth operates on the strict architectural constraint that metadata—including the identity of services you authenticate against—is sensitive information that must be protected.
01. Privacy Boundaries
Our architectural isolation model maps the local trust boundaries where raw secret keys are processed and stored.
Local Sandbox
Secrets and metadata kept strictly on your local device storage and ephemeral RAM.
Vault Seeds (TOTP / Passkeys)
Decrypted raw seed files exist strictly in ephemeral volatile memory (RAM) and are scrubbed immediately after code calculations.
Credential Metadata
Account descriptions, usernames, and organization tags are encrypted locally using AES-256 before writing to storage.
Cryptographic Keys
Encryption keys are derived from master passwords and PINs and locked inside the device's hardware Secure Enclave.
Egress Barrier
Strict rules verifying that telemetry data is never harvested and network transmission is blocked.
App Usage & Telemetry
Zero telemetry endpoints integrated. The application does not contain SDKs like Firebase Analytics or Mixpanel.
Device & Identity Profiling
We never request location parameters, hardware identifiers, or network configuration details.
Network Egress
Authentication parameters are calculated offline. Zero network packets are sent during standard operations.
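The offline calculation described above can be checked with a small harness. This is an added example, not ZeroAuth's own code: it computes a standard RFC 6238 TOTP code from a seed and the local clock while a guard rejects any attempt to open a socket. The names `no_network`, `totp`, `offline_code` and `SAMPLE_SEED` are hypothetical, and the seed is the public RFC 6238 test value, not a real credential.

```python
import base64
import hashlib
import hmac
import socket
import struct
from contextlib import contextmanager

@contextmanager
def no_network():
    """Egress guard: fail loudly if code inside the block creates a socket."""
    real_socket = socket.socket
    def blocked(*args, **kwargs):
        raise RuntimeError("network egress attempted during offline operation")
    socket.socket = blocked
    try:
        yield
    finally:
        socket.socket = real_socket  # always restore the real constructor

def totp(seed_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1). Inputs are only the seed and a timestamp."""
    key = bytearray(base64.b32decode(seed_b32.upper()))
    try:
        counter = struct.pack(">Q", unix_time // step)   # 8-byte time counter
        mac = hmac.new(key, counter, hashlib.sha1).digest()
        offset = mac[-1] & 0x0F                          # dynamic truncation (RFC 4226)
        value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
        return str(value % 10 ** digits).zfill(digits)
    finally:
        # Best-effort scrub of this copy of the seed; the Python runtime
        # may still hold other copies, so this is illustrative only.
        for i in range(len(key)):
            key[i] = 0

def offline_code(seed_b32: str, unix_time: int, digits: int = 6) -> str:
    """Compute a code with the egress guard active."""
    with no_network():
        return totp(seed_b32, unix_time, digits=digits)

# Constructed sample: the RFC 6238 test seed "12345678901234567890" in Base32.
SAMPLE_SEED = base64.b32encode(b"12345678901234567890").decode()

if __name__ == "__main__":
    print(offline_code(SAMPLE_SEED, 59))
```

The guard only covers sockets created through Python's `socket` module in the same process, so it complements rather than replaces a packet capture or OS-level firewall check.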
02. Operational Privacy
Our architectural designs eliminate dependency on persistent cloud connections, protecting your device lifecycle and user habits. Below is our formal operational routing.
| Concept | Implementation Details | Privacy Advantage |
|---|---|---|
| Offline Operation (100% OFFLINE) | Performs all credential parsing, OTP calculations, and UI operations entirely on the local device without outbound socket requests. | Completely removes the network vector, preventing passive sniffing of authentication activities by ISPs, network nodes, or remote servers. |
| Backup Transport (USER-TRIGGERED) | Vault data is encrypted locally with AES-256-GCM prior to being exported. Transfers are user-triggered and contain no unencrypted tokens. | Ensures that cloud-storage providers or third parties holding the backup file have zero plaintext visibility to your credential seeds. |
03. Enterprise Isolation
Sovereignty
Enterprise alignment with GDPR, HIPAA, and data sovereignty compliance guidelines.
GDPR, HIPAA, and Sovereignty Compliance
For organizations enforcing strict boundaries against outbound data egress, ZeroAuth provides perfect deployment isolation. The application operates in air-gapped zones without requiring external validation servers or third-party check-ins.
This local-first architecture satisfies compliance policies out-of-the-box, as metadata, user identities, and secrets never exit the enterprise-managed hardware boundary.
Privacy Advisory: Encryption Passphrases
Although ZeroAuth guarantees that backup files are fully encrypted before egressing your device, their ultimate privacy remains bound to the strength of your backup passphrase. A weak passphrase reduces the brute-force cost of decrypting the vault if the backup file is intercepted in a compromise of your cloud storage provider.
