Our security model

An overview of how Privacy Guardian protects your data today—from end-to-end encryption to breach monitoring and passkeys. This page focuses on the mechanisms currently in the product, not future roadmaps or third-party certifications.

Architecture at a glance

The diagram below shows how your devices, the browser extension, our API, and the database fit together in the end-to-end encryption model. Encryption and decryption always happen on your devices before anything reaches our servers.

Tip: keep a copy of this diagram in internal docs to help teammates understand how Privacy Guardian's end-to-end encryption and zero-knowledge storage work.

Zero-knowledge design

Privacy Guardian is built as a zero-knowledge password manager. Your vault data is encrypted on your device before it is sent to our servers. The backend stores only ciphertext plus non-sensitive metadata (titles, folder IDs, timestamps).

  • Client-side encryption: Encryption happens in the browser and extension, not on the server.
  • No master password on the server: We never receive or store your master password or derived vault key.
  • Encrypted at rest: Database rows for passwords, notes, WiFi keys, and OTP secrets contain only encrypted values.

For a technical deep dive, see our technical documentation.

End-to-end encryption

Vault data is end-to-end encrypted using a key derived from your master password. The key is created on your device and kept in memory only for as long as your vault is unlocked.

  • Key derivation: The client derives an encryption key using PBKDF2-HMAC-SHA-256 with a unique per-user salt and a high iteration count, making offline guessing significantly harder.
  • Content encryption: Sensitive fields are encrypted with AES-256-GCM, using a fresh random IV (nonce) for every encryption operation.
  • Integrity: AES-GCM provides an authentication tag; if ciphertext is modified, decryption fails instead of silently producing bad data.
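
The three steps above as an added example (not Privacy Guardian's code), using Node's built-in crypto module as a stand-in for the browser client. The iteration count, the 16-byte salt and the iv | tag | ciphertext record layout are assumptions, since this page does not specify them.

```javascript
const { pbkdf2Sync, randomBytes, createCipheriv, createDecipheriv } = require("node:crypto");

const ITERATIONS = 600000; // assumed value; the page only says "high iteration count"
const IV_LEN = 12;         // 96-bit nonce, the standard size for GCM
const TAG_LEN = 16;        // 128-bit authentication tag

// PBKDF2-HMAC-SHA-256 -> 32-byte key for AES-256. The salt is unique per user.
function deriveVaultKey(masterPassword, salt) {
  return pbkdf2Sync(masterPassword, salt, ITERATIONS, 32, "sha256");
}

// Encrypt one field with a fresh random IV per call, so equal plaintexts give different records.
function encryptField(key, plaintext) {
  const iv = randomBytes(IV_LEN);
  const cipher = createCipheriv("aes-256-gcm", key, iv);
  const ct = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ct]); // assumed layout: iv | tag | ciphertext
}

// Decrypt one record. Returns null when the tag does not verify (modified
// ciphertext or wrong key) instead of returning unauthenticated plaintext.
function decryptField(key, record) {
  if (record.length < IV_LEN + TAG_LEN) return null;
  const iv = record.subarray(0, IV_LEN);
  const tag = record.subarray(IV_LEN, IV_LEN + TAG_LEN);
  const ct = record.subarray(IV_LEN + TAG_LEN);
  const decipher = createDecipheriv("aes-256-gcm", key, iv, { authTagLength: TAG_LEN });
  decipher.setAuthTag(tag);
  try {
    return Buffer.concat([decipher.update(ct), decipher.final()]).toString("utf8");
  } catch {
    return null; // final() throws when authentication fails
  }
}

// Demo on constructed values: round trip, one flipped bit, wrong password, IV freshness.
function demo() {
  const salt = randomBytes(16); // assumed salt size
  const key = deriveVaultKey("correct horse battery staple", salt);
  const record = encryptField(key, "hunter2-wifi-key");
  const tampered = Buffer.from(record);
  tampered[tampered.length - 1] ^= 0x01; // flip one ciphertext bit
  return {
    roundTrip: decryptField(key, record),
    tampered: decryptField(key, tampered),
    wrongPassword: decryptField(deriveVaultKey("wrong password", salt), record),
    freshIv: !encryptField(key, "x").equals(encryptField(key, "x")),
  };
}
```

In this sketch the server would hold only the salt and the returned record; the derived key never leaves the function that unlocked the vault.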

Account & sign-in security

On top of encryption, Privacy Guardian includes features that help you keep accounts safe when you actually sign in to websites and apps.

  • Strong password generation: Built-in generator creates long, random passwords and stores them directly in your vault.
  • Overwatch security dashboard: Shows your overall security score, flags weak and reused passwords, and highlights sites where you can enable 2FA or passkeys.
  • Built-in MFA / TOTP: Store and generate one-time codes alongside your passwords so you can use multi-factor authentication wherever it's available.
  • Passkeys support: Save and manage passkeys so you can move away from passwords entirely on supported sites.

Breach monitoring & weak password detection

Privacy Guardian helps you understand where your credentials may already be exposed and where your passwords are too weak or reused.

  • Breach checks: We integrate with public breach data sources to flag known compromised credentials and prompt you to change passwords.
  • Password strength scoring: Each password gets a complexity score so you can quickly spot weak logins.
  • Reuse detection: We use one-way hashes to detect when the same password is used across multiple sites without storing the plaintext password.

Browser extension & autofill

The Privacy Guardian browser extension brings your vault to Safari and Chrome so you can fill passwords securely without retyping them.

  • Local unlocking: You unlock the extension with your master password or device biometrics; the decryption key lives only in the extension's memory.
  • Safe autofill: The extension fills credentials only on the sites that match the URL you saved, helping to protect against phishing pages.
  • No keystroke tracking: The extension only interacts with login forms when you explicitly ask it to save or fill a login.

What we do not claim (yet)

Today, Privacy Guardian does not advertise formal security certifications or third-party penetration test reports. This page describes the protections that are implemented in the product now, not aspirational features.

  • No SOC 2, ISO 27001, or similar certifications are claimed.
  • No public bug bounty or external audit program is currently in place.