Security Architecture

Zero-knowledge is not a policy — it is a property of the system. CYFR's architecture ensures we have no technical ability to access, inspect, or decrypt customer data.

Encryption

All data is encrypted with AES-256-GCM before it leaves the client environment. Encryption keys are generated and held exclusively by the customer. CYFR servers never possess plaintext keys or unencrypted data.

Key Management

Key ceremonies are performed in the customer's environment using hardware security modules. Our infrastructure facilitates key operations without ever storing key material. Key rotation is automated and customer-controlled.

Data in Transit

TLS 1.3 with perfect forward secrecy protects all data in transit. Each session negotiates ephemeral keys independently. Compromise of one session does not compromise any other.

Authentication & Multi-Factor Security

All CYFR products support multi-factor authentication. Every user account — whether an enterprise administrator, an MSP partner, or an end viewer accessing shared content — can be protected by multiple authentication factors. We support the full range of modern second-factor strategies, from software-based TOTP to hardware security keys.

TOTP (Time-Based One-Time Passwords)

Standard RFC 6238 TOTP with 6-digit codes and 30-second windows. Compatible with Google Authenticator, Authy, 1Password, Bitwarden, and any standards-compliant authenticator application. TOTP secrets are generated per-user and stored encrypted at rest. Users can enroll multiple authenticator devices. Recovery codes are provided during enrollment — single-use, 10 codes per enrollment.

FIDO2 / WebAuthn Security Keys

Hardware-backed authentication using FIDO2 and WebAuthn standards. Support for YubiKey 5 Series, YubiKey Bio, Google Titan, Feitian, and any FIDO2-certified security key. U2F backward compatibility for older keys. Resident key (discoverable credential) support for passwordless login workflows. Enterprise attestation for managed key deployments.

YubiKey OTP & PIV

YubiKey OTP mode for one-touch second-factor authentication — plug the key, tap the button, and a one-time code is sent and validated against YubiCloud or an on-premises validation server. PIV (Personal Identity Verification) smart card mode for organizations using YubiKeys as employee identity tokens with X.509 certificates.

Passkeys

FIDO2 multi-device credentials (passkeys) for passwordless authentication. Sync across devices via platform keychains (iCloud Keychain, Google Password Manager). Phishing-resistant by design — credentials are bound to the originating domain. Biometric user verification (Touch ID, Face ID, Windows Hello) required for each authentication.

Enforcement Policies

Organizations can configure granular MFA policies:

Recovery & Backup

Per-Session Access Architecture

Every file access generates a unique, cryptographically signed URL tied to the authenticated user's session. This enables precise access auditing, granular revocation, and anomaly detection — without exposing customer data to CYFR. These URLs embed a non-reversible session identifier.

Access Auditing

Immutable append-only logs record every access event. Organizations receive weekly audit summaries. All logs are customer-accessible via API and SIEM integration.

Revocation

Individual URLs can be revoked in real time. Bulk revocation by user, time window, or content identifier. Revocation takes effect within 60 seconds globally.

Anomaly Detection

Automated monitoring detects unusual access patterns — geographic anomalies, velocity spikes, and credential sharing. Alerts configurable per organization.

Compliance & Auditing

Infrastructure Security

Layer Control Detail
Physical Tier III+ data centers Biometric access, 24/7 guards, redundant power and cooling
Network DDoS protection, WAF, IDS/IPS Multi-layer filtering, rate limiting, threat intelligence feeds
Host Hardened Linux, SELinux enforcing Immutable infrastructure, automated patching, kernel hardening
Application OWASP Top 10 mitigation SAST/DAST in CI/CD, dependency scanning, manual code review
Data Customer-siloed, encrypted at rest Per-customer encryption keys, no shared storage tenancy

Report a Security Issue

If you believe you have discovered a vulnerability, contact security@cyfr.technology. We participate in responsible disclosure and respond within 48 hours.

Documentation: docs.cyfr.technology  ·  Compliance: compliance overview  ·  Try the demos: Vault · VaultStream