sept

Security

Sept was built on three pillars: performance, privacy, and security.

  • We provision a unique application for each account: the subdomain, database instance, and encryption keys are per-customer. The subdomain received as part of your subscription is unique to your account.
  • All traffic is encrypted end-to-end and protected by Cloudflare®.
  • The connection between the CLI and the server is made over TLS.
  • All the information that travels between the CLI and the server is also encrypted at different levels.
  • Sept only knows users by their public keys and has no other information with which to recover, restore or reset access for a user who has lost their private keys.
  • Manifests (groups of variables) are simple UUID references. Sept does not know if one manifest represents a staging or production environment of your application.
  • Both manifests and public keys are used to build a Role-Based Access Control solution that allows supervisors, editors and viewers to access secrets stored in different manifests.
  • Sept only has access to the names of the keys in each key/value pair, as these are used for quick key lookups. It has no mechanism to access their associated values.
  • All values in each key/value pair are encrypted client-side: when a user creates, updates or deletes a key/value pair, the value is encrypted for each of the users with access to the associated manifest. Sept has no means of decrypting those values.
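
An added sketch of what "encrypted for each of the users with access to the associated manifest" can look like from the client's side. It is not Sept's code: the hybrid scheme (an AES-256-GCM data key wrapped with RSA-OAEP for each reader), the record fields and the function names are assumptions made for illustration.

```javascript
// Added illustration, not Sept's implementation. Algorithms and names are assumptions.
const nodeCrypto = require('node:crypto');
const OAEP = { padding: nodeCrypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// The server identifies a user only by (a hash of) their public key.
function fingerprint(publicKey) {
  const der = publicKey.export({ type: 'spki', format: 'der' });
  return nodeCrypto.createHash('sha256').update(der).digest('hex');
}

// Client side: encrypt the value once, then wrap the data key for every reader.
function sealValue(name, value, readerPublicKeys) {
  const dataKey = nodeCrypto.randomBytes(32);
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', dataKey, iv);
  cipher.setAAD(Buffer.from(name, 'utf8')); // bind the ciphertext to its key name
  const ciphertext = Buffer.concat([cipher.update(value, 'utf8'), cipher.final()]);
  const wrappedKeys = {};
  for (const pub of readerPublicKeys) {
    wrappedKeys[fingerprint(pub)] = nodeCrypto.publicEncrypt({ key: pub, ...OAEP }, dataKey);
  }
  // Everything returned here is what a server would store: the name is in clear, the value is not.
  return { name, iv, ciphertext, tag: cipher.getAuthTag(), wrappedKeys };
}

// Client side: unwrap this user's copy of the data key, then decrypt and authenticate.
function openValue(record, publicKey, privateKey) {
  const wrapped = record.wrappedKeys[fingerprint(publicKey)];
  if (!wrapped) throw new Error('no access: value was not encrypted for this key');
  const dataKey = nodeCrypto.privateDecrypt({ key: privateKey, ...OAEP }, wrapped);
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', dataKey, record.iv);
  decipher.setAAD(Buffer.from(record.name, 'utf8'));
  decipher.setAuthTag(record.tag);
  return Buffer.concat([decipher.update(record.ciphertext), decipher.final()]).toString('utf8');
}

// Constructed sample: two users with access to the manifest, one without.
function demo() {
  const newUser = () => nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const [alice, bob, outsider] = [newUser(), newUser(), newUser()];
  const record = sealValue('DATABASE_URL', 'postgres://constructed-sample', [alice.publicKey, bob.publicKey]);
  let outsiderResult = 'decrypted';
  try { openValue(record, outsider.publicKey, outsider.privateKey); } catch (e) { outsiderResult = 'denied'; }
  return {
    alice: openValue(record, alice.publicKey, alice.privateKey),
    bob: openValue(record, bob.publicKey, bob.privateKey),
    outsider: outsiderResult,
    plaintextInStoredRecord: record.ciphertext.includes('postgres'),
  };
}
```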

Make sure you read our Privacy Policy.