Security

Private finance records need protection without pretending MyVaultOS holds the money.

MyVaultOS is non-custodial software. Users and selected providers execute money movement, while MyVaultOS protects the workspace records that support payment files, approvals, evidence, funding packs, protected instruments and exports.

Custody model: No customer funds or seed phrases held
Storage model: Targeted encryption at rest for sensitive workflow records
Access model: Authenticated workspace access with scoped records
Support: [email protected]

Non-custodial by design

MyVaultOS records payment files, approvals, evidence and provider references. It does not hold customer funds, seed phrases, private keys or recovery words.

Encryption at rest

Sensitive workflow records are encrypted before storage, including funding request packs, protected-instrument workflows and letter-of-credit workflow records.

Per-organisation key separation

Sensitive workspace metadata is encrypted with organisation-scoped data keys derived from the service encryption key, so workspaces are separated at the encryption layer.

Search-safe summaries

Operational routing fields and count summaries stay separate from encrypted records so the workspace can still search, reconcile and export without exposing full sensitive payloads in plain storage.

Role and support controls

Workspace access, support activity and connected-agent credentials are scoped and logged. Support will not request wallet recovery material or provider passwords.

Provider separation

Third-party payment, wallet, card, funding, KYC/KYB and cash-out providers operate under their own security controls, terms and support processes.

Encrypted recordsWorkflow payloads, not every index

Sensitive workflow arrays are encrypted before database storage. Plain indexes are kept narrow so the app can still route files and show counts.

App accessDecrypted after sign-in

Authorised API reads decrypt the relevant records so users can review, export and reconcile their own workspace data.

Key handlingStable service key required

The encryption key must be backed up securely. Losing it would make encrypted workflow records unreadable.

What MyVaultOS protects

MyVaultOS stores business records that users need to operate payment workflows: payment files, supplier evidence, route choices, provider references, funding request packs, protected-instrument records, LC application workflows, approvals, receipts, support tickets and export records.

Encrypted workflow records

The system encrypts sensitive workflow metadata before it is stored. Current encrypted record groups include:

Third-party funding request packs and provider response records
Partner-led LC application workflow records
Protected documentary payment and performance-security workflow records
Provider references held inside sensitive workflow payloads
Repayment, disbursement and servicing evidence inside funding workflows

Why some fields remain readable

MyVaultOS keeps limited non-sensitive indexes and summaries in readable form so the product can list files, route users to the right workflow, show counts, run exports and support reconciliation. The full sensitive payload remains encrypted at rest.

Non-custodial boundary

MyVaultOS does not receive, hold, pool, transmit, exchange, lend, invest or guarantee customer funds. It does not store private keys, seed phrases, wallet recovery words or provider passwords. Users and their selected providers remain responsible for custody, signing, KYC/KYB, payment execution and provider support.

Funding and trade-finance records

Funding request packs, provider response records and LC application workflows are stored as software records and evidence packages. MyVaultOS does not provide credit advice, recommend lenders, issue funding terms, originate loans, issue letters of credit or take credit risk.

Account access

Users should use strong passwords, protect email access, keep provider accounts secure and only invite trusted workspace members. Connected agents use scoped credentials and cannot move money, change billing or trigger provider handoffs without the relevant user and provider controls.

Security boundaries

Passwords are hashed, not encrypted, and are never stored in recoverable form.
MyVaultOS is not zero-knowledge software; authorised application services decrypt records after sign-in so workflows, exports and support can operate.
Customers should never upload seed phrases, private keys, recovery words or provider passwords.
No online service can guarantee absolute security, so access controls, backups, monitoring and user-side account protection all matter.

Questions or security concerns

Contact [email protected] with security, access, privacy or support concerns. Include the workspace, affected file and a short description of the issue where possible.

Read the privacy policy or review the terms.