Trust & Security
Security isn't a feature. It's our foundation.
For Individuals
Your vault is yours alone. Here's how we protect it.
Encrypted at Rest
Server vault data lives in PostgreSQL on LUKS-encrypted volumes (AES-256-XTS); the Android local cache uses SQLCipher 4.5.4 with transparent 256-bit AES encryption. Off-site database backups are encrypted with a customer-managed AES-256 key (SSE-C): the storage provider receives the key only with each request, does not retain it, and holds nothing but ciphertext between requests, so it cannot decrypt a backup on its own.
Encrypted in Transit
All API traffic is carried over TLS 1.3. The api.boxowl.me subdomain is served over HTTPS only, with no plaintext or protocol-downgrade path.
End-to-End Encryption for Sensitive Categories
Payment methods (full card numbers, account numbers) and secure notes are end-to-end encrypted on your device with a key derived from your credentials. BoxOwl servers store only ciphertext for these categories and cannot read them. Other vault categories — identity, addresses, emails, work history, etc. — are encrypted at rest and in transit but are server-readable so they can power autofill, public profiles, and PDaaS APIs you authorize. See Payment Methods (E2EE) for the cipher, KDF, and PCI-scope details.
Privacy by Default
You are the controller of your data; BoxOwl operates the vault on your behalf. No third-party analytics with tracking cookies. No data is sold, and nothing is shared with third parties beyond the per-field access you explicitly grant. Every public-profile field is private by default; visibility is opt-in per field.
Bound Trust Triangle
Identity, payment method, and address are bound at the vault layer. At checkout, BoxOwl can attest to merchants that the {cardholder, card, ship-to} triple is one you recognize, without revealing your identity or address. A stolen card number paired with an address you never bound fails that check, so it cannot be shipped to an attacker. Gift and holiday shipping are first-class: tag ship-to addresses by relationship (self / household / family / friend / colleague / gift recipient / one-time), batch them for the holiday season, and auto-revoke the bindings when it's over.
For Organizations
PDaaS infrastructure designed for multi-tenant compliance and auditability.
Multi-Tenant Isolation
Row-level data isolation with typed IDs: every query is scoped to a single tenant, and identifiers of different kinds are distinct types that cannot be substituted for one another, so a lookup under one customer's scope cannot return another customer's rows.
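An added example, not BoxOwl's code, of what "row-level isolation with typed IDs" guards against, using a toy in-memory table with constructed rows. The unscoped lookup is the classic bug (any caller who knows or guesses a vault id reads it); the scoped version filters by tenant first and refuses an argument of the wrong id type. The class and function names are assumptions for illustration.

```javascript
// Added example (not BoxOwl's code): typed IDs plus tenant-scoped reads.

// A TypedId carries its kind, so a vault id cannot silently stand in for a
// tenant id at a call site. Object.freeze keeps instances immutable.
class TypedId {
  constructor(kind, value) {
    this.kind = kind;
    this.value = value;
    Object.freeze(this);
  }
  static of(kind) {
    return (value) => new TypedId(kind, value);
  }
}
const TenantId = TypedId.of('tenant');
const VaultId = TypedId.of('vault');

// Reject anything that is not an id of the expected kind.
function unwrap(kind, id) {
  if (!(id instanceof TypedId) || id.kind !== kind) {
    throw new TypeError(`expected a ${kind} id`);
  }
  return id.value;
}

// Constructed rows standing in for a database table.
const rows = [
  { tenant: 't1', vault: 'v1', data: 'alice' },
  { tenant: 't1', vault: 'v2', data: 'bob' },
  { tenant: 't2', vault: 'v3', data: 'carol' },
];

// Vulnerable shape: lookup by vault id alone. Whoever calls this with 'v3'
// gets tenant t2's row regardless of which tenant they belong to.
function readVaultUnscoped(vaultId) {
  const row = rows.find((r) => r.vault === vaultId);
  return row ? row.data : null;
}

// Hardened shape: the tenant filter is applied before the vault lookup, and
// both parameters must be ids of the right kind.
function readVault(tenantId, vaultId) {
  const t = unwrap('tenant', tenantId);
  const v = unwrap('vault', vaultId);
  const row = rows.filter((r) => r.tenant === t).find((r) => r.vault === v);
  return row ? row.data : null;
}
```

In a real deployment the tenant filter belongs in the data layer (for PostgreSQL, a row-level security policy keyed on the tenant of the current session) rather than in application code alone, so that a forgotten filter in one query path cannot widen the scope.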
API Key Security
Keys are scoped per environment and carry fine-grained permission grants. Only a hash of each key is stored, so a read of the database does not yield usable keys. Keys can be rotated without downtime.
Audit Trail
Every vault read, write, and delete is logged with actor, timestamp, IP, and key ID. Exportable for compliance audits.
Open Architecture
Auth flow, vault model, and PDaaS surface are documented in the public wiki and docs. Report a vulnerability via the Contact Security section below.
Compliance
BoxOwl is built around a single legal premise: you are the controller of your personal data. BoxOwl LLC (Colorado, US) operates the vault as a service to you. Apps you connect are processors of your data under per-field scoped consent that you grant and can revoke at any time. BoxOwl is not a data broker, not an identity provider, and not your representative to third parties. For the full framing, see the Privacy Policy and Terms of Service.
BoxOwl is built for US-first compliance:
- CCPA / CPRA — As operator of the vault, BoxOwl supports your right to know, delete, and opt out via export and erasure endpoints; the data is yours, and the controls reflect that.
Contact Security
Report vulnerabilities to support@boxowl.me. We follow coordinated disclosure and respond within 48 hours. Machine-readable contact + policy at /.well-known/security.txt (RFC 9116).
Built on trust. Ready to use.
BoxOwl is in private beta. A registration token is required to create an account.