Security

How CredClock keeps your data safe

The core principle: CredClock never stores your actual passwords, API keys, certificates, or any secret values. There are no secrets to steal — even in a worst-case breach scenario.

Vaultless Architecture

CredClock is fundamentally different from password managers. We are a tracking and notification layer, not a secrets vault. Our database contains only:

  • Credential labels (e.g., "AWS Prod API Key")
  • Credential types (password, API key, SSL cert, etc.)
  • Expiration dates and reminder preferences
  • Optional notes (users control what goes here)
  • Account and organization metadata

We do not store: actual passwords, API keys or tokens, SSL/TLS certificate private keys, SSH private keys, or any secret credential values.

Authentication & Access Control

  • Password hashing — Account passwords are hashed using scrypt (memory-hard KDF) with unique per-user salts
  • Password policy — Minimum 8 characters with uppercase, lowercase, and digit requirements
  • Session security — HTTP-only, SameSite cookies with secure flag. Sessions are regenerated on login to prevent fixation attacks
  • Rate limiting — Authentication endpoints are rate-limited to prevent brute force attacks
  • Email verification — All accounts require email verification before reminders are sent
  • CSRF protection — All state-changing requests are protected against cross-site request forgery

API Security

  • Token authentication — API tokens are hashed with SHA-256 and compared using constant-time algorithms to prevent timing attacks
  • Rate limiting — API endpoints are limited to 60 reads/minute and 30 writes/minute
  • Scoped access — Tokens are scoped to a specific organization and can be revoked instantly
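Worked example of the token scheme described above, added here as an illustration and not CredClock's own code: a token is issued as a public lookup id plus a random secret, only the SHA-256 digest of the full token is persisted, and verification compares digests with a constant-time function. The in-memory TOKEN_STORE, the record field names and the "id.secret" layout are assumptions, not the service's real schema.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed stand-in for the database table: token_id -> record.
# Assumption: the real service keeps the same fields in PostgreSQL.
TOKEN_STORE: Dict[str, dict] = {}


def issue_token(org_id: str) -> str:
    """Create a token scoped to one organization. The plaintext is returned
    exactly once to the caller; only its SHA-256 digest is stored."""
    token_id = secrets.token_hex(8)       # public handle used for lookup
    secret = secrets.token_urlsafe(32)    # the secret part, never persisted
    plaintext = f"{token_id}.{secret}"
    TOKEN_STORE[token_id] = {
        "org_id": org_id,
        "sha256": hashlib.sha256(plaintext.encode()).hexdigest(),
        "revoked": False,
    }
    return plaintext


def verify_token(presented: str) -> Optional[str]:
    """Return the org_id the token is scoped to, or None if it is invalid.
    hmac.compare_digest runs in time independent of how many leading
    characters match, so a wrong token leaks nothing through timing."""
    token_id, _, _ = presented.partition(".")
    record = TOKEN_STORE.get(token_id)
    # Hash the presented value unconditionally so an unknown id costs
    # roughly the same as a known id with a wrong secret.
    presented_digest = hashlib.sha256(presented.encode()).hexdigest()
    if record is None or record["revoked"]:
        return None
    if not hmac.compare_digest(record["sha256"], presented_digest):
        return None
    return record["org_id"]


def revoke_token(token_id: str) -> bool:
    """Revoke by public id; takes effect on the next verify_token call."""
    record = TOKEN_STORE.get(token_id)
    if record is None:
        return False
    record["revoked"] = True
    return True
```

Because only the digest is stored, a leaked TOKEN_STORE row cannot be replayed as a token: presenting the stored digest in place of the secret hashes to a different value and is rejected.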

Transport Security

  • TLS/SSL — All connections are encrypted via HTTPS (TLS 1.2+). HTTP requests are automatically redirected to HTTPS
  • Security headers — Content-Security-Policy, X-Content-Type-Options, X-Frame-Options, and Referrer-Policy headers are set on all responses
  • HSTS — HTTP Strict Transport Security is enforced via the web server

Infrastructure

  • PostgreSQL database with encrypted connections
  • Automated daily database backups with 14-day retention
  • Application deployed behind Nginx reverse proxy
  • Let's Encrypt SSL certificates with automatic renewal
  • Webhook URLs validated against SSRF (private/internal IP blocking)

Audit Logging

CredClock maintains a comprehensive audit log tracking 20+ action types including logins, credential changes, team management, and billing events. Each entry records the actor, action, IP address, user agent, and timestamp. Audit logs are available on Business and Enterprise plans.

Payment Security

All payment processing is handled by Stripe, a PCI DSS Level 1 certified payment processor. CredClock never sees, processes, or stores your credit card information.

Vulnerability Reporting

If you discover a security vulnerability in CredClock, please report it immediately to support@credclock.com. We take all reports seriously and will respond within 48 hours.

Questions

For security-related questions or concerns, contact support@credclock.com.

© 2026 CredClock — Track credential expirations without storing secrets.