Data Processing Addendum

AES-256-GCM ZERO-KNOWLEDGE CLIENT-SIDE ONLY

⚠️ Important Architectural Note — Limited Processor Role

Because all encryption occurs entirely within the user's browser using AES-256-GCM before any data is transmitted to The Sealed Vault's infrastructure, The Sealed Vault's technical role as a "Data Processor" under GDPR is significantly limited to storing encrypted ciphertext only.

The Sealed Vault has no technical ability to access, read, modify, or process the plaintext Personal Data contained within vaults. This zero-knowledge architecture materially reduces The Sealed Vault's exposure under GDPR's "Risk to Rights and Freedoms" assessment, as the Service cannot constitute a meaningful risk to the fundamental rights of data subjects with respect to vault contents. All Personal Data within vaults remains under the exclusive cryptographic control of the Controller at all times.

Data Processing Addendum · The Sealed Vault LLC · Version 2.0 GDPR · CCPA · SCC Compliant

Scope and Applicability
Roles of the Parties
Technical and Organisational Measures
International Data Transfers
Data Subject Rights
Personal Data Breach Notification
Google Firebase Sub-Processor DPA
Contact

1. Scope and Applicability

This Data Processing Addendum ("DPA") applies where and only to the extent that The Sealed Vault LLC ("The Sealed Vault") processes "Personal Data" that is subject to the General Data Protection Regulation ("GDPR"), the California Consumer Privacy Act ("CCPA"), or other applicable data protection legislation. This Addendum is incorporated into and forms part of the Terms of Service and Privacy Policy of The Sealed Vault, both available at https://sealed-vault.com.

2. Roles of the Parties

Customer as Controller: The user acts as the "Data Controller" for all Personal Data stored within their vaults. The user determines the purpose and means of processing their Personal Data.

The Sealed Vault as Processor (Limited): The Service acts as a "Data Processor" in the limited technical capacity of providing encrypted ciphertext storage. As noted above, because encryption occurs client-side before data reaches The Sealed Vault's infrastructure, The Sealed Vault processes only encrypted ciphertext and has no ability to access the underlying Personal Data.

Sub-processors: The Sealed Vault utilises Google Firebase as its primary sub-processor for authentication, database and storage services. Google's processing is governed by Google's own Cloud Data Processing Addendum, available at: https://cloud.google.com/terms/data-processing-addendum

3. Technical and Organisational Measures

The Service implements the following technical and organisational measures to ensure a level of security appropriate to the risk:

Client-Side Encryption: All vault contents are encrypted with AES-256-GCM entirely within the user's browser before reaching any server. No plaintext Personal Data ever leaves the user's device.
Key Derivation: PBKDF2 with SHA-256 and 200,000 iterations ensures that The Sealed Vault cannot decrypt stored ciphertext — even under compulsion.
Zero-Knowledge Architecture: The Sealed Vault has no cryptographic keys and cannot access vault contents. This is architectural, not merely a policy commitment.
Emergency Override Hashing: Emergency recovery answers are stored only as SHA-256 hashes. The plaintext answer is never transmitted or stored.
Access Control: Data is restricted via Firebase Security Rules and is only accessible by the authenticated account holder.
Transport Security: All data in transit is protected by HTTPS/TLS encryption.
Firebase App Check: Prevents unauthorised API access and billing abuse.

4. International Data Transfers

Storage Location: Data is primarily stored in the us-central (Iowa, USA) region via Google Firebase.

Transfer Mechanism: Transfers of Personal Data from the EEA or UK to the United States are governed by the Standard Contractual Clauses (SCCs) as adopted by the European Commission.

Sub-processor Compliance: The Sealed Vault relies on Google's Cloud Data Processing Addendum and SCCs for infrastructure-level compliance. Google's DPA is available at: https://cloud.google.com/terms/data-processing-addendum

Reduced Transfer Risk: Because vault contents are encrypted client-side before transfer and The Sealed Vault holds no decryption keys, the practical risk to data subjects from international transfers of vault ciphertext is materially lower than for transfers of plaintext Personal Data.

5. Data Subject Rights

The Sealed Vault shall assist the Controller in fulfilling requests from data subjects (EU/UK users) regarding:

Right of Access and Portability: Providing a copy of account metadata and encrypted vault data in a machine-readable format.
Right to Erasure: Deleting all account data and vault contents within 30 days of a valid erasure request or account closure.
Right to Rectification: Correcting inaccurate account metadata held by The Sealed Vault.

Important Limitation: Because the Service operates on a zero-knowledge basis and cannot decrypt vault contents, The Sealed Vault cannot provide plaintext copies of the Personal Data contained within vaults to the user or any third party — including law enforcement or regulatory bodies. Only the vault owner, using their passphrase, can access vault contents.

This limitation further reduces The Sealed Vault's liability under GDPR's "Risk to Rights and Freedoms" framework, as the Service is technically incapable of enabling unauthorised access to the Personal Data within vaults.

6. Personal Data Breach Notification

In the event of a security breach affecting Personal Data, The Sealed Vault will notify the Controller and relevant supervisory authorities within 72 hours of discovery, as required by GDPR Article 33.

In the event of a breach of The Sealed Vault's infrastructure, the practical impact is expected to be limited. Because all vault contents are stored as AES-256-GCM encrypted ciphertext and The Sealed Vault holds no decryption keys, any breach would expose only encrypted data that is computationally infeasible to decrypt without the user's passphrase.

7. Google Firebase Sub-Processor DPA

As The Sealed Vault's infrastructure relies entirely on Google Firebase, Google acts as the primary sub-processor. Google's own Cloud Data Processing Addendum — which includes Standard Contractual Clauses for international data transfers — governs Google's processing obligations.

Google Cloud Data Processing Addendum (DPA):

https://cloud.google.com/terms/data-processing-addendum

Users and Controllers are advised to review Google's DPA directly. By using The Sealed Vault, you acknowledge that your encrypted data is stored on Google Firebase infrastructure subject to Google's DPA and Standard Contractual Clauses.

8. Contact

For all data protection and privacy enquiries, contact:

The Sealed Vault LLC — Data Protection Officer

Email: contact@sealed-vault.com

Website: https://sealed-vault.com

DPA Page: https://sealed-vault.com/dpa

Data Processing Addendum · The Sealed Vault LLC · Effective April 26, 2026 · https://sealed-vault.com

⚠️ Important Architectural Note — Limited Processor Role

Table of Contents

1. Scope and Applicability

2. Roles of the Parties

3. Technical and Organisational Measures

4. International Data Transfers

5. Data Subject Rights

6. Personal Data Breach Notification

7. Google Firebase Sub-Processor DPA

8. Contact

We use cookies

🔐 Cookie Preferences

Essential Cookies Always Active

Analytics Cookies

Functional Cookies