Lockzero exists to reduce credential risk, not create it. Here’s exactly how we protect your secrets.
Military-grade authenticated encryption for every stored credential.
Secrets are masked by default and never appear in application logs.
Tamper-evident audit log chaining every event to the one before it.
Every credential stored in Lockzero is encrypted before it ever touches a disk. Data moving between your app and our API is equally protected.
We use envelope encryption so that each secret has its own data encryption key (DEK), which is itself wrapped by a master key — limiting the blast radius of any single key compromise.
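The envelope pattern described above, as an added illustration that is not Lockzero's own code: each secret gets a fresh random DEK, the secret is sealed under that DEK with AES-256-GCM, and the DEK is then wrapped under the master key. The secret's identifier is bound as associated data so a stored record cannot be transplanted into another secret's slot. The master key here is generated in memory for the demo; the assumption is that in a real deployment it never leaves a KMS or HSM, and the record persisted to disk holds only the two ciphertexts.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// EnvelopeRecord is what would be persisted for one secret: the secret sealed
// under its own DEK, plus that DEK wrapped by the master key. The master key
// is never stored alongside the record (assumed to live in a KMS/HSM).
type EnvelopeRecord struct {
	WrappedDEK []byte // DEK encrypted under the master key, nonce prepended
	Ciphertext []byte // secret encrypted under the DEK, nonce prepended
}

// aeadSeal encrypts plaintext with AES-GCM under key, prepending a random nonce.
func aeadSeal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// aeadOpen reverses aeadSeal; any change to nonce, ciphertext, tag or AAD fails.
func aeadOpen(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// Encrypt generates a fresh 256-bit DEK for this one secret, seals the secret
// with it, then wraps the DEK under the master key. secretID is bound as AAD.
func Encrypt(masterKey []byte, secretID string, plaintext []byte) (EnvelopeRecord, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return EnvelopeRecord{}, err
	}
	ct, err := aeadSeal(dek, plaintext, []byte(secretID))
	if err != nil {
		return EnvelopeRecord{}, err
	}
	wrapped, err := aeadSeal(masterKey, dek, []byte(secretID))
	if err != nil {
		return EnvelopeRecord{}, err
	}
	return EnvelopeRecord{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Decrypt unwraps the DEK with the master key, then opens the secret with it.
func Decrypt(masterKey []byte, secretID string, rec EnvelopeRecord) ([]byte, error) {
	dek, err := aeadOpen(masterKey, rec.WrappedDEK, []byte(secretID))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return aeadOpen(dek, rec.Ciphertext, []byte(secretID))
}

func main() {
	masterKey := make([]byte, 32) // constructed for the demo; a real one lives in a KMS
	rand.Read(masterKey)
	rec, _ := Encrypt(masterKey, "prod/openai-api-key", []byte("sk-constructed-sample"))
	pt, err := Decrypt(masterKey, "prod/openai-api-key", rec)
	fmt.Println(string(pt), err)
	// The same record under another secret ID fails: the AAD no longer matches.
	_, err = Decrypt(masterKey, "prod/other-key", rec)
	fmt.Println("swapped id:", err)
}
```

Because every secret has its own DEK, compromising one DEK exposes one secret; rotating the master key means re-wrapping the small DEKs rather than re-encrypting every stored payload.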
Fine-grained permissions ensure that the right people can access the right secrets — and nobody else. Every access path is authenticated, scoped, and revocable.
CMMC-aligned: account lockout, 12-char password policy, password history (12 past hashes blocked), 30-min idle session timeout, TOTP MFA, and step-up re-auth gates on sensitive operations.
Every action on every secret is permanently recorded. Know who did what, when, and from where — with tamper-evident logs you can export to your SIEM.
Our hash-chain design means any retroactive modification to an audit record breaks the chain, giving you confidence that the log reflects exactly what happened.
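The chaining property above, as an added example rather than Lockzero's implementation: each audit record carries the SHA-256 of the previous record, and its own hash commits to its fields plus that link. Verification recomputes every hash from the genesis value forward and reports the first record whose link or hash no longer matches. The field names and sample events are constructed for the illustration.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// AuditEvent is one record in the chain. PrevHash is the hash of the preceding
// record; Hash covers this record's fields plus PrevHash, so editing any earlier
// record changes its hash and every link after it stops matching.
type AuditEvent struct {
	Seq      int
	Actor    string
	Action   string
	SecretID string
	SourceIP string
	PrevHash string
	Hash     string
}

// genesisHash is the link value for the first record (64 hex zeros).
const genesisHash = "0000000000000000000000000000000000000000000000000000000000000000"

// canonical serialises the committed fields with length prefixes, so that
// "a"+"bc" and "ab"+"c" cannot produce the same byte string.
func canonical(e AuditEvent) string {
	var b strings.Builder
	for _, f := range []string{fmt.Sprint(e.Seq), e.Actor, e.Action, e.SecretID, e.SourceIP, e.PrevHash} {
		fmt.Fprintf(&b, "%d:%s|", len(f), f)
	}
	return b.String()
}

func hashEvent(e AuditEvent) string {
	sum := sha256.Sum256([]byte(canonical(e)))
	return hex.EncodeToString(sum[:])
}

// Append creates the next record, linking it to the current tail of the chain.
func Append(chain []AuditEvent, actor, action, secretID, ip string) []AuditEvent {
	prev := genesisHash
	if n := len(chain); n > 0 {
		prev = chain[n-1].Hash
	}
	e := AuditEvent{Seq: len(chain), Actor: actor, Action: action,
		SecretID: secretID, SourceIP: ip, PrevHash: prev}
	e.Hash = hashEvent(e)
	return append(chain, e)
}

// Verify recomputes every hash and checks every link. It returns the index of
// the first broken record, or -1 if the chain is intact.
func Verify(chain []AuditEvent) int {
	prev := genesisHash
	for i, e := range chain {
		if e.Seq != i || e.PrevHash != prev || hashEvent(e) != e.Hash {
			return i
		}
		prev = e.Hash
	}
	return -1
}

func main() {
	// Constructed sample events, not real audit data.
	var chain []AuditEvent
	chain = Append(chain, "alice", "secret.read", "prod/stripe-key", "203.0.113.7")
	chain = Append(chain, "bob", "secret.rotate", "prod/stripe-key", "198.51.100.2")
	chain = Append(chain, "alice", "secret.read", "prod/openai-key", "203.0.113.7")
	fmt.Println("intact, first bad index:", Verify(chain)) // -1

	// A retroactive edit to record 1 breaks the chain at record 1.
	chain[1].Actor = "someone-else"
	fmt.Println("after edit, first bad index:", Verify(chain)) // 1
}
```

One caveat a reviewer of such a log would raise: a chain alone proves records were not altered in place, but it cannot by itself prove that trailing records were not dropped, or that the whole chain was not regenerated by someone holding write access to the store. That is why the tail hash is worth anchoring somewhere the log writer cannot rewrite, such as the SIEM export the page mentions.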
Built on hardened AWS infrastructure with redundancy, network isolation, and proactive monitoring — so your secrets are always there when your apps need them.
We publish our status in real time and commit to notifying affected customers within 24 hours of any confirmed incident.
Found a vulnerability? We want to hear from you. Report responsibly and we’ll respond quickly.
security@lockzero.io
We do not currently offer a bug bounty, but we take all reports seriously and will acknowledge receipt within 48 hours.
We’re building toward the certifications your security team expects. Full control matrix at lockzero.io/compliance.
All 17 FAR 52.204-21 practices implemented. CMMC Level 2 key controls (IA, AC, SC families) also implemented. Full control matrix available on request.
Continuous 6-month observation window underway. Controls mapped to AICPA Trust Services Criteria. Report available to Enterprise customers on NDA.
Independent third-party penetration test on an annual cadence. Results summarized in the SOC 2 package.
Stop exposing secrets in environment variables, CI files, Slack messages, and SDK boilerplate. Lockzero keeps them encrypted, governs how they're used at runtime, and audits every call — across OpenAI, Anthropic, Bedrock, Stripe, and 60+ providers.