Features
Tokenization, keys, access control, audit, and compliance in one API
Twelve feature areas with the same capabilities on every plan, including free. Pick a category below, jump to compliance evidence, or grab an SDK.
Vaults & data isolation
Separate vaults for PII, PHI, PCI, and credentials with field-level schemas.
Purpose-built vault types
Dedicated vaults for PII, PHI, PCI, and credentials with default field schemas and retention rules per type.
Logical & physical tenancy
Choose shared infrastructure, a dedicated environment, or a mix, with the same API either way.
Field-level schemas
Declare sensitive fields, tokenization rules, and redaction for analytics.
Data residency
Pin vaults to US, EU, UK, Canada, or APAC. Replicas stay in-region.
Workspace-scoped policies
Set access rules at the workspace level, override them per vault, then per field.
Encryption & key management
AES-256-GCM, envelope encryption, BYOK, and HYOK for regulated workloads.
AES-256-GCM at rest, TLS 1.3 in transit
Audited libraries, no plaintext fallbacks. Keys rotated automatically.
Customer-managed keys (BYOK)
Bring keys from AWS KMS, GCP KMS, Azure Key Vault, or HashiCorp Vault.
Hold-your-own-key (HYOK)
Master key stays in your HSM. Without your approval, data stays encrypted.
Envelope encryption per record
Unique data key per record, wrapped by your master key.
Scheduled & event-driven rotation
Rotate on schedule, after offboarding, or on compromise suspicion. Zero downtime.
Tokenization & detokenization
Your app stores tokens; plaintext stays in the vault until a policy allows detokenization.
Format-preserving tokens
Tokens look like cards, SSNs, or emails so legacy systems keep working.
Reversible & irreversible modes
Reversible tokens for transactions that need the original value back; irreversible tokens for analytics where lookup is not allowed. You choose per field in policy.
Detokenization at the edge
Release plaintext only where it is needed: payment gateway, clinician app, or support console.
Access control & policies
Role-based and attribute-based rules, time-limited elevation, multi-approver actions, and documented emergency access.
Role-based access control
Built-in roles for engineers, support, finance, auditors, and admins.
Attribute-based policies
Conditions on time, IP, MFA strength, request purpose, or custom claims.
Just-in-time access
Elevated access for a window with reason. Logged and auto-expiring.
Audit & observability
Tamper-evident logs and real-time export to the tools your security team already runs.
Tamper-evident audit log
Append-only, hash-chained log of reads, writes, key ops, and policy changes.
SIEM & warehouse export
Stream to Splunk, Datadog, Snowflake, or BigQuery in real time.
Live access analytics
Watch detokenization volume, policy denials, and anomalous access as it happens.
Featured
Compliance & audit evidence
Turn raw audit activity into reviewer-ready evidence. Sign off on sensitive access, map events to frameworks, and prove control coverage on demand.
Compliance review queue
Flag, assign, and sign off on sensitive-access events with a four-eyes approval workflow.
Framework-mapped evidence packs
Export audit trails mapped to SOC 2, HIPAA, GDPR, and ISO 27001 control questions.
Tamper-evident chain of custody
Every reviewed event keeps its hash-chained proof, so evidence holds up under scrutiny.
Retention windows & legal hold
Configure per-vault retention and place legal holds that block erasure until released.
DPA ready, BAA in progress
GDPR DPA available on supported plans, with sub-processor disclosure. HIPAA BAA in progress.
Auditor-friendly exports
Hand auditors scoped, time-boxed exports without giving them production access.
Privacy operations
DSAR, retention, and consent workflows in one place.
Subject access in a single query
One subject ID, every vault, every record. No engineering tickets per DSAR.
Right to erasure
Cryptographic shredding of data keys. Records become unrecoverable.
Consent capture & enforcement
Withdraw consent and downstream services lose detokenization access.
Developer platform
REST/gRPC APIs, typed SDKs, a drop-in proxy, and webhooks — wired to your stack in an afternoon.
REST & gRPC APIs
Versioned API with idempotent writes, consistent errors, and webhooks.
Typed SDKs
Node, Python, Go, Java, Ruby, and .NET with typed request and response objects.
Drop-in PII proxy
Route existing services through PIIsafe with zero code changes.
Framework adapters
First-class helpers for Next.js, NestJS, FastAPI, Spring, Rails, and ASP.NET.
First-party SDKs & CLI
Client libraries generated from a single OpenAPI 3.1 contract, with typed models, automatic retries, cursor pagination, and typed errors. TypeScript, Python, and a CLI are available today; Go is next.
TypeScript / Node
AlphaTyped client with ESM + CJS builds, retries, and cursor pagination.
npm install @orthoplex-solutions/vaulto-sdkPython
AlphaSync and async clients with full type hints and typed errors.
pip install vaulto-sdkCLI
AlphaManage workspaces, tables, and rows from your shell and CI pipelines.
npm i -g @orthoplex-solutions/vaulto-cliGo
PlannedIdiomatic Go client generated from the same API contract.
// coming in phase 2Integrations
Cloud KMS, identity providers, data warehouses, and payment processors.
Cloud & infrastructure
AWS, GCP, Azure, HashiCorp Vault, Kubernetes.
Identity & access
Okta, Auth0, Azure AD, OneLogin, SAML 2.0, OIDC, SCIM.
Data & analytics
Snowflake, Databricks, BigQuery, Redshift.
Payments & fintech
Stripe, Adyen, Plaid, Braintree, Checkout.com, Worldpay.
AI & sensitive workloads
Keep customer data out of training sets, prompts, and inference logs.
De-identification before training
Stable tokens replace names and IDs before fine-tuning jobs.
Prompt-time redaction
Scrub PII from prompts before third-party models. Reinsert on response.
Inference-time access control
The same access policies that gate vault reads also control which model outputs can include detokenized fields.
Reliability & operations
Multi-AZ uptime, region-pinned DR, status page, and change disclosure.
99.99% target availability
Multi-AZ active-active for cryptographic operations.
Region-pinned redundancy
Replicas and backups stay inside the region you chose.
Status page and incident reports
Public uptime dashboard and published write-ups after outages or security events.
Included on every workspace, including free
Customer-managed keys, audit streaming, and region pinning are included on the free plan, not reserved for enterprise tiers.
Get in touch
Start with 100 protected records
Create a vault, tokenize your first field, and wire audit logging before you talk to sales.