Features

Tokenization, keys, access control, audit, and compliance in one API

Twelve feature areas with the same capabilities on every plan, including free. Pick a category below, jump to compliance evidence, or grab an SDK.

Vaults & data isolation

Separate vaults for PII, PHI, PCI, and credentials with field-level schemas.

Purpose-built vault types

Dedicated vaults for PII, PHI, PCI, and credentials with default field schemas and retention rules per type.

Logical & physical tenancy

Choose shared infrastructure, a dedicated environment, or a mix, with the same API either way.

Field-level schemas

Declare sensitive fields, tokenization rules, and redaction for analytics.

Data residency

Pin vaults to US, EU, UK, Canada, or APAC. Replicas stay in-region.

Workspace-scoped policies

Set access rules at the workspace level, override them per vault, then per field.

Encryption & key management

AES-256-GCM, envelope encryption, BYOK, and HYOK for regulated workloads.

AES-256-GCM at rest, TLS 1.3 in transit

Audited libraries, no plaintext fallbacks. Keys rotated automatically.

Customer-managed keys (BYOK)

Bring keys from AWS KMS, GCP KMS, Azure Key Vault, or HashiCorp Vault.

Hold-your-own-key (HYOK)

Master key stays in your HSM. Without your approval, data stays encrypted.

Envelope encryption per record

Unique data key per record, wrapped by your master key.

Scheduled & event-driven rotation

Rotate on schedule, after offboarding, or on compromise suspicion. Zero downtime.

Tokenization & detokenization

Your app stores tokens; plaintext stays in the vault until a policy allows detokenization.

Format-preserving tokens

Tokens look like cards, SSNs, or emails so legacy systems keep working.

Reversible & irreversible modes

Reversible tokens for transactions that need the original value back; irreversible tokens for analytics where lookup is not allowed. You choose per field in policy.

Detokenization at the edge

Release plaintext only where it is needed: payment gateway, clinician app, or support console.

Access control & policies

Role-based and attribute-based rules, time-limited elevation, multi-approver actions, and documented emergency access.

Role-based access control

Built-in roles for engineers, support, finance, auditors, and admins.

Attribute-based policies

Conditions on time, IP, MFA strength, request purpose, or custom claims.

Just-in-time access

Elevated access for a window with reason. Logged and auto-expiring.

Audit & observability

Tamper-evident logs and real-time export to the tools your security team already runs.

Tamper-evident audit log

Append-only, hash-chained log of reads, writes, key ops, and policy changes.

SIEM & warehouse export

Stream to Splunk, Datadog, Snowflake, or BigQuery in real time.

Live access analytics

Watch detokenization volume, policy denials, and anomalous access as it happens.

Featured

Compliance & audit evidence

Turn raw audit activity into reviewer-ready evidence. Sign off on sensitive access, map events to frameworks, and prove control coverage on demand.

Compliance review queue

Flag, assign, and sign off on sensitive-access events with a four-eyes approval workflow.

Framework-mapped evidence packs

Export audit trails mapped to SOC 2, HIPAA, GDPR, and ISO 27001 control questions.

Tamper-evident chain of custody

Every reviewed event keeps its hash-chained proof, so evidence holds up under scrutiny.

Retention windows & legal hold

Configure per-vault retention and place legal holds that block erasure until released.

DPA ready, BAA in progress

GDPR DPA available on supported plans, with sub-processor disclosure. HIPAA BAA in progress.

Auditor-friendly exports

Hand auditors scoped, time-boxed exports without giving them production access.

Privacy operations

DSAR, retention, and consent workflows in one place.

Subject access in a single query

One subject ID, every vault, every record. No engineering tickets per DSAR.

Right to erasure

Cryptographic shredding of data keys. Records become unrecoverable.

Consent capture & enforcement

Withdraw consent and downstream services lose detokenization access.

Developer platform

REST/gRPC APIs, typed SDKs, a drop-in proxy, and webhooks — wired to your stack in an afternoon.

REST & gRPC APIs

Versioned API with idempotent writes, consistent errors, and webhooks.

Typed SDKs

Node, Python, Go, Java, Ruby, and .NET with typed request and response objects.

Drop-in PII proxy

Route existing services through PIIsafe with zero code changes.

Framework adapters

First-class helpers for Next.js, NestJS, FastAPI, Spring, Rails, and ASP.NET.

First-party SDKs & CLI

Client libraries generated from a single OpenAPI 3.1 contract, with typed models, automatic retries, cursor pagination, and typed errors. TypeScript, Python, and a CLI are available today; Go is next.

TypeScript / Node

Alpha

Typed client with ESM + CJS builds, retries, and cursor pagination.

npm install @orthoplex-solutions/vaulto-sdk

Python

Alpha

Sync and async clients with full type hints and typed errors.

pip install vaulto-sdk

CLI

Alpha

Manage workspaces, tables, and rows from your shell and CI pipelines.

npm i -g @orthoplex-solutions/vaulto-cli

Go

Planned

Idiomatic Go client generated from the same API contract.

// coming in phase 2

Integrations

Cloud KMS, identity providers, data warehouses, and payment processors.

Cloud & infrastructure

AWS, GCP, Azure, HashiCorp Vault, Kubernetes.

Identity & access

Okta, Auth0, Azure AD, OneLogin, SAML 2.0, OIDC, SCIM.

Data & analytics

Snowflake, Databricks, BigQuery, Redshift.

Payments & fintech

Stripe, Adyen, Plaid, Braintree, Checkout.com, Worldpay.

AI & sensitive workloads

Keep customer data out of training sets, prompts, and inference logs.

De-identification before training

Stable tokens replace names and IDs before fine-tuning jobs.

Prompt-time redaction

Scrub PII from prompts before third-party models. Reinsert on response.

Inference-time access control

The same access policies that gate vault reads also control which model outputs can include detokenized fields.

Reliability & operations

Multi-AZ uptime, region-pinned DR, status page, and change disclosure.

99.99% target availability

Multi-AZ active-active for cryptographic operations.

Region-pinned redundancy

Replicas and backups stay inside the region you chose.

Status page and incident reports

Public uptime dashboard and published write-ups after outages or security events.

Included on every workspace, including free

Customer-managed keys, audit streaming, and region pinning are included on the free plan, not reserved for enterprise tiers.

Customer-managed keysIncluded
Audit log streamingIncluded
Multi-sig sensitive operationsIncluded
Region pinningIncluded
Compliance evidence packsIncluded
Per-seat chargesNever

Get in touch

Start with 100 protected records

Create a vault, tokenize your first field, and wire audit logging before you talk to sales.