Every session passes five independent gates. All must open. Any one stops a breach.
how vaultpam works, by the numbers.
Five gates per session, five steps to onboard, one EU region, zero firewall changes. The same facts the animated diagrams told — flat, fast, and easy to verify.
The whole product in six numbers.
Operator onboarding — account to live session — in five steps, minutes not days.
The connector dials out only. No inbound ports, no firewall exceptions to request.
All data, recordings and vaults live in GCP europe-central2 (Warsaw). One region, no exits.
Credentials encrypted with AES-256-GCM at rest, behind TLS 1.3 in transit.
Every privileged session recorded and written to a tamper-evident, hash-chained ledger.
Five gates. All must open. Any one stops a breach.
Web application firewall
Gate 0 — WAF. Malformed and malicious traffic is dropped before it reaches the broker.
Multi-factor authentication
Gate 1 — MFA. Identity is proven with TOTP or FIDO2/WebAuthn before any target is named.
Role-based access control
Gate 2 — RBAC. The role decides which targets are even visible. No role, no path.
Credential injection
Gate 3 — Vault. Credentials are checked out just-in-time and injected at the protocol level — never shown to the user.
Session recording
Gate 4 — REC. The session is recorded end to end and signed into the audit chain.
Five steps, minutes not days.
Create account
An operator account is provisioned. No standing access is granted at this point.
Assign role
A role is attached. The role — not the person — defines the reachable targets.
Request access
The operator requests access to a specific target for a specific window.
Vault approves
The vault approves and checks out a time-limited, just-in-time credential.
Session starts
A recorded session opens. From create-account to live session takes under five minutes.
Outbound only. No firewall changes.
| Property | Behaviour | Value |
|---|---|---|
| Direction | Outbound only — the connector dials home | No inbound |
| Inbound ports | None opened on your network | 0 |
| Transport | Encrypted tunnel over port 443 | TLS 1.3 |
| Failure mode | Fail-closed — loss of tunnel ends sessions | Fail-closed |
| Firewall changes | No exceptions to request or maintain | 0 |
Your data stays in the EU. Encrypted at rest and in transit.
| Control | Detail | Value |
|---|---|---|
| Primary region | GCP europe-central2 (Warsaw) — primary and only | EU |
| Cross-region replication | None outside the EU | NONE |
| Credentials at rest | AES-256-GCM, keys stored and rotated separately | AES-256-GCM |
| Traffic in transit | TLS 1.3 for sessions; RDP, SSH and DB proxied through encrypted tunnels | TLS 1.3 |
| Session recordings | Object-level encryption in GCS (europe-central2) | Encrypted |
| Third-country transfers | GDPR/RODO Article 44 — none | NONE |
Where you stand on the NIS2 clock.
| Date | Milestone | Status |
|---|---|---|
| Oct 2024 | NIS2 transposition deadline for member states | Passed |
| Jan 2025 | NIS2 Directive effective across the EU | Effective |
| Oct 2025 | Annex I essential-entity registration deadline | Passed |
| Today | Enforcement is live — where you stand right now | Now |