Skip to main content
VaultPAM
00 How it works

how vaultpam works, by the numbers.

Five gates per session, five steps to onboard, one EU region, zero firewall changes. The same facts the animated diagrams told — flat, fast, and easy to verify.

01 At a glance

The whole product in six numbers.

1.1
5
gates

Every session passes five independent gates. All must open. Any one stops a breach.

1.2
5
steps

Operator onboarding — account to live session — in five steps, minutes not days.

1.3
0
firewall changes

The connector dials out only. No inbound ports, no firewall exceptions to request.

1.4
1
EU region

All data, recordings and vaults live in GCP europe-central2 (Warsaw). One region, no exits.

1.5
256
bit at rest

Credentials encrypted with AES-256-GCM at rest, behind TLS 1.3 in transit.

1.6
100%
sessions logged

Every privileged session recorded and written to a tamper-evident, hash-chained ledger.

02 The session pipeline

Five gates. All must open. Any one stops a breach.

01

Web application firewall

Gate 0 — WAF. Malformed and malicious traffic is dropped before it reaches the broker.

02

Multi-factor authentication

Gate 1 — MFA. Identity is proven with TOTP or FIDO2/WebAuthn before any target is named.

03

Role-based access control

Gate 2 — RBAC. The role decides which targets are even visible. No role, no path.

04

Credential injection

Gate 3 — Vault. Credentials are checked out just-in-time and injected at the protocol level — never shown to the user.

05

Session recording

Gate 4 — REC. The session is recorded end to end and signed into the audit chain.

03 Operator onboarding

Five steps, minutes not days.

01

Create account

An operator account is provisioned. No standing access is granted at this point.

02

Assign role

A role is attached. The role — not the person — defines the reachable targets.

03

Request access

The operator requests access to a specific target for a specific window.

04

Vault approves

The vault approves and checks out a time-limited, just-in-time credential.

05

Session starts

A recorded session opens. From create-account to live session takes under five minutes.

04 The connector

Outbound only. No firewall changes.

PropertyBehaviourValue
DirectionOutbound only — the connector dials homeNo inbound
Inbound portsNone opened on your network0
TransportEncrypted tunnel over port 443TLS 1.3
Failure modeFail-closed — loss of tunnel ends sessionsFail-closed
Firewall changesNo exceptions to request or maintain0
05 Residency & encryption

Your data stays in the EU. Encrypted at rest and in transit.

ControlDetailValue
Primary regionGCP europe-central2 (Warsaw) — primary and onlyEU
Cross-region replicationNone outside the EUNONE
Credentials at restAES-256-GCM, keys stored and rotated separatelyAES-256-GCM
Traffic in transitTLS 1.3 for sessions; RDP, SSH and DB proxied through encrypted tunnelsTLS 1.3
Session recordingsObject-level encryption in GCS (europe-central2)Encrypted
Third-country transfersGDPR/RODO Article 44 — noneNONE
06 NIS2 timeline

Where you stand on the NIS2 clock.

DateMilestoneStatus
Oct 2024NIS2 transposition deadline for member statesPassed
Jan 2025NIS2 Directive effective across the EUEffective
Oct 2025Annex I essential-entity registration deadlinePassed
TodayEnforcement is live — where you stand right nowNow