Veqtrx
Security

Security you can verify.

We publish the code, the architecture, and the threat model. The zero-knowledge claim is a property of the published code — not marketing.

View crypto on GitHub →Read whitepaper →Contact security →

Zero-knowledge in one paragraph

Veqtrx is built around a single technical commitment: the server cannot read customer data, even with full database access. Customer financial data is encrypted in the browser before any HTTP request leaves the user's machine. The encryption key is derived from the user's password in-browser via PBKDF2-SHA256 with 600,000 iterations — that key never crosses the network. There is no master key, no admin override, no KMS unlock. If every Veqtrx employee, every server, and every backup were compromised simultaneously, customer financial data would remain ciphertext.

The actual encryption code is open-source: github.com/vaibhavkiyer24/veqtrx-crypto-reference. Diff it against what the browser bundle ships in production — they're identical modulo minification. Run the included tests to verify the claims yourself.

What we can — and cannot — see

What the server CAN see

  • Your email (login + share)
  • Household composition you declare
  • Timestamps of assessment activity
  • Ciphertext blobs (opaque)
  • Wrapped DEKs (opaque)

What the server CANNOT see

  • Your password
  • The KEK derived from your password
  • The DEK that decrypts your budget
  • Your decrypted financial transactions
  • Your assessment outcome / breakdown
  • Agents' RSA private keys
  • Creditor share tokens (URL-fragment-only)

Audit trail

Every access is logged with the principal, endpoint, timestamp, and reference ID. Partners can request a CSV export of all events scoped to their partner_id:

EventLoggedRetention
Customer loginTimestamp, IP country, user agent90 days
Budget saveCustomer ID, blob hash90 days
Agent viewAgent ID, ref ID365 days
Creditor viewIP country, ref ID365 days
Admin actionAdmin email, endpoint, body730 days
GDPR erasure (Vanish)Customer ID, what was scrubbedIndefinite

Compliance roadmap

StandardTargetStatus
UK GDPRLaunch✅ Compliant
ICO registrationQ2 2026In progress
Cyber EssentialsQ3 2026Self-assessment phase
Cyber Essentials PlusQ4 2026Planned
Independent pen testQ3 2026Vendor shortlisting
SOC 2 Type IQ1 2027Roadmap
Independent crypto reviewQ2 2027Roadmap
SOC 2 Type IIQ3 2027Roadmap

Security FAQ — top questions

How do we know you can't read our data?
Three independent ways: (1) Read the code — the actual encryption code is public on GitHub under MIT. (2) Run the tests — the repo includes PROOF tests demonstrating each ZK claim. (3) Subpoena us — we'd produce ciphertext and a signed declaration that we have no key material capable of decrypting it. The architecture makes this verifiable.
What if a Veqtrx employee tries to access my data?
Technically impossible without your password. Engineers, sysadmins, and support staff have no decryption path. There is no master key, no admin override, no break-glass procedure. The internal admin dashboard shows metadata only — email, timestamp, blob hash — not content. Every admin action is logged with the admin's email + endpoint + timestamp.
What about government requests / subpoenas?
We comply with all lawful UK requests. For metadata (existence of account, last-login timestamp, IP country) — we can produce these. For plaintext financial data — we cannot produce this even with a court order, because we don't have the keys. We would produce the ciphertext + salt + iteration count, plus a signed declaration that further decryption requires the customer's password.
What encryption algorithms do you use?
Password → KEK: PBKDF2-SHA256, 600,000 iterations (OWASP 2026 recommendation). KEK / DEK / share-key: AES-GCM 256-bit (NIST FIPS 197 + 800-38D). Agent asymmetric: RSA-OAEP 2048-bit + SHA-256 (NIST FIPS 186-5). Salt: 32 random bytes from crypto.getRandomValues. All via the Web Crypto API — no third-party crypto libraries.
What about SOC 2?
Not certified yet. SOC 2 Type I target Q1 2027; Type II target Q3 2027 (after the 6-month observation window). Trigger is the first paying B2B partner contract requiring it. If SOC 2 Type I is a procurement gate for your contract, mention it in the RFP and we can accelerate.
Can we pen-test your platform?
Yes, with prior notice. We provide staging-environment credentials within 2 business days, synthetic test data, relaxed rate limits for the window, and a nominated Veqtrx contact during the test. Email contact@veqtrx.com with your test window and the firm you're using.

Full FAQ — 28 questions covering implementation, audit trail, compliance, pen testing, operations, and contracting. Available on request via contact@veqtrx.com.

Security whitepaper

Full architecture, threat model, key management spec, audit trail, and compliance roadmap — in one document. Intended for bank / lender / regulator due-diligence reviews.

Read whitepaper →Open in browser · ⌘P → Save as PDF to download

Verify the crypto yourself

The encryption code that runs in every Veqtrx user's browser is published under MIT licence. Read it. Diff it against the production bundle. Run the included tests.

View on GitHub →

One file, ~350 lines, no third-party crypto libraries. Audit surface is the Web Crypto API.

Pen testing and responsible disclosure

We welcome independent security review. We provide:

  • Dedicated staging environment with full feature parity
  • Synthetic test data — no real customers affected
  • Rate limits relaxed for the test window
  • A nominated contact at Veqtrx during the engagement

Email contact@veqtrx.com with your test window and the firm you're using.

For confirmed vulnerabilities we acknowledge within 24 hours and patch on a severity-driven timeline. No paid bounty programme yet; public credit on request.