Security

How CredClock keeps your data safe

Vaultless architecture

CredClock is fundamentally different from password managers. We never store your actual passwords, API keys, certificates, or any secret values. We only store labels (e.g., "AWS Prod API Key"), credential types, expiration dates, and optional notes. There are no secrets to steal.

What we store

• Your email address and a securely hashed password (for your CredClock account)
• Credential labels, types, and expiration dates
• Optional notes (you control what goes here — never put secrets in notes)
• Reminder preferences and history logs

What we don't store

• Actual passwords or passphrases
• API keys or tokens
• SSL certificate private keys
• SSH private keys
• Any secret or sensitive credential values

Infrastructure security

• All connections encrypted with TLS/SSL (HTTPS enforced)
• Passwords hashed with industry-standard algorithms (Werkzeug/PBKDF2)
• CSRF protection on all forms
• Rate limiting on authentication endpoints
• Security headers: X-Content-Type-Options, X-Frame-Options, Referrer-Policy
• Session cookies are HTTP-only and SameSite

Reporting vulnerabilities

If you discover a security issue, please email support@credclock.com immediately. We take all reports seriously.