Calm vaults. Loud defences.

Every capsule is encrypted with AES-256 before it touches persistent storage. Encryption keys live in an HSM-backed vault, separate from the data itself, and are rotated on a strict schedule. Even our own engineers cannot read raw capsule contents.

Every internal request is authenticated and authorised independently — no implicit trust between services. Production access requires hardware-key authentication, is time-boxed, and is fully audited.

Accounts support strong passwords, magic links and OAuth. Session tokens are short-lived and rotated on every refresh. Suspicious sign-in patterns trigger automated review and email alerts.

WAF rules and rate limiting at the edge; isolated database tenants with row-level security; daily integrity checks on stored media; quarterly third-party penetration tests; and a private disclosure channel at support@aeevox.com for responsible reporters.