Last updated: May 18, 2026
This policy describes, in direct language, how TAIVA Vault handles your data. In case of conflict between this page and the applicable law (Brazilian LGPD, Law 13.709/2018), the law prevails.
TAIVA Vault is operated by Rogério A. Santana. Both the general contact channel and the dedicated data protection channel are contato@taiva.com.br. The infrastructure is distributed across three independent physical locations in Brazil and Europe. This distribution is part of the security design, not an operational preference, and is described in the technical whitepaper.
TAIVA Vault operates under an end-to-end zero-knowledge principle: no key in usable form ever transits the server. Authentication uses OPAQUE-3DH, an augmented PAKE built on the oblivious pseudorandom function specified in RFC 9497, in which the server never learns your master password nor any usable derived form of it. The password never leaves your browser. On top of the key material OPAQUE produces on the client, a hybrid post-quantum step using the ML-KEM-1024 key encapsulation mechanism (NIST FIPS 203, security category 5) derives the key that wraps the Data Encryption Key (DEK). The DEK, which encrypts your secrets with AES-256-GCM, exists only in your browser's memory during the active session. The server stores only opaque ciphertext chunks, unrecoverable without your password. If you lose your master password and have not configured a recovery key or digital inheritance, the data becomes permanently inaccessible, including to the operator.
We operate under the principle of minimization (Article 6, III, LGPD). We collect only:
• E-mail address: used as account identifier, for OTP login delivery and for security notifications. You can change it at any time.
• Encrypted form of your sensitive secrets: passwords, note content, TOTP secrets, all encrypted client-side with AES-256-GCM. The server stores only opaque blobs for these fields.
• Vault metadata (explicit trade-off): credential URL/site, username/e-mail, TOTP issuer, category, travel-safe and favorite flags stay in plaintext on the server. This enables search, sorting and filtering (travel mode) without first unwrapping the vault. The server knows which services you use, but not the passwords. This trade-off is documented in whitepaper §3.2.1.
• Operational logs: /24-masked IP address, login date and time, device type (normalized user agent), authentication attempts. Used for abuse detection, rate limiting and incident investigation. Retained for 90 days, then purged; the purge is recorded in the audit chain anchored to Bitcoin via OpenTimestamps (see whitepaper §7).
What we do NOT collect: full name, government ID, phone number, physical address, biometrics, precise geolocation, browsing history outside the extension, address book contacts, photos.
Layered defense:
• OPAQUE-3DH authentication (built on the RFC 9497 OPRF) plus a hybrid post-quantum step using the ML-KEM-1024 key encapsulation mechanism (NIST FIPS 203, security category 5). The user password is never seen by the server.
• 2-of-3 threshold scheme (described as MPC, Multi-Party Computation): the main key is split via Shamir Secret Sharing across three nodes in independent jurisdictions in Brazil and Europe. A single share is information-theoretically useless, so compromising one server does not allow key reconstruction. Two shares are combined transiently in your browser during a successful login, never on a server.
• mTLS between nodes (client and server authenticated with internal certificates issued by an internal CA that is renewed every 2 years).
• SHA-256 audit chain with daily anchoring to Bitcoin via OpenTimestamps: the operation log forms a hash chain in which each entry commits to the previous one, and its root is published on a public blockchain (after Bitcoin confirmation, around 24h to 48h). Any retroactive tampering with an anchored entry would be detected by any auditor holding the published root.
• Master secrets isolated in OpenBao (HSM-light) with Shamir 3-of-5 unseal. Application servers hold only AppRole tokens with a 24h TTL, rotated every 6 hours by a systemd timer.
Full technical details at vault.taiva.com.br/whitepaper.
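The 2-of-3 split above is a threshold scheme: any two shares recover the key, one share alone is consistent with every possible key. The following Python is an added illustration written for this page, not TAIVA Vault's code; it assumes a 256-bit key as the field element and uses Lagrange interpolation over the largest prime below 2**256. Unlike the product, it keeps everything in one process, so it shows the mathematics rather than the node-to-browser transport.

```python
"""Shamir 2-of-3 split and reconstruct over a 256-bit prime field.
Added example for illustration; not TAIVA Vault code."""
import secrets

# Largest prime below 2**256, so every 256-bit key is a valid field element.
P = 2**256 - 189


def split_secret(secret, threshold=2, n_shares=3):
    """Return n_shares points (x, y) on a random polynomial of degree
    threshold-1 whose constant term is the secret."""
    if not 0 <= secret < P:
        raise ValueError("secret must be a field element")
    if not 1 <= threshold <= n_shares:
        raise ValueError("need 1 <= threshold <= n_shares")
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(threshold - 1)]
    shares = []
    for x in range(1, n_shares + 1):
        y = 0
        for c in reversed(coeffs):        # Horner evaluation mod P
            y = (y * x + c) % P
        shares.append((x, y))
    return shares


def reconstruct(shares):
    """Lagrange interpolation at x = 0. With fewer than `threshold` shares the
    result is a random-looking field element, not the secret."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share indices")
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * (-xj)) % P
                den = (den * (xi - xj)) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total


def explain_share(share, candidate_secret):
    """For a 2-of-3 split, return the slope a such that the line
    f(x) = candidate_secret + a*x passes through `share`. This always
    exists, which is why one share reveals nothing about the secret."""
    x, y = share
    return ((y - candidate_secret) * pow(x, -1, P)) % P


if __name__ == "__main__":
    key = secrets.randbits(256) % P           # constructed sample key
    shares = split_secret(key, 2, 3)
    print("two shares recover key:", reconstruct(shares[:2]) == key)
    print("one share recovers key:", reconstruct(shares[:1]) == key)
```

A single compromised node hands the attacker one point on a random line; explain_share shows that for any candidate key there is a line through that point, so the share carries no information until a second one is obtained.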
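The audit chain bullet above describes a hash chain whose root is published externally. The Python below is an added example, not the project's own implementation; it assumes log entries are JSON objects hashed in canonical form, treats the last hash of the day as the "anchored root" that OpenTimestamps would commit to Bitcoin, and uses constructed sample entries with /24-masked documentation-range IPs. The purge-with-checkpoint function is an assumption about how retention and anchoring can coexist, not a statement of how TAIVA implements its "integrity gate".

```python
"""SHA-256 audit hash chain with an externally anchored root.
Added example for illustration; not TAIVA Vault code."""
import hashlib
import json

GENESIS = "00" * 32   # hash that the first entry of the chain commits to


def entry_hash(prev_hash, entry):
    """H(prev_hash || canonical_json(entry)). Canonical JSON so that the
    same entry always hashes identically regardless of key order."""
    payload = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(bytes.fromhex(prev_hash) + payload).hexdigest()


def build_chain(entries, start_hash=GENESIS):
    """Return the list of per-entry hashes; the last one is the daily root
    that gets anchored to Bitcoin via OpenTimestamps."""
    hashes, prev = [], start_hash
    for entry in entries:
        prev = entry_hash(prev, entry)
        hashes.append(prev)
    return hashes


def verify_chain(entries, anchored_root, start_hash=GENESIS):
    """Recompute the chain and compare with the externally published root.
    Any modified, reordered, inserted or deleted entry changes the result."""
    prev = start_hash
    for entry in entries:
        prev = entry_hash(prev, entry)
    return prev == anchored_root


def purge_with_checkpoint(entries, hashes, keep_from):
    """Drop entries older than `keep_from` (e.g. the 90-day window) while
    keeping the hash of the last purged entry as the checkpoint from which
    the remaining entries still verify against the anchored root."""
    checkpoint = hashes[keep_from - 1] if keep_from > 0 else GENESIS
    return entries[keep_from:], checkpoint


# Constructed sample log (documentation IP ranges, fictional timestamps).
SAMPLE_LOG = [
    {"ts": "2026-05-01T08:00:00Z", "ip": "198.51.100.0/24", "ua": "firefox-desktop", "event": "login_ok"},
    {"ts": "2026-05-01T08:05:12Z", "ip": "203.0.113.0/24", "ua": "firefox-desktop", "event": "login_fail"},
    {"ts": "2026-05-01T08:05:40Z", "ip": "203.0.113.0/24", "ua": "firefox-desktop", "event": "login_fail"},
    {"ts": "2026-05-01T09:30:03Z", "ip": "198.51.100.0/24", "ua": "firefox-android", "event": "export_json"},
]


def tampering_detected(entries, anchored_root, index, field, new_value):
    """Simulate an after-the-fact edit of one entry and report whether the
    anchored root exposes it."""
    edited = [dict(e) for e in entries]
    edited[index][field] = new_value
    return not verify_chain(edited, anchored_root)


if __name__ == "__main__":
    hashes = build_chain(SAMPLE_LOG)
    root = hashes[-1]
    print("chain verifies:", verify_chain(SAMPLE_LOG, root))
    print("edit detected:", tampering_detected(SAMPLE_LOG, root, 1, "event", "login_ok"))
    remaining, checkpoint = purge_with_checkpoint(SAMPLE_LOG, hashes, 2)
    print("verifies after purge:", verify_chain(remaining, root, checkpoint))
```

The detection guarantee rests entirely on the root being published somewhere the operator cannot rewrite; that is what the Bitcoin anchor supplies. An auditor needs only the root and the entries (or the checkpoint plus the retained entries) to recompute and compare.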
We do not sell, rent or share your personal data with third parties for commercial, marketing or profiling purposes. The only exceptions:
• Infrastructure providers required for operation: server providers in Brazil and Europe (specific names not published, see technical whitepaper) and a transactional e-mail service (Resend) for OTP delivery and notifications. These receive only the strict minimum (recipient e-mail plus message content; no access to the encrypted vault).
• When required by law or a substantiated court order. We commit to notifying you when legally permitted.
• In case of corporate transfer or acquisition, successors assume the same obligations under this policy. You would be notified 30 days in advance.
The "Health" tab in the vault lets you check whether your passwords appear in public breach datasets. We use the Have I Been Pwned (HIBP) Pwned Passwords range API with k-anonymity, routed through our own proxy to preserve your privacy:
• Your plaintext password never leaves the browser.
• We compute the SHA-1 hash locally and send only its first 5 hex characters to the TAIVA server. That prefix identifies a bucket of several hundred breached-password hashes, not your password.
• The TAIVA server queries HIBP and returns the list of hash suffixes (with their breach counts) for that bucket. Only your browser performs the final comparison against the remaining 35 characters.
• Your IP address never reaches HIBP. The IP seen by their servers is TAIVA's.
Results are cached on our server for 24h, keyed by the 5-character prefix only, to reduce upstream calls. The check is optional and runs only when you trigger it. A positive detection can trigger an e-mail alert (you control this in the Health tab).
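The k-anonymity flow above is small enough to show end to end. The Python below is an added example written for this page, not the extension's code: it computes the SHA-1 split client-side, parses the "SUFFIX:COUNT" range response, ignores the zero-count padding lines HIBP emits when a client requests padding, and includes a prefix-keyed cache with an injectable clock to stand in for the proxy's 24h cache. The range responses are constructed inline so the block runs offline; only the entry for the well-known hash of "password" corresponds to a real SHA-1 value, and its count is made up.

```python
"""HIBP Pwned Passwords k-anonymity check with a prefix-keyed cache.
Added example for illustration; not TAIVA Vault code."""
import hashlib
import time


def split_hash(password):
    """Client side: SHA-1 of the password, split into the 5-hex-char prefix
    that is sent and the 35-char suffix that stays in the browser."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body):
    """Parse 'SUFFIX:COUNT' lines. Entries with count 0 are padding (sent
    when the client asks for Add-Padding) and must not be treated as hits."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        n = int(count)
        if n > 0:
            counts[suffix.upper()] = n
    return counts


class PrefixCache:
    """Stand-in for the proxy's cache: remembers range bodies per prefix for
    `ttl` seconds. It never sees more than the 5-character prefix."""

    def __init__(self, fetch_upstream, ttl=24 * 3600, clock=time.time):
        self._fetch = fetch_upstream
        self._ttl = ttl
        self._clock = clock
        self._store = {}
        self.upstream_calls = 0

    def range(self, prefix):
        now = self._clock()
        hit = self._store.get(prefix)
        if hit is not None and now - hit[0] < self._ttl:
            return hit[1]
        body = self._fetch(prefix)
        self.upstream_calls += 1
        self._store[prefix] = (now, body)
        return body


def breach_count(password, fetch_range):
    """Client side: number of times the password appears in breaches,
    0 if it is not in the bucket returned for its prefix."""
    prefix, suffix = split_hash(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)


# Constructed stand-in for HIBP range responses (counts are invented).
FAKE_RANGES = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n"   # suffix of SHA-1("password")
        "003D68EB55068C33ACE09247EE4C639306B:3\r\n"         # made-up neighbour
        "0123456789ABCDEF0123456789ABCDEF012:0\r\n"         # padding entry
    ),
}


def fake_upstream(prefix):
    return FAKE_RANGES.get(prefix, "")


if __name__ == "__main__":
    cache = PrefixCache(fake_upstream)
    print("'password' seen:", breach_count("password", cache.range))
    print("passphrase seen:", breach_count("correct horse battery staple", cache.range))
    print("upstream calls:", cache.upstream_calls)
```

Two checks worth keeping when reviewing such a client: the comparison must be against the suffix only (never send the full hash), and padding lines must be dropped before matching or a padded bucket will report false positives.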
The TAIVA Vault extension (Firefox AMO) requires:
• activeTab: read the URL of the active tab only when you open the popup, to suggest relevant credentials. URLs are not transmitted to the server nor stored in history.
• clipboardWrite: only for the "copy password" function. The password is automatically cleared from the clipboard after 30 seconds (executed by the background script).
• storage: store encrypted local settings (theme, shortcuts, trusted device handles).
• scripting (host_permissions): only when you trigger autofill, and only on the current domain.
The extension communicates exclusively with vault.taiva.com.br over HTTPS, with no external CDN (the crypto bundle is shipped locally in /crypto-vendor/). The code is reviewed by the official store (Mozilla AMO). Builds are reproducible and signed via Sigstore (Cosign plus the Rekor transparency log).
In compliance with Article 18 LGPD, you have the right to:
• Access all data we hold about you (Art. 18, II).
• Correct inaccurate data (Art. 18, III).
• Anonymize, block or eliminate unnecessary data (Art. 18, IV).
• Portability in a structured format (open JSON, Art. 18, V).
• Eliminate data processed with consent (Art. 18, VI).
• Revoke consent granularly (analytics, marketing, etc.).
• Know with whom we share your data (Art. 18, VII).
We provide a self-service portal in the vault dashboard: 1-click JSON export (immediate download), account deletion with e-mail confirmation within 24h and a 30-day grace period for second thoughts, and an auditable consent history. To engage the human channel, contact our Data Protection Officer (DPO) at vault.taiva.com.br/dpo or directly at contato@taiva.com.br. Response window: 15 calendar days (Art. 19 §1 LGPD).
Your data is retained while your account is active. After account deletion:
• Vault data (encrypted): deleted immediately from the primary database, and from backups at the next rotation (up to 30 days).
• Operational logs with IP/timestamp: retained for up to 90 days for security audit purposes, then automatically purged (the purge is recorded in the Bitcoin-anchored audit chain).
• Accounts inactive for 24 months receive an e-mail warning 30 days before deletion, with the full window available to export data.
Backups are encrypted with Restic under keys separate from the production systems. Because vault contents are already encrypted client-side before they reach the server, backups hold only ciphertext: even the operator, or anyone holding the Restic repository key, cannot read vault content without the user's password.
The vault uses a single HttpOnly session cookie with SameSite=Strict, only to keep you authenticated during the session. There are no tracking cookies, advertising, third-party analytics, device fingerprinting or retargeting. In your browser, we store the following in IndexedDB: encrypted vault ciphertext chunks (only during the active session, discarded on logout) and UI preferences (theme, ordering). Everything clears on logout or when switching devices. If error telemetry or product analytics are used (Sentry for error reports, with rigorous PII scrubbing), you are asked to consent before the first collection and can revoke at any time from the dashboard.
General service questions: contato@taiva.com.br. LGPD rights requests, security incident reports, legal requisitions: contato@taiva.com.br or vault.taiva.com.br/dpo. Response within 15 calendar days. Security vulnerability reporting: contato@taiva.com.br with [SECURITY] prefix in the subject. Initial response SLA within 48 business hours. Non-retaliation policy for good-faith research. Details at /disclosure. This policy may be updated to reflect changes in the service or in applicable law. Material changes are communicated by e-mail 30 days in advance. Version history published at /changelog.