
Terms of Service

Last updated: May 26, 2026

Please read carefully. By creating an account you agree to these terms. If in doubt, write to contato@taiva.com.br.

1. Acceptance of terms

By creating an account on TAIVA Vault you declare that you have read, understood and fully accepted these Terms of Service and the Privacy Policy. If you do not agree with any clause, do not use the service. The service is operated by Rogério A. Santana, with an official channel at contato@taiva.com.br. The terms are governed by Brazilian law, in particular: General Personal Data Protection Law (LGPD, Law 13.709/2018), Internet Civil Framework (Law 12.965/2014), Consumer Defense Code (CDC, Law 8.078/1990) and Civil Code (Law 10.406/2002).

2. Service description

TAIVA Vault is a password and secrets manager with real PAKE authentication (OPAQUE-3DH, RFC 9497) and post-quantum hybrid encryption (ML-KEM-1024, NIST FIPS 203 category 5, combined with AES-256-GCM). It allows you to:
• Store credentials, 2FA TOTP codes, encrypted notes, attachments and scanned documents.
• Generate passwords and codes via CSPRNG.
• Optionally check passwords against public breach datasets (HIBP via our own proxy).
• Configure native digital inheritance with a customizable Dead Man's Switch.
• Use travel mode (hide sensitive vaults during border crossings).
• Use the Firefox extension with autofill, federated authentication and copy-to-clipboard with 30s expiration.
• Operate under 2-of-3 MPC threshold distributed across three physical locations (Brazil + Europe).
• Verify a SHA-256 audit chain with daily Bitcoin anchoring via OpenTimestamps.
• Access LGPD self-service: JSON export, account deletion, consent history.
Technical details at /whitepaper. Change history at /changelog. The service is provided "as is", without warranty of uninterrupted operation, freedom from errors or fitness for any particular purpose.

3. Registration and authentication

To use the service you must provide a valid e-mail address under your control. Authentication combines:
• Master password (known only to you; the OPAQUE-3DH protocol guarantees it is never sent to the server in any usable form).
• 6-digit OTP code sent to the registered e-mail (valid for 5 minutes).
• PAKE proof at login: the server confirms you know the password without learning the password (RFC 9497).
You are solely responsible for keeping your master password and your e-mail secure. If you lose your password without a configured recovery key or digital inheritance, the encrypted data becomes permanently inaccessible, including to the operator. Creating multiple accounts for the same person to bypass plan limits or the free trial, or to circumvent a suspension for terms violation, is prohibited.

4. Acceptable use

You agree NOT to use the service to:
• Store unlawful, fraudulent or defamatory content, or content that violates third-party rights.
• Try to access other accounts, bypass authentication, or exploit vulnerabilities without explicit authorization from the operator (reporting channel described in section 9).
• Subject the service to abnormal loads, automated scanning, denial-of-service attacks or quota abuse.
• Create mass accounts via scripts or bots.
• Distribute malware, phishing or any malicious software.
• Resell the service to third parties without written authorization.
• Use the service for any purpose that violates laws applicable in your domicile or in the operator's domicile.
Violations may result in immediate account suspension, without prior notice, with operational logs preserved for up to 90 days for investigation purposes.

5. Plans and limits

TAIVA Vault offers two paid subscription tiers, billed via Asaas:
• Solo — R$ 49/month or R$ 490/year (annual = 2 months free). Single-tenant vault for individual professionals. Includes password vault, AEAD signing, digital inheritance, ZK CPF, biometrics and forensic audit log.
• Professional — starting at R$ 79/month (Core / Plus / Completo plans). Adds multiple workspaces, multi-signer, ZK credential sharing and document templates. Limits vary per plan (50 / 100 / unlimited workspaces).
Every new account starts with a 14-day free trial without a credit card. After the trial, payment method confirmation is required to continue. There is no permanent free plan.
Lifetime (no recurring billing): a subset of owners and beta testers under a closed program. Lifetime access is granted manually by the operator and is not sold.
Payments via Asaas (Pix, credit card or boleto). Cancellation at any time without penalty, with continued access until the end of the already-paid period. Limits may be adjusted without prior notice in case of identified abuse, always notifying the affected user and providing a window for regularization.

6. User responsibility

You are solely responsible for:
• Maintaining your own backup of critical data. The service offers JSON export at any time, at no cost.
• Protecting your master password, recovery e-mail and the devices from which the vault is accessed.
• Verifying the integrity of any extension download (releases signed via Cosign plus Rekor transparency log; verification instructions in the repository's RELEASES.md).
• Ensuring that your use of the service is legitimate and respects the laws applicable in your country.
• Configuring digital inheritance or a recovery key if you want protection against permanent loss due to forgotten credentials.
The service does not replace your own security audit nor additional practices such as multi-factor authentication on your e-mail and on the accounts of the services you store.

7. Limitation of liability

To the maximum extent permitted by Brazilian law, the service operator will NOT be liable for:
• Loss of data due to credentials forgotten by the user (zero-knowledge principle inherent to the service design).
• Temporary unavailability due to maintenance, infrastructure provider failure, fortuitous event or force majeure.
• Unauthorized access resulting from compromise of the user's own device, e-mail, master password or environment.
• Lost profits, indirect, consequential or punitive damages.
In no event will the operator's liability exceed the amount paid by the user for the service in the 12 months prior to the event (R$ 0.00 during the free trial or for lifetime accounts granted at no cost). This limitation does not exclude liability for proven willful misconduct or bad faith by the operator, as provided in the Civil Code and in the CDC.

8. Account suspension and deletion

The operator may suspend or delete accounts that:
• Violate these Terms of Service.
• Show abusive, fraudulent or harmful behavior toward shared infrastructure.
• Remain inactive for a period equal to or greater than 24 months, always with prior notice by e-mail and a 30-day window to export data.
• Are subject to a substantiated court order.
You may delete your account at any time from the vault dashboard, with permanent removal of data within up to 30 days. Encrypted operational logs may be retained for up to 90 days for security audit purposes, as detailed in the Privacy Policy, section 9. In case of suspension due to violation, you have the right to:
• Receive an e-mail communication with the reason for the decision.
• Request a written review, with a response within 15 calendar days.
• Export your data before final deletion, except in cases of a court order to the contrary.

9. Security research

Good-faith security research is encouraged. Disclosure policy: embargo until fix in production (generally 72h for CRIT, 1 week for HIGH). Public credit in the changelog after the fix, with your prior consent. Non-retaliation: good-faith research will not be grounds for legal action. Reporting channel: contato@taiva.com.br with [SECURITY] prefix. Initial response SLA within 48 business hours.

10. Intellectual property

The source code of TAIVA Vault is proprietary to Rogério A. Santana. The "TAIVA Vault" brand and visual identity are also property of the operator. Open-source libraries used are listed at /licenses. The data you store is your property. The operator does not claim rights over the encrypted content of user vaults, nor over metadata that is technically impossible to read (cipherchunks). Public content generated by you in the context of the service (public-format bug reports, contributions, suggestions) may be cited by the operator in communications, always with your consent and credit as agreed.

11. Updates to these terms

These terms may be updated to reflect changes in the service, applicable law or security practices. The current version is always published at vault.taiva.com.br/terms with the date of the last update. Material changes are communicated by e-mail to users at least 30 days in advance. Continued use of the service after the effective date implies acceptance of the new terms. Version history of these terms is available on request to the DPO. Non-material changes (editorial corrections, clarifications without altering obligations) may be applied without prior notice, always noted in /changelog.

12. Contact, jurisdiction and dispute resolution

Questions, exercise of LGPD rights, security incident reports or legal requests should be directed to contato@taiva.com.br (use [SECURITY] prefix in the subject for vulnerabilities). Response within 15 calendar days for LGPD, 48 business hours for critical security, 15 business days for general cases. Amicable settlement attempts precede any legal action. If necessary, the competent jurisdiction is, at the consumer's choice, the consumer's domicile (CDC Art. 101, I) or the Central Court of the District of São Paulo/SP. For disputes between the operator and non-consumer users (commercial or corporate use), the elected jurisdiction is the District of São Paulo/SP.
