Skip to content

Trust & Security

Security you can put in front of an auditor.

PassVision is built for the most scrutinized environments. Here is exactly how we handle deployment, data, and authorization.

Request a Demo Contact Us
SELF-HOSTED, NEVER SAAS·IRREVERSIBLE FINGERPRINTS·AIR-GAP SUPPORTED·AUTHORIZED BY CONTRACT

Deployment & data residency

Your infrastructure, never ours.

PassVision is self-hosted on-prem or in your own cloud, never multi-tenant SaaS. Active Directory Protection and the breached-password database can run fully air-gapped, with high availability supported. Your credential data stays inside your perimeter.

On-prem or your own cloud

Self-hosted in your environment, never multi-tenant SaaS. High availability supported.

Air-gapped Active Directory Protection + breach DB

Real-time enforcement and the breached-password database can run entirely offline.

Data stays in your perimeter

Your credential data never crosses into a vendor tenant; residency stays yours.

YOUR ENVIRONMENT · NO DATA EGRESS
ACTIVE DIRECTORY PROTECTION
AIR-GAP CAPABLE
CONTROLLER
POLICY · ORCHESTRATION
BREACH DATABASE
AIR-GAP CAPABLE
WEB CREDENTIAL VERIFICATION AUTHORIZED TARGETS ONLY OUTBOUND, BY AUTHORIZATION

Data handling

Irreversible by design.

How PassVision treats the data it does touch: narrowly, and without plaintext on the screening path.

NO PLAINTEXT ON THE AD PATH

On the Active Directory screening path, checks run on irreversible fingerprints; no plaintext password leaves your environment.

ENCRYPTION

Encryption in transit and at rest across the platform.

ACCESS CONTROL

Role-based access and LDAP integration.

MINIMAL FOOTPRINT

The free auditor is read-only and leaves no agent behind.

Authorized verification · Web Credential Verification

How we keep live verification safe and defensible.

Actively verifying a leaked credential means attempting a real login, so we constrain it tightly, and put every constraint in writing.

Five constraints on every engagement.

01

Your applications only. Targets are confined to domains you own and explicitly authorize.

02

Governed by paperwork. Every engagement is bound by a signed contract, a scope document, and a written authorization, not a checkbox.

03

No evasion. CAPTCHA and anti-bot defenses are detected, never solved or bypassed; if a site detects us, we stop and report.

04

Second factor respected. A 2FA/OTP challenge is treated as “password accepted”; we never attempt to defeat it.

05

Connectivity, by design. Because it reaches live targets, Web Credential Verification requires outbound access and is not represented as an air-gapped function.

The authorization chain
01SIGNED CONTRACT
02SCOPE DOCUMENT
03WRITTEN AUTHORIZATION
04VERIFY · OWNED DOMAINS ONLY

Compliance alignment

Built to support your obligations.

PassVision's policy engine is aligned with NIST 800-63B, and its self-hosted, no-data-egress design supports KVKK and GDPR data-handling requirements and produces audit-ready evidence for regulators such as BDDK. We state alignment and support only; we don't claim formal certifications we don't hold.

NIST 800-63B

Aligned

Blocks known-compromised passwords, drops arbitrary composition rules, and enforces context-aware policy, reported as audit-ready evidence.

KVKK / GDPR

Supported

Self-hosted with no data egress supports data-residency and data-handling requirements under KVKK and GDPR.

BDDK

Audit-ready evidence

Verified resets and SIEM-ready logs produce the evidence regulators such as BDDK expect.

Security contact

Reporting a security concern.

For security inquiries and responsible disclosure, contact [email protected].

Preparing for a security review? Bring this page into your assessment, and reach us at [email protected] for documentation.

Common questions

The questions auditors ask first.

Does PassVision store or see our passwords?

No. On the Active Directory screening path, PassVision checks passwords as irreversible fingerprints; no plaintext password is stored, and none leaves your environment. Because PassVision is self-hosted, your credential data stays inside your perimeter.

Can PassVision run on-premises or air-gapped?

Yes. PassVision is self-hosted on-premises or in your own cloud, never multi-tenant SaaS. Active Directory Protection and the breached-password database can run fully air-gapped. Web Credential Verification reaches live external targets, so it requires outbound connectivity.

Is it legal and safe to actively log in with leaked credentials?

Yes, when scoped and authorized. PassVision confines live verification to applications the customer owns and authorizes, governed by a signed contract, scope document, and written authorization. It never bypasses CAPTCHA or anti-bot defenses and never attempts to defeat a second factor.

See all frequently asked questions →

Bring our security model into your review.

We built PassVision to pass scrutiny. Put it in front of your auditors and see for yourself.

Request a Demo Contact Us