Trust & Security
Security you can put in front of an auditor.
PassVision is built for the most scrutinized environments. Here is exactly how we handle deployment, data, and authorization.
Deployment & data residency
Your infrastructure, never ours.
PassVision is self-hosted on-prem or in your own cloud, never multi-tenant SaaS. Active Directory Protection and the breached-password database can run fully air-gapped, with high availability supported. Your credential data stays inside your perimeter.
On-prem or your own cloud
Self-hosted in your environment, never multi-tenant SaaS. High availability supported.
Air-gapped Active Directory Protection + breach DB
Real-time enforcement and the breached-password database can run entirely offline.
Data stays in your perimeter
Your credential data never crosses into a vendor tenant; residency stays yours.
Data handling
Irreversible by design.
How PassVision treats the data it does touch: narrowly, and without plaintext on the screening path.
On the Active Directory screening path, checks run on irreversible fingerprints; no plaintext password leaves your environment.
Encryption in transit and at rest across the platform.
Role-based access and LDAP integration.
The free auditor is read-only and leaves no agent behind.
Authorized verification · Web Credential Verification
How we keep live verification safe and defensible.
Actively verifying a leaked credential means attempting a real login, so we constrain it tightly, and put every constraint in writing.
Five constraints on every engagement.
Your applications only. Targets are confined to domains you own and explicitly authorize.
Governed by paperwork. Every engagement is bound by a signed contract, a scope document, and a written authorization, not a checkbox.
No evasion. CAPTCHA and anti-bot defenses are detected, never solved or bypassed; if a site detects us, we stop and report.
Second factor respected. A 2FA/OTP challenge is treated as “password accepted”; we never attempt to defeat it.
Connectivity, by design. Because it reaches live targets, Web Credential Verification requires outbound access and is not represented as an air-gapped function.
Compliance alignment
Built to support your obligations.
PassVision's policy engine is aligned with NIST 800-63B, and its self-hosted, no-data-egress design supports KVKK and GDPR data-handling requirements and produces audit-ready evidence for regulators such as BDDK. We state alignment and support only; we don't claim formal certifications we don't hold.
Aligned
Blocks known-compromised passwords, drops arbitrary composition rules, and enforces context-aware policy, reported as audit-ready evidence.
Supported
Self-hosted with no data egress supports data-residency and data-handling requirements under KVKK and GDPR.
Audit-ready evidence
Verified resets and SIEM-ready logs produce the evidence regulators such as BDDK expect.
Security contact
Reporting a security concern.
For security inquiries and responsible disclosure, contact [email protected].
Preparing for a security review? Bring this page into your assessment, and reach us at [email protected] for documentation.
Common questions
The questions auditors ask first.
Does PassVision store or see our passwords?
No. On the Active Directory screening path, PassVision checks passwords as irreversible fingerprints; no plaintext password is stored, and none leaves your environment. Because PassVision is self-hosted, your credential data stays inside your perimeter.
Can PassVision run on-premises or air-gapped?
Yes. PassVision is self-hosted on-premises or in your own cloud, never multi-tenant SaaS. Active Directory Protection and the breached-password database can run fully air-gapped. Web Credential Verification reaches live external targets, so it requires outbound connectivity.
Is it legal and safe to actively log in with leaked credentials?
Yes, when scoped and authorized. PassVision confines live verification to applications the customer owns and authorizes, governed by a signed contract, scope document, and written authorization. It never bypasses CAPTCHA or anti-bot defenses and never attempts to defeat a second factor.
Bring our security model into your review.
We built PassVision to pass scrutiny. Put it in front of your auditors and see for yourself.