Every credential and sensitive piece of data your hire touches goes through the Vault — never through email, Slack or DM.
Vault fundamentals
- End-to-end encrypted — keys never leave your workspace unencrypted
- Role-based access — share a credential with one person, one team, or a role (e.g. "all EAs")
- Per-item share policies — view-only, auto-fill-only, or full access
- Audit log — every access, share and revocation is logged with timestamp and IP
What lives in the Vault
- API keys and service credentials
- Corporate card details (CVV is never stored alongside)
- Wire instructions and banking details
- Confidential contracts and NDAs
What doesn't
- Personal passwords your hire uses (they go in their own password manager)
- Anything your hire shouldn't see — just don't share it