Compliance overview

Vault is designed to support organizations operating under regulatory frameworks that require strong access controls, encryption, and audit trails for sensitive data. This page describes how Vault’s architecture maps to common compliance requirements.

SOC 2

SOC 2 requires controls around security, availability, processing integrity, confidentiality, and privacy. Vault addresses the security and confidentiality criteria directly:

Access controls — Vault enforces role-based access with four privilege levels. Credential-level ACLs restrict access to specific identities. All access requires authentication with scoped tokens.

Encryption — All credential values are encrypted at rest with AES-256-GCM and in transit with TLS 1.3. Encryption keys are managed in an HSM or cloud KMS.

Audit logging — Every credential access, policy change, and administrative action is recorded in an immutable audit log with timestamps, identities, and event details.

Least privilege — Lease-based access ensures credentials are only available for defined time windows. Scoped tokens limit agent access to specific credentials.

GDPR

If your Vault tenant stores credentials that could be considered personal data (such as API tokens tied to individual accounts), GDPR requirements apply:

Data minimization — Vault stores only the credential value and metadata you provide. No additional personal data is collected.

Right to erasure — Credentials can be deleted from a tenant. When a credential is deleted, the encrypted value is removed and cannot be recovered. Audit log entries referencing the credential are retained per the retention schedule but do not contain the credential value.

Data processing records — The audit log serves as a record of processing activities for credential data. It documents who accessed what and when.

Cross-border transfers — Vault supports data residency configuration. Enterprise customers can specify the geographic region where their tenant’s data is stored.

HIPAA

Organizations handling protected health information (PHI) may use Vault to manage credentials for systems that process PHI. Vault supports HIPAA compliance through:

Access controls — Role-based access and credential-level ACLs satisfy the requirement for access management. Only authorized individuals and agents can access specific credentials.

Audit controls — The immutable audit log records all credential access, satisfying the requirement for audit trail maintenance. Audit entries include the identity, timestamp, credential name, and purpose.

Transmission security — TLS 1.3 encryption for all API communication satisfies the requirement for protecting ePHI in transit.

Encryption — AES-256-GCM encryption for credential values at rest satisfies the requirement for protecting ePHI at rest, where the stored credentials either constitute ePHI themselves or grant access to ePHI.

A Business Associate Agreement (BAA) is available for Enterprise plan customers.

Data retention

Vault’s data retention policies are designed to balance compliance requirements with privacy:

Credential values — Retained while the credential is in the active or rotated state. Deleted when the credential is revoked or deleted by a tenant admin. Previous values from rotation are retained until all leases referencing them have expired.

Audit log entries — Retained per the tenant’s plan (30 days for Free, 1 year for Pro, 2 years for Team, custom for Enterprise). Audit entries do not contain credential values. After the retention period, entries are archived and can be exported on request.

Tenant data — When a tenant is deleted, all credential ciphertext, wrapped DEKs, and KEKs are destroyed. Audit log entries are retained per the compliance retention schedule with the tenant ID as the only identifier.

Compliance exports

Vault provides tools for generating compliance reports and exporting audit data:

# Export audit log for a compliance review
npx @ghoststack/vault-cli audit-log export \
  --tenant my-org \
  --token $VAULT_TOKEN \
  --since 2026-01-01 \
  --until 2026-03-31 \
  --format json \
  --output q1-audit.json

# Generate an access summary report
npx @ghoststack/vault-cli compliance report \
  --tenant my-org \
  --token $VAULT_TOKEN \
  --type access-summary \
  --period 2026-Q1

The access summary report lists all credentials, who accessed them, how many leases were created, and the average lease duration. This is useful for periodic access reviews required by many frameworks.
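One way to carry out the periodic access review described above against an exported audit log, as an added example that is not part of Vault or its CLI: it assumes each exported entry has timestamp, identity, credential, event and lease_ttl_seconds fields (an assumed schema; adapt the names to the real export) and reports, per credential, who obtained leases, how many, the mean lease TTL, and any identity not on an expected-accessor list.

```python
import json
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample of an export; the field names are an assumed schema.
SAMPLE_EXPORT = json.dumps([
    {"timestamp": "2026-01-14T09:02:11Z", "identity": "agent:billing-worker",
     "credential": "stripe-api-key", "event": "lease.create", "lease_ttl_seconds": 900},
    {"timestamp": "2026-02-03T17:45:00Z", "identity": "user:alice",
     "credential": "stripe-api-key", "event": "lease.create", "lease_ttl_seconds": 3600},
    {"timestamp": "2026-02-03T17:46:10Z", "identity": "user:alice",
     "credential": "stripe-api-key", "event": "policy.update"},
    {"timestamp": "2026-03-20T03:12:45Z", "identity": "user:bob",
     "credential": "prod-db-password", "event": "lease.create", "lease_ttl_seconds": 1800},
])


def _ts(s):
    """Parse an ISO-8601 timestamp or date (optional trailing Z) as aware UTC."""
    dt = datetime.fromisoformat(s.replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def access_summary(raw_export, since, until, expected=None):
    """Per credential: identities that obtained leases, lease count, mean TTL,
    and identities not on the expected list. `since` inclusive, `until` exclusive."""
    lo, hi = _ts(since), _ts(until)
    expected = expected or {}
    per_cred = defaultdict(lambda: {"ids": set(), "leases": 0, "ttl": 0})
    for e in json.loads(raw_export):
        # Only lease creations inside the period count as access; policy
        # changes and other events stay in the log but are not access.
        if e["event"] != "lease.create" or not (lo <= _ts(e["timestamp"]) < hi):
            continue
        rec = per_cred[e["credential"]]
        rec["ids"].add(e["identity"])
        rec["leases"] += 1
        rec["ttl"] += e["lease_ttl_seconds"]
    return {
        cred: {
            "identities": sorted(rec["ids"]),
            "leases": rec["leases"],
            "avg_lease_seconds": rec["ttl"] / rec["leases"],
            "unexpected": sorted(rec["ids"] - set(expected.get(cred, ()))),
        }
        for cred, rec in per_cred.items()
    }


if __name__ == "__main__":
    print(json.dumps(access_summary(SAMPLE_EXPORT, "2026-01-01", "2026-04-01"), indent=2))
```

Entries in the "unexpected" list are the ones to follow up on during the review; an empty list for every credential means the quarter's access matched the approved set.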

Enterprise compliance features

Enterprise plan customers receive additional compliance support:

  • Custom audit log retention periods
  • Data residency controls (choose storage region)
  • Dedicated infrastructure deployment option
  • BAA for HIPAA covered entities
  • Annual penetration test results under NDA
  • SOC 2 Type II report access

Contact sales@ghoststack.dev for details on Enterprise compliance features.