Kaizen Vault v0.9-beta

01 · A PASSWORD MANAGER — ANDROID

A vault we can’t open.

Your secrets are sealed on your phone with keys derived from a PIN that never leaves the device. Our servers store envelopes and salts. Not plaintext. Not your master key. Not anything we could turn over.

  • Hardware-backed
  • End-to-end encrypted
  • On-device only
  • Zero-knowledge
  • Closed beta
02 · AXIOMS

Axioms

  I. The server must not be able to read a single vault item, ever — including under subpoena, breach, misconfiguration, or a malicious operator.

  II. All decryption happens on your phone. Your PIN, master key, per-item keys, and TOTP seeds never travel.

  III. We ship zero analytics, crash reporters, attribution kits, or third-party SDKs. The release APK contains no telemetry surface at all.

  IV. Cryptography is boring on purpose. We use libsodium, Argon2id, and the Android Keystore the way their authors intended — no invented primitives, no clever twists.

03 · ARCHITECTURE

A vault in layers.

Your PIN opens a wrapping key. The wrapping key opens the vault key. The vault key opens per-item keys. Each layer is independent and revocable. Every step happens on your phone.

Even our own admins can’t open your vault — we don’t hold a key they could use. Recovery is via a sealed handoff to a recipient you pick, gated by your own consent.
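
The layering described above, sketched as an added example (not Kaizen Vault's code): Node's built-in scrypt and AES-256-GCM stand in for Argon2id and libsodium, the Android Keystore and hardware PIN throttling are not modelled, and every function name and parameter is an assumption made for illustration. It shows that the stored record holds only a salt and envelopes, and that changing the PIN re-wraps the vault key without touching any item envelope.

```javascript
// Added illustration, not Kaizen Vault code. scrypt and AES-256-GCM from Node's
// crypto module are stand-ins for Argon2id and libsodium (assumption).
const crypto = require('crypto');

// AEAD-seal `plaintext` under a 32-byte key; returns an envelope {nonce, ct, tag}.
function seal(key, plaintext) {
  const nonce = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, nonce);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return { nonce, ct, tag: c.getAuthTag() };
}

// Open an envelope; throws if the key is wrong or the envelope was modified.
function unseal(key, env) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, env.nonce);
  d.setAuthTag(env.tag);
  return Buffer.concat([d.update(env.ct), d.final()]);
}

// Layer 1: PIN + salt -> wrapping key. Cost parameters are illustrative only.
function wrappingKey(pin, salt) {
  return crypto.scryptSync(pin, salt, 32, { N: 16384, r: 8, p: 1 });
}

// New vault: the record a server could store is a salt plus envelopes, nothing else.
function createVault(pin) {
  const salt = crypto.randomBytes(16);
  const vaultKey = crypto.randomBytes(32); // random, never derived from the PIN
  return { salt, wrappedVaultKey: seal(wrappingKey(pin, salt), vaultKey), items: {} };
}

// Layer 2: the wrapping key opens the vault key. A wrong PIN fails authentication.
function unlock(vault, pin) { return unseal(wrappingKey(pin, vault.salt), vault.wrappedVaultKey); }

// Layer 3: each item gets its own random key, wrapped under the vault key.
function putItem(vault, vaultKey, name, secret) {
  const itemKey = crypto.randomBytes(32);
  vault.items[name] = { wrappedKey: seal(vaultKey, itemKey), body: seal(itemKey, Buffer.from(secret)) };
}
function getItem(vault, vaultKey, name) {
  return unseal(unseal(vaultKey, vault.items[name].wrappedKey), vault.items[name].body).toString();
}

// Changing the PIN replaces only the salt and the wrapped vault key.
function changePin(vault, oldPin, newPin) {
  const vaultKey = unlock(vault, oldPin);
  vault.salt = crypto.randomBytes(16);
  vault.wrappedVaultKey = seal(wrappingKey(newPin, vault.salt), vaultKey);
}
```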

04 · STANDARDS WE TRUST

Boring, on purpose.

We use well-reviewed building blocks the way their authors intended. No invented primitives, no clever twists. The interesting work is in the trust model, not the crypto soup.

05 · THREAT MODEL

What we defend against. And what we don’t.

We’d rather be honest about the edges than market a perfect shield. Here’s the line we drew.

Defended

  • Full server compromise. Even with root on our backend and database, an attacker cannot read your items.
  • Database leak. Dump the whole table — there is no plaintext to find. What sits in our database cannot be opened without keys that only live on your phone.
  • Network interception. The app refuses traffic to anything that is not the legitimate API. A man-in-the-middle gets nothing usable.
  • Lost or stolen device. PIN attempts are throttled in hardware; biometric retries fall back to the OS lockout policy. Repeated guesses lock the vault, not just the screen.
  • Stolen session token. Captured credentials cannot be replayed elsewhere. Each request is tied to the device that made it.
  • Malicious admin. We cannot hand over your vault, because we never had a key to it.

Out of scope

  • Compromised phone OS. If a kernel-level rootkit owns Android, no userspace app can defend itself.
  • Keylogger on your device. A trojan that records the PIN as you type it bypasses every cryptographic guarantee we offer.
  • Shoulder surfing. If a person watches you type your PIN, that is a meatspace problem.
  • Five-dollar wrench attack. If you are coerced to unlock the vault, the math is not on our side.
  • Forgotten PIN with no recovery contact. We can’t reset it. That’s the price of zero-knowledge.
06 · TELEMETRY

ZERO analytics.
ZERO crash reporters.
ZERO attribution kits.
ZERO third-party SDKs.

Grep the release APK. You will not find Crashlytics, Sentry, Mixpanel, Amplitude, Adjust, or any of their cousins. The only network destinations the app talks to are our own API and the Play Integrity verifier — both signed and pinned.

07 · ACCESS

Closed beta. By invitation.

We are not in the Play Store yet. We are signing up testers slowly, one device class at a time, until the threat model holds up under daily use. Drop your email and we will open a slot when we can carry one more.

  • Android 10 and up, Play Services present
  • Real device only — emulators rejected
  • You agree to file a single weekly report
  • No NDA — bring your findings public if you like
FORM // 07.2

Goes to kaizenstudio1926@gmail.com. We do not store it anywhere else.