Security

Your family's data is a sacred trust.

Unyt is built so the most sensitive parts of your vault stay readable only to you and the people you explicitly trust. Here is exactly how we do that — and what we deliberately do not do.

The four pillars

Client-side encryption for sensitive credentials

Vault entries (passwords, secret notes, master credentials) are encrypted on your device with a key derived from your master password before anything sensitive reaches our servers. Even if our database were breached, an attacker would see ciphertext — not your secrets.

Master password is yours alone

Your master password is never transmitted to or stored on our servers. We store only a wrapped data-encryption key (DEK) and the KDF parameters needed to re-derive your key when you sign in. If you forget the master password, we cannot recover the encrypted contents — by design.

Account is the key

Your information only appears when you are signed in. In family mode, only people you have invited — and who belong to your family in the app — can see what you choose to share. Visibility is private, family, or shared, with explicit access levels.

Granular Me / Family / Shared visibility

Every account, policy, document, and contact carries a visibility flag. You decide on each item whether it is private to you, visible to your family space, or shared with specific members. Collaboration without giving up governance.

Practices

  • Transport security

    All traffic is served over HTTPS with HSTS. We do not accept downgrade.

  • Data residency

    Production data is stored in MongoDB Atlas in the AP-South (Mumbai) region, in line with Indian data-localisation expectations.

  • No data sales, no model training

    We do not sell your data. We do not use your account contents, documents, or vault entries to train AI models. Document parsing happens in scoped, ephemeral pipelines you trigger explicitly.

  • Auth and session controls

    Sessions expire on inactivity. Sensitive actions (password vault unlock, family invitation acceptance, account deletion) require re-authentication.

  • Independent audits

    We are working toward third-party security certification. We will publish dated attestations here as they are completed — we will not list certifications we do not yet hold.

  • Responsible disclosure

    Found a vulnerability? Email security@unyt.money. Our security.txt is published at /.well-known/security.txt. We acknowledge reports within two business days.

What we will not do

  • We will not sell your data — to anyone, ever.
  • We will not train AI models on your account contents, documents, or vault.
  • We will not show third-party advertising inside Unyt.
  • We will not require you to share more than you want to with your family.
  • We will not claim certifications we do not hold.

Report a security issue

We take responsible disclosure seriously. Reach us at security@unyt.money — we acknowledge reports within two business days.