Security Disclosure
Last Updated: May 12, 2026
Our commitment to security is absolute. We believe in transparency regarding our security implementation so that security researchers and users can trust the integrity of Scoop Vault.
AES-256 Encryption
All sensitive data stored within Scoop Vault is encrypted using the Advanced Encryption Standard (AES) with a 256-bit key. AES-256 is the first and only publicly accessible cipher approved by the US National Security Agency (NSA) for top-secret information.
Key Derivation
Your 256-bit encryption key is securely derived from your Master Password using PBKDF2 (Password-Based Key Derivation Function 2) with a high iteration count and a unique, randomly generated salt. This significantly slows down offline dictionary and brute-force attacks.
No Plaintext Storage
Your Master Password and the derived encryption key are never stored on the device's persistent storage. The key exists only in volatile memory (RAM) while the vault is unlocked and is explicitly wiped from memory when the vault is locked.
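The Key Derivation and No Plaintext Storage sections above, shown together as an added example. This is not Scoop Vault's code: the page does not state the PBKDF2 hash, the iteration count, the salt length, or how the password is checked at unlock, so HMAC-SHA256, 600,000 iterations, a 16-byte salt, and the stored `verifier` field are all assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumptions, not values from the page: PBKDF2-HMAC-SHA256, 600,000
# iterations, 16-byte salt, and an HMAC "verifier" used to check the password.
ITERATIONS = 600_000
SALT_LEN = 16
KEY_LEN = 32  # 256-bit AES key
VERIFIER_LABEL = b"vault-verifier"  # hypothetical constant


def derive_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Stretch the master password into a 256-bit key."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=KEY_LEN
    )


def create_vault_record(master_password: str) -> dict:
    """Build the only data written to disk; password and key are not in it."""
    salt = os.urandom(SALT_LEN)  # unique, random salt per vault
    key = derive_key(master_password, salt, ITERATIONS)
    verifier = hmac.new(key, VERIFIER_LABEL, hashlib.sha256).digest()
    return {"salt": salt, "iterations": ITERATIONS, "verifier": verifier}


def unlock(master_password: str, record: dict) -> Optional[bytes]:
    """Re-derive the key from the stored salt; return it only if it verifies."""
    key = derive_key(master_password, record["salt"], record["iterations"])
    candidate = hmac.new(key, VERIFIER_LABEL, hashlib.sha256).digest()
    # Constant-time comparison avoids leaking how many bytes matched.
    return key if hmac.compare_digest(candidate, record["verifier"]) else None


if __name__ == "__main__":
    password = "correct horse battery staple"  # constructed sample input
    a = create_vault_record(password)
    b = create_vault_record(password)
    print("same password, different salts:", a["verifier"] != b["verifier"])
    print("correct password unlocks:", unlock(password, a) is not None)
    print("wrong password rejected:", unlock("wrong guess", a) is None)
```

Because the salt differs per vault, a table of keys precomputed for one vault is useless against another, and every offline guess costs the full iteration count.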
Offline Architecture
The most secure data is data that cannot be accessed remotely. Scoop Vault operates entirely offline. It does not request the `INTERNET` permission in Android or iOS. This architectural decision mathematically eliminates remote network attacks, man-in-the-middle attacks, and server breaches.
Biometric Security
When biometric unlock (fingerprint or face) is enabled, the encryption key is stored securely within the device's Trusted Execution Environment (TEE) or Secure Enclave. It is only released back to the app upon successful biometric authentication validated by the OS.
Export Encryption
When you create a backup export, the resulting file is encrypted using the same AES-256 standard and your current Master Password. This ensures your backups are just as secure as the live database on your device.
Vulnerability Reporting
If you are a security researcher and believe you have found a vulnerability in Scoop Vault, please responsibly disclose it to us immediately at security@scooplabstech.com. We take all reports seriously and will investigate them promptly.