Zero-knowledge security architecture

E2E
Thanks to end-to-end encryption, heylogin GmbH has no access to stored data
2FA
2-factor secure by default and only decryptable via hardware
CRYPTO
Modern cryptographic algorithms
XSalsa20 + Poly1305 and Curve25519

Strict separation between vaults and users

Stored data is encrypted in strictly separated vaults using the security chips of the respective user devices. This setup allows users to access their personal vault and authorized team vaults within an organization.

Additionally, all vaults are encrypted with the security chips of admins, enabling cryptographic recovery in case a device is lost or replaced. However, admins cannot access passwords stored in personal vaults.

All access - whether by admins or users - is end-to-end encrypted and requires the respective security chip for decryption. heylogin GmbH operates under a strict security architecture, ensuring that we have no access to your data.

Hardware-based end-to-end encryption

1. Synchronisation of the encrypted vaults

All vaults associated with a user are automatically synchronized in the background. All devices - whether apps or browser extensions - stay connected to the cloud via a streaming connection, receiving vault updates instantly. The heylogin cloud functions solely as a storage service and has no ability to decrypt the vaults.

2. Unlocking the security chip

When a browser extension requests decryption, the associated device is notified. The security chip is then unlocked locally using a second factor, such as a fingerprint, face unlock, or PIN. Once unlocked, the security chip generates a temporary key, which is transmitted to the browser extension via an end-to-end encrypted communication tunnel.

3. Temporary key decrypts the vaults

The browser extension uses the received temporary key to decrypt the synchronized vaults, allowing the user to log in to websites securely. Any changes made to the data are automatically synchronized across all devices.
The explanations on this page are simplified for clarity.
For in-depth details on cryptography and security protocols, please refer to our Security Whitepaper.
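
The three steps above, modelled end to end as an added example (not heylogin's code or protocol): the cloud holds only ciphertext, the device sends a temporary key through an X25519-keyed tunnel, and the extension uses it to open the synced vault. Assumptions: the temporary key is modelled as the vault's symmetric key, the two public keys were exchanged at pairing, ChaCha20-Poly1305 stands in for XSalsa20 + Poly1305 because Node's standard library has no XSalsa20, and all function names are hypothetical.

```javascript
// Added illustration, not heylogin's code; every name here is hypothetical.
const nodeCrypto = require('node:crypto');

// AEAD box: nonce || tag || ciphertext. The page names XSalsa20 + Poly1305;
// Node's standard library lacks XSalsa20, so ChaCha20-Poly1305 stands in.
function seal(key, plaintext) {
  const nonce = nodeCrypto.randomBytes(12);
  const c = nodeCrypto.createCipheriv('chacha20-poly1305', key, nonce, { authTagLength: 16 });
  const body = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([nonce, c.getAuthTag(), body]);
}

function open(key, box) {
  const d = nodeCrypto.createDecipheriv('chacha20-poly1305', key, box.subarray(0, 12), { authTagLength: 16 });
  d.setAuthTag(box.subarray(12, 28));
  return Buffer.concat([d.update(box.subarray(28)), d.final()]); // throws if key or data is wrong
}

// X25519 agreement followed by HKDF gives both tunnel ends the same 32-byte key.
function tunnelKey(myPrivate, peerPublic) {
  const shared = nodeCrypto.diffieHellman({ privateKey: myPrivate, publicKey: peerPublic });
  return Buffer.from(nodeCrypto.hkdfSync('sha256', shared, Buffer.alloc(0), 'tunnel-demo', 32));
}

function runFlow() {
  // Step 1: the cloud stores and syncs ciphertext only.
  const vaultKey = nodeCrypto.randomBytes(32); // assumption: stands in for the chip-protected key
  const cloudBlob = seal(vaultKey, Buffer.from('{"example.com":"constructed-password"}'));

  // Step 2: device and extension each hold an X25519 pair (assumed exchanged at pairing).
  const dev = nodeCrypto.generateKeyPairSync('x25519');
  const ext = nodeCrypto.generateKeyPairSync('x25519');
  // After the local unlock, the device sends the temporary key through the tunnel.
  const relayed = seal(tunnelKey(dev.privateKey, ext.publicKey), vaultKey);

  // Step 3: the extension recovers the temporary key and decrypts the synced vault.
  const tempKey = open(tunnelKey(ext.privateKey, dev.publicKey), relayed);
  const vault = open(tempKey, cloudBlob).toString();

  // The relay sees cloudBlob and relayed but holds no private key: a guessed key fails.
  let relayCanRead = true;
  try { open(nodeCrypto.randomBytes(32), relayed); } catch { relayCanRead = false; }
  return { vault, relayCanRead };
}

console.log(runFlow());
```

The tunnel is only as trustworthy as the public keys it is built from, so a real deployment has to authenticate them when the device and extension are paired.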

heylogin supports

Smartphone

Security Key

Touch ID / Windows Hello

Smartwatch

Locations

heylogin GmbH is based in Braunschweig. Our production system runs on Hetzner servers in Nuremberg, with a standby server in Falkenstein for rapid failover in emergencies. Independent backups are securely stored at IONOS, ensuring recovery in case of a complete failure at Hetzner.

The ISMS of heylogin GmbH is ISO 27001:2022 certified, and heylogin is fully GDPR-compliant, relying exclusively on European sub-processors.

heylogin Security Whitepaper
