Trust Center
About heylogin
heylogin is a password manager with full hardware-based end-to-end encryption. This means it is 2-factor secure by default and does not depend on a master password. heylogin is developed and hosted in Germany, with a European focus on privacy.
- Contact our Information Security Officer (ISO) for questions about heylogin's security architecture or to report security vulnerabilities:
- Contact our Data Protection Officer (DPO) for questions about our privacy:
FAQ
Logins are encrypted in strictly separated vaults with the security chips of the respective user devices. Encrypted vaults are automatically synchronized. The heylogin cloud serves as a simple data store and has no means of decrypting the vaults. Only when a security chip is unlocked is a temporary key generated and transmitted over an end-to-end encrypted channel to the respective browser. This temporary key is used by the browser extension to decrypt passwords and other sensitive data so that end-users can be logged into websites.
What if heylogin's cloud servers are compromised?
Even if an attacker gains access to our cloud servers, your login data remains secure. heylogin is built with end-to-end encryption, meaning your usernames and passwords are never stored or processed in plaintext on our servers - they're only ever decryptable on your personal devices.
The decryption keys are securely stored in the hardware security modules of your devices (e.g. Secure Enclave or TPM). To access your data, an attacker would need physical access to your device and your second factor (like biometrics or PIN). Compromising the cloud alone is not enough.
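The property described above and in the architecture overview (the cloud stores only encrypted vaults and holds no key that could open them) can be shown with a small model. This is an added example, not heylogin's code: a device-bound AES-256-GCM key stands in for the security chip, and the `Device`, `Cloud`, `Seal` and `Open` names are assumptions made for the illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Device stands in for a user device. In heylogin the vault key lives in the
// security chip (Secure Enclave / TPM); here it is held inside an AEAD in memory.
type Device struct{ aead cipher.AEAD }

// NewDevice generates a fresh AES-256 key on the device; it is never uploaded.
func NewDevice() *Device {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	block, _ := aes.NewCipher(key)  // cannot fail: key size is fixed above
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block cipher
	return &Device{aead: aead}
}

// Cloud stands in for the heylogin servers: opaque blobs per vault id, no keys.
type Cloud struct{ vaults map[string][]byte }

func NewCloud() *Cloud                        { return &Cloud{vaults: map[string][]byte{}} }
func (c *Cloud) Store(id string, blob []byte) { c.vaults[id] = blob }
func (c *Cloud) Fetch(id string) []byte       { return c.vaults[id] }

// Seal encrypts a plaintext vault; the blob layout is nonce || ciphertext || tag.
func (d *Device) Seal(vault []byte) []byte {
	nonce := make([]byte, d.aead.NonceSize()) // fresh per call, mandatory for GCM
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return d.aead.Seal(nonce, nonce, vault, nil)
}

// Open decrypts and authenticates a blob; a different device key or a tampered
// blob yields an error rather than silently wrong plaintext.
func (d *Device) Open(blob []byte) ([]byte, error) {
	n := d.aead.NonceSize()
	if len(blob) < n {
		return nil, errors.New("blob too short")
	}
	return d.aead.Open(nil, blob[:n], blob[n:], nil)
}
```

A server-side attacker who dumps the `Cloud` map obtains blobs that contain no plaintext and cannot be opened by any device other than the one holding the key.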
Can you, as the provider of heylogin, access my passwords?
No, since all passwords and other sensitive data are encrypted with the security chips of the respective devices of our end-users. By design, we cannot access passwords.
Is heylogin GDPR compliant, and how is my personal data processed?
Yes, heylogin is fully GDPR compliant. We follow a strict privacy-first approach:
Login data stays on your devices: Usernames, URLs, and passwords are never processed on our servers. They are stored only on your devices and synchronized using end-to-end encryption. That means even we can't see your login data - and neither can any third party.
Minimal data collection for support: We collect device metadata only when necessary for troubleshooting and support.
All processing is done in line with the GDPR. You can find the full details in our Data Processing Agreement (DPA).
Are you using any non-European subprocessors?
No. We only work with European subprocessors, in line with our strict privacy standards and full GDPR compliance.
Where are the servers located?
The heylogin production environment is located in Nürnberg, the standby server in Falkenstein. Backups are stored separately in Frankfurt (all mentioned cities are located in Germany). All data centers are ISO 27001 certified.
How can I sign heylogin’s Data Processing Agreement (DPA)?
This Data Processing Agreement automatically enters into force on the day the main agreement is signed and remains in force until the main agreement is terminated.
If desired, it can also be signed by both parties. A request for this can be made via our partner Yousign. This enables the contractor (heylogin GmbH) and client (you) to digitally sign the DPA in a legally valid manner: Submit request via Yousign
Which Terms of Use / Terms & Conditions apply to us?
The Terms of Use apply to all users of heylogin, i.e. the free private accounts, but also to employees in a company who use heylogin. The current Terms of Use can be found here: Terms of Use
If you have purchased heylogin through our sales team, our Terms & Conditions apply, which can be found here: Terms & Conditions
Our order process via credit card or PayPal is handled by our online reseller and "Merchant of Record", Paddle.com, who also handles order-related inquiries and returns. For information about the Paddle order process and your rights as a customer, please read Paddle's Terms & Conditions and Privacy Policy: Terms & Conditions - Paddle
What support do you provide?
We aim to answer general support requests within 2 working days (Mon-Fri). Errors that affect operation will be handled within 8 hours on working days. Critical errors, such as failures of the production environment, are processed within 8 hours on all days of the week (Mon-Sun).
What availability do you provide?
We strive for an availability of 99.9% on annual average. Through our architecture and technical measures for fail-safety, we have achieved an availability of ~99.95% on annual average in 2022, for example. Contractually, we guarantee an availability of 99% on annual average. For a contractually guaranteed higher availability, please contact our sales team.
We recommend checking out our Status Page. This will give you the ability to subscribe for updates, view uptimes, be informed of any outages, and view historical
What Recovery Time Objective (RTO), Recovery Time Actual (RTA), Recovery Point Objective (RPO) does heylogin GmbH provide?
The defined Recovery Time Objective (RTO) of the heylogin service is 8 hours. The measured Recovery Time Actual (RTA) is less than 2 hours. The architecture of heylogin allows us to start a replacement instance of our production environment within a short time. If the data center used by our hosting provider is no longer available, there is a standby server that can be converted into a functioning production environment within a restart time of no more than 30 minutes. No data loss occurs in this case.
The defined Recovery Point Objective (RPO) is 60 minutes. Encrypted backups of the server-side database are automatically created every hour. The backups are stored for 90 days. The database is also actively replicated to the previously mentioned standby server in another data center. With these backups, we protect ourselves against a complete failure of our hosting provider: within a recovery time of at most 60 minutes we can start up a new production environment at an alternative hosting provider. In this case, the heylogin client applications will synchronize login data that is still available locally with the server, reducing the probability of data loss even further.
What happens to my logins if heylogin shuts down?
In the event that heylogin GmbH has to cease operations, we have put clear measures in place: The service will continue to run for at least three months to ensure an orderly transition.
All customers will be informed transparently and in a timely manner. The export function for your logins is already available at any time - and in such a scenario, we'll actively guide you through the process and offer support if needed. This way, we ensure that your digital access remains fully intact, even in exceptional circumstances.