Security, explained clearly

Your vault is yours. Here is what that means.

Security should be understandable before you trust it. This is the plain-English version of how Stax Pass is designed to protect your information—and the limits that come with that protection.

The short version

Your information is locked on your device before it is synced.

Our service is built to store the protected copy needed to sync your vault. It is not meant to hold a readable copy of your passwords, private notes, recovery phrase, or vault keys.

  • Your password is one way to unlock your vault.
  • Your 12- or 24-word recovery phrase is your backup way in.
  • Your email code proves you control an inbox. It does not unlock your vault.
  • Stax Pass support cannot see a secret copy of your vault or make a replacement key.

What happens when you use Stax Pass

Think of the service as a secure delivery system—not a keeper of your open safe.

  1. 1

    You create a password.

    Your device uses it to unlock protected key material locally. Stax Pass does not receive your password as readable text or keep it in a customer-support database.

  2. 2

    Your vault is locked before it travels.

    When you save a password or private note, the app encrypts it before protected records are synced. The server needs the locked record to keep your devices in step; it is not supposed to receive the readable item inside.

  3. 3

    A new device must earn access.

    Email verification and trusted-device approval help stop an unfamiliar device from quietly joining your account. Those checks protect the account entrance; they are not a substitute for your vault password or recovery phrase.

  4. 4

    You hold the backup key.

    Your recovery phrase is another path to unlock your vault on a new device. Keep it private and offline, like a spare house key. The raw words are not sent to our API for safekeeping.

What is meant to stay private

Your readable vault contents, raw password, recovery phrase, and raw vault keys. Encryption is designed to happen locally so these do not need to be readable by our service.

What the service still needs

Your email address, account and device records, protected vault records, wrapped key records, sync information, and security-event history. We need this to operate the account and sync safely.

Password, phrase, and email are different things

Each one has a different job.

Your password

Your everyday way into the vault. Choose a unique, strong password and do not share it.

Your recovery phrase

Your offline backup path if you forget the password. Store it somewhere safe—not in an unprotected note, screenshot, or email.

Your email code

A short-lived account-security check. It helps confirm the email inbox is yours, but it cannot decrypt your vault or replace your recovery phrase.

Please read this before you rely on us

There is no secret reset button.

You lose your password but still have your recovery phrase. You can use the recovery path to regain access and set a new password.

You lose your recovery phrase but still know your password. Sign in, replace the recovery protection, and store the new phrase safely.

You lose both but are still signed in on an unlocked device. Treat that as urgent: set a new password and recovery phrase while you still have access.

You lose both and no longer have an unlocked device. Your vault cannot be decrypted. Stax Pass cannot retrieve it, support cannot reset it, and we do not keep a backdoor.

That may feel strict. It is also the point: nobody else should have the power to open your vault just because they have your email address or can contact support.

What we cannot protect you from alone

Good security still needs your help.

  • Phishing: never give your password, recovery phrase, or six-digit verification code to someone who contacts you. Stax Pass support will not ask for them.
  • An unlocked or compromised device: encryption cannot undo someone already controlling your unlocked phone or computer. Keep your device updated and protected.
  • A weak or reused password: our password protection is designed to make guessing harder, but it cannot make a password that is already known to someone else safe.
  • A lost recovery phrase: it is your responsibility to keep the phrase available and private. We deliberately do not keep a spare usable copy.

The technical reference

What the names mean in practice.

Stax Pass is designed around public, reviewed cryptography—not a secret recipe. These are the tools behind the protections described above.

XChaCha20-Poly1305 Vault encryption

Think of this as the lock and tamper seal on a vault record. It protects the contents from being read and helps the app detect a record that was altered.

Argon2id Password protection

This deliberately expensive process turns your password into temporary unlock material on your device. It is designed to make large-scale password guessing far more costly. It does not make a weak or reused password safe.

RFC 9807 OPAQUE Private proof of your secret

This is the login and recovery proof system. It lets the app and service verify your password or recovery phrase without handing the raw words to the API as a reusable secret.

HPKE, X25519, and HKDF-SHA256 Secure sharing

When secure sharing is used, these tools create a protected copy for the intended recipient rather than exposing a shared vault key as readable data.

The crypto core runs locally on your device, uses secure operating-system randomness, and is designed to fail closed: damaged or unauthenticated protected data should be rejected instead of quietly accepted.

Questions about security? Contact Stax Pass security.