Security overview

Product architecture

• Zero-knowledge vault - credentials encrypted locally with AES-256-GCM via Windows CNG
• Argon2id key derivation with DPAPI-protected key wrapping at rest
• No cloud sync or telemetry in Personal edition
• Browser extension uses local-only native messaging

Downloads

Installers are published via GitHub Releases. Verify publisher, SHA-256 checksums, and file signatures before installing in enterprise environments.

Security contact file

Our machine-readable security contact is published at /.well-known/security.txt per RFC 9116.

Responsible disclosure

If you discover a security vulnerability in Fortiva or this website, please report it responsibly to security@studio.icmclab.cloud. Include steps to reproduce and impact assessment. We aim to acknowledge reports within 5 business days.

Please do not test against production systems without prior written authorization.