Vault

Security

Last updated: June 2, 2026

1. The strongest part of the security model is also its main limit

Vault's free core experience keeps financial records on the device. For Kasa Plus, transactions and tags are encrypted on the device before they are written to cloud infrastructure. This can reduce exposure, but does not guarantee security on its own.

  • Local storage can reduce some risks but does not remove all risks.
  • Kasa Plus records are stored as application-level encrypted envelopes.
  • If the device is exposed, unlocked, or shared, the data can still be affected.

2. In-app protections are limited helper layers

Features such as Privacy Mode and Simple Mode can reduce what is shown on screen, but they are not a substitute for strong access control, full encryption guarantees, or device-level security. They help with visibility, not with every form of compromise.

  • Privacy Mode only applies if the user turns it on.
  • Simple Mode reduces visible detail but does not remove the underlying data.
  • Anyone with direct screen access may still see what is currently visible.

3. Diagnostics infrastructure creates an additional risk surface

Vault may use Firebase, Google, RevenueCat, and Apple services for usage metrics, phone verification, cloud infrastructure, and iOS subscriptions. These dependencies help operate the product, but they also mean some limited technical data may leave the device.

  • Anonymous usage metrics may be enabled by default.
  • This preference can be turned off in the app.
  • Outages or policy changes in third-party services are not fully under our control.

4. There is no full continuity guarantee for price feeds or reminders

Price data depends on outside sources and in-app processing. Reminders depend on device permissions, operating-system behavior, local scheduling, and notification delivery rules. Because of that, the product should not promise that pricing will always be current or that reminders will always arrive on time.

  • Market data may be delayed, incomplete, or unavailable.
  • Reminder delivery may fail or arrive late on some devices.
  • Battery optimization, silent hours, and notification settings can affect delivery.

5. A large part of security still stays with the user

An unlocked phone, shared-device usage, malicious software, screenshots, automatic device backups, or physical theft are not risks the app can fully control. A user-first security page should say this directly instead of overstating what the app can prevent.

  • Using a device lock remains the user's responsibility.
  • Keeping the operating system updated remains the user's responsibility.
  • Anyone with physical access to the device may still have a visibility risk.

6. The recovery code must be protected by the user

In free local use, records may be lost if a phone is damaged, reset, replaced, or the app is removed. Kasa Plus offers encrypted backup, but support cannot guarantee access to record contents if the recovery code is lost.

  • Data loss remains a real practical risk.
  • Keeping the recovery code safe remains the user's responsibility.
  • Encrypted record contents may not always be accessible without that code.

7. Security claims should stay limited and measured

Vault should not be described as 'fully secure,' 'unhackable,' 'never loses data,' or 'bank-grade.' The correct and user-favoring approach is to describe only the protections that actually exist and to state the remaining risks plainly.

  • This product is not a bank or custodial infrastructure.
  • This product is not a financial-advice or execution service.
  • This page should be revised as the technical architecture changes.