BVWA (Web API) The public-facing service handling authentication and storage of encrypted secret blobs. It possesses no decryption logic.
BVKS (Key Service) The isolated cryptographic engine performing all encryption and decryption in locked memory. It never persists secret values.
Secret A sensitive key/value pair (e.g., API tokens, database credentials) stored as ciphertext.
Workspace A logical grouping of environments, typically representing a specific project or department.
Environment
The deployment scope, such as production, staging, or development.
SUK (System User Key) The top-level customer key wrapped by the KSK.
WSK (Workspace Key) A key specific to a workspace, wrapped by the SUK.
EVK (Environment Key) A key specific to a deployment environment, wrapped by the WSK.
DEK (Data Encryption Key) A derived key (via HKDF) used to encrypt the actual secret payload.
Zeroization The immediate overwriting of volatile memory segments to ensure cryptographic material cannot be recovered post-operation.
POPIA Protection of Personal Information Act; the South African regulatory framework governing the management of customer metadata.
CLOUD Act Immunity The legal status of Rundata Systems as a non-US entity with no corporate nexus in the United States, protecting data from extraterritorial warrants.
Sovereign Hosting A deployment model where BlindVault is provisioned on infrastructure physically located within a specific nation's borders.