
npoturnak | 3 years ago

Thank you for reading through the security paper. Please find below the relevant points that explain the product's security.

1. We have been very diligent and do not expose any sensitive user-related metadata in any public API that is unauthenticated. The APIs are protected using authenticated sessions that are established with unphishable passwordless MFA.

2. There are multiple things to highlight here. First of all, the user credentials use client-side cryptography, and there are no keys in the cloud infrastructure for an attacker, or even the idemeum team, to decrypt with. Second, the credentials are protected with AEAD, which adds an additional integrity and authenticity check on the encrypted data. Third, we have diligently provisioned the cloud infrastructure using private VPCs, subnets, security groups and role-based access, which makes it harder for an attacker.

3. The idemeum password vault does not persist the user key in the extension's local storage. The key is broken into shares using a cryptographic algorithm and distributed among multiple parties. The key is reassembled when a sufficient number of shares are combined; it is used on demand when required and then discarded.

4. Saving the recovery key in a third-party cloud is optional. Users can choose to save the recovery key in their personal backup if needed.
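The threshold key-splitting scheme described in point 3 (shares handed to multiple parties, key reassembled only when enough shares are combined) is illustrated below with Shamir's secret sharing over a prime field. This is an added example, not idemeum's code: the comment does not name the algorithm used, so Shamir's scheme, the 16-byte key, the field prime and the 3-of-5 parameters are all assumptions. It covers only the splitting and reassembly step, not how shares are distributed or stored.

```python
"""Threshold splitting of a vault key with Shamir's secret sharing (added example)."""
import secrets

# Mersenne prime 2^127 - 1: large enough to hold a 16-byte key as one field element.
P = (1 << 127) - 1


def split_key(key: bytes, threshold: int, share_count: int) -> list[tuple[int, int]]:
    """Split `key` into `share_count` shares; any `threshold` of them recover it."""
    if not 1 < threshold <= share_count:
        raise ValueError("need 1 < threshold <= share_count")
    secret = int.from_bytes(key, "big")
    if secret >= P:
        raise ValueError("key does not fit in the field")
    # Random polynomial f(x) = secret + a1*x + ... + a_{t-1}*x^(t-1) (mod P).
    # f(0) is the key; every other coefficient is uniformly random, so any
    # t-1 shares reveal nothing about the key.
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(threshold - 1)]
    shares = []
    for x in range(1, share_count + 1):
        y = 0
        for c in reversed(coeffs):          # Horner evaluation of f(x)
            y = (y * x + c) % P
        shares.append((x, y))
    return shares


def recover_key(shares: list[tuple[int, int]], key_len: int = 16) -> bytes:
    """Lagrange-interpolate f(0) from distinct shares; needs at least `threshold` of them."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share indices")
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * -xj) % P
                den = (den * (xi - xj)) % P
        # Basis polynomial l_i(0) = prod_{j != i} (0 - x_j) / (x_i - x_j)
        secret = (secret + yi * num * pow(den, -1, P)) % P
    return secret.to_bytes(key_len, "big")


if __name__ == "__main__":
    vault_key = secrets.token_bytes(16)          # constructed sample key
    shares = split_key(vault_key, threshold=3, share_count=5)
    assert recover_key(shares[:3]) == vault_key   # any 3 shares suffice
    assert recover_key(shares[:2]) != vault_key   # 2 shares yield a different value
    print("3-of-5 reconstruction OK")
```

With fewer than `threshold` shares the interpolation still returns a field element, but it is unrelated to the key; the scheme's security rests on that, not on detecting the shortfall.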
