Public AGPL-3.0 codebase. France-hosted. HMAC-SHA-256 audit chain verifiable any time, in a single command.
Five technical differentiators, verifiable in the codebase. Not a marketing promise but cryptographic artefacts your CISO can audit themselves.
Most B2B vaults store the vault's private key, encrypted by your master password. Aegirex does not. The private key is generated and held exclusively in your browser (and on your hardware passkey, if you activate one). Our database contains no means of reconstructing it, even if it were to leak tomorrow.
Every action is chained with HMAC-SHA-256. Any retroactive tampering is detected in O(1). A public verification command lets your CISO confirm the integrity of the chain without trusting us.
A personal account plus N memberships in organisations, each paid for by that organisation. Pivot-account model: you never pay out of pocket for your employers.
SAML 2.0 and OIDC included on Free. No paid add-on. A team of three deserves the same protection as a mid-market group.
Secret names, types, URLs: everything is encrypted in the browser, just like the content itself. If our database leaks, the attacker cannot even see that you have a secret named "Production AWS". On a par with Passbolt v5.4+ on this point.
Symfony 7.4 + MariaDB + Redis. Docker Compose in 5 minutes. No feature gated behind the SaaS: it is the same code.
No CLOUD Act. No extra-European sub-processor. An infrastructure that we operate, and that you can audit line by line.
A single region in the Paris area, operated by Scaleway. 3 availability zones, including one in a nuclear-bunker datacenter (DC3 Ile-de-France). Aegirex (the software) is not SecNumCloud-qualified; that qualification applies to the host, and Scaleway is on a SecNumCloud qualification trajectory.
French law, French court, standard DPA drafted in French. Your data does not leave European soil. DPO named, Art. 17/20 rights tooled.
Server, clients, extensions: it is all on GitHub. No closed "Enterprise" module. If Aegirex were to disappear tomorrow, your deployment keeps running.
Hardened Docker image, Symfony binary, clear docs. Symfony 7.4 + MariaDB 11 + Redis stack. Air-gap supported. You stay sole master.
Demonstration on the demo instance. No promises: only what the code does.
Verbatims de design partners qui contribuent à façonner Aegirex depuis sa phase pilote. Identités préservées à leur demande.
Nous gérons des secrets clients pour trente missions en parallèle. Le critère n°1 n'est pas le prix : c'est que ces secrets ne puissent pas être lus par un éditeur tiers, même contraint.DSI · ETI conseil 250 personnes · Île-de-France
Le secret professionnel m'interdit un coffre soumis au CLOUD Act. Aegirex est techniquement incapable de lire ce qu'on lui confie, et c'est vérifiable dans le code source.Associé · cabinet d'avocats 30 associés · Lyon
Une association n'a pas le budget d'un audit RSSI externe. Le code AGPL-3.0 public nous offre cet audit gratuitement, fait en continu par la communauté.Trésorier · association loi 1901 12 salariés · Paris
L'audit chain HMAC, c'est ce que nos investisseurs comprennent en trente secondes : on peut prouver l'intégrité des opérations sur les secrets, sans confiance préalable.CTO · start-up SaaS 8 personnes · Nantes
Mes données fiscales clients ne sortent pas de l'Union européenne. C'est ma seule exigence non négociable, et Aegirex la garantit par contrat et par technique.Expert-comptable associé 45 collaborateurs · Bordeaux
SSO, 2FA, passkeys, HMAC audit chain, GDPR export: everything is on the free tier. You pay for team governance, support and contractual guarantees.
Compared against the aggregate of US consumer-grade SaaS solutions. No competitor is named: internal marketing rule, you identify them on your own.
| Criterion | Aegirex | US SaaS | Shared spreadsheet |
|---|---|---|---|
| Zero-knowledge encryption | ✓ | ✓ | - |
| France-exclusive hosting | ✓ | - | ✓ |
| French jurisdiction in the contract | ✓ | In progress | ✓ |
| Outside the CLOUD Act | ✓ | - | ✓ |
| Publicly auditable code (AGPL-3.0) | ✓ | In progress | - |
| Verifiable HMAC audit chain | ✓ | - | - |
| Full self-hosting | ✓ | - | - |
| SSO on the free tier | ✓ | In progress | - |
| Recovery on loss | designated successor | vendor cloud account | lost |
Compared against the aggregate of US consumer-grade SaaS, public data 2026. Those products remain quality tools on their own terms; this table highlights the structural criteria for a regulated European CISO buyer.
Technical answers, verifiable in the codebase. If an answer is not in the public docs or the repo, it is not true.
On sign-up, an OpenPGP keypair (X25519 / Ed25519) is generated locally by OpenPGP.js. The private key is encrypted by Argon2id (5 passes, 256 MiB, parallelism 4) with your master password. All crypto operations happen client-side. The server never sees plaintext.
Yes. The entire codebase (server, clients, extensions) is published under AGPL-3.0 on GitHub. No closed "Enterprise" module, no open-core. All SaaS features are available when self-hosting.
Run the public audit-chain verification CLI command on your instance. It re-reads the HMAC-SHA-256 chain and flags any tampering, even of a single entry. Reproducible by your CISO, pluggable into cron and automated monitoring.
Four plans. Free for life up to 3 users (full security, SSO included). Team at €4/seat/month (annual) from 4 users, free for 12 months for non-profits, researchers and start-ups under 1 year old. Business at €7/seat/month (annual) with SCIM, 99.5% SLA, 1-year audit log. Enterprise on request (negotiated DPA, phone support, escrow opt-in).
This is the fundamental trade-off of zero-knowledge: without the key, neither Aegirex nor anyone else can recover your secrets. Two recovery mechanisms are provided: printable recovery codes generated at sign-up, and a designated-successor procedure using Shamir's Secret Sharing across N trusted parties you designate yourself.
The Aegirex architecture is compatible with SecNumCloud requirements (zero-knowledge, signed audit, French jurisdiction, traceability). Actual qualification requires (1) a host already SecNumCloud-qualified (Outscale, Cloud Temple), (2) a PASSI audit on the deployed instance, (3) governance documentation on the client side. We provide the crypto whitepaper and the technical evidence required for the dossier.
The Free plan is free for life for independents and small teams of up to 3 users, with no credit card: your vault, your keys, your control. For larger teams, 7-day trial on the Team plan (also free for non-profits, researchers and start-ups). Or clone the code and self-host in five minutes.
