Zero-knowledge service

Thanks to end-to-end encryption, heylogin GmbH does not see any logins
2-factor secure as standard and only decryptable via hardware
Modern cryptographic algorithms: XSalsa20 + Poly1305 and Curve25519

Strict separation between vaults and users

Logins are encrypted in strictly separated vaults with the security chips of the respective user devices. This allows normal users of an organisation to access their personal vault and all team vaults for which they have permissions.

In addition, all vaults within an organisation are also encrypted with the security chips of the admins. This makes it possible to cryptographically restore an account if a device is lost or needs to be replaced. In terms of security, however, admins do not have access to the passwords in the personal vaults.

All access, whether by admins or users, is end-to-end encrypted and requires the respective security chip for decryption. Our platform offers a strict security architecture where we as heylogin GmbH have no access to your logins.
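The arrangement described above can be illustrated with envelope encryption: a team vault is encrypted once with a random vault key, and that key is wrapped separately for each authorised device. This is an added example, not heylogin's code or protocol; it assumes software X25519 key pairs in place of security chips, Node's ChaCha20-Poly1305 in place of XSalsa20 + Poly1305, and hypothetical names such as `createVault` and `restore`.

```javascript
// Added illustration, not heylogin's protocol. Assumptions: software X25519 keys
// stand in for security chips; ChaCha20-Poly1305 stands in for XSalsa20 + Poly1305.
const crypto = require('node:crypto');
const AEAD = 'chacha20-poly1305';

function seal(key, plaintext) {
  const nonce = crypto.randomBytes(12);
  const c = crypto.createCipheriv(AEAD, key, nonce, { authTagLength: 16 });
  const body = Buffer.concat([c.update(plaintext), c.final()]);
  return { nonce, body, tag: c.getAuthTag() };
}

function open(key, { nonce, body, tag }) {
  const d = crypto.createDecipheriv(AEAD, key, nonce, { authTagLength: 16 });
  d.setAuthTag(tag);
  return Buffer.concat([d.update(body), d.final()]); // throws if the tag does not verify
}

// Derive a 32-byte wrapping key from an X25519 shared secret.
function wrapKey(privateKey, publicKey) {
  const shared = crypto.diffieHellman({ privateKey, publicKey });
  return Buffer.from(crypto.hkdfSync('sha256', shared, Buffer.alloc(0), 'vault-key-wrap', 32));
}

// Wrap the vault key for one recipient using a fresh ephemeral key pair.
function wrapFor(recipientPublic, vaultKey) {
  const eph = crypto.generateKeyPairSync('x25519');
  return { ephPublic: eph.publicKey, ...seal(wrapKey(eph.privateKey, recipientPublic), vaultKey) };
}

function unwrap(recipientPrivate, wrapped) {
  return open(wrapKey(recipientPrivate, wrapped.ephPublic), wrapped);
}

// Encrypt the vault once, then wrap its key for every authorised device.
function createVault(plaintext, recipients) {
  const vaultKey = crypto.randomBytes(32);
  const wraps = {};
  for (const [name, pub] of Object.entries(recipients)) wraps[name] = wrapFor(pub, vaultKey);
  return { data: seal(vaultKey, Buffer.from(plaintext)), wraps }; // everything the server stores
}

function openVault(vault, name, privateKey) {
  return open(unwrap(privateKey, vault.wraps[name]), vault.data).toString();
}

// Recovery: an admin device re-wraps the vault key for a replacement device.
function restore(vault, adminPrivate, newName, newPublic) {
  vault.wraps[newName] = wrapFor(newPublic, unwrap(adminPrivate, vault.wraps.admin));
}
```

The stored object holds only ciphertext, nonces, tags and ephemeral public keys, so a party without one of the recipient private keys cannot recover the vault key.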

Hardware-based end-to-end encryption


Synchronisation of the encrypted vaults

All vaults belonging to a user are automatically synchronised in the background. All devices, i.e. apps and browser extensions, are connected to the cloud via a streaming connection and receive vault updates immediately. The heylogin cloud serves as simple data storage and has no means of decrypting the vaults.


Unlocking the security chip

If a browser extension requests decryption, the associated device is notified. The security chip is now unlocked locally on the device using a second factor, such as fingerprint, face unlock or PIN. The unlocked security chip now generates a temporary key. This is transmitted end-to-end encrypted to the browser extension.


Temporary key decrypts the vaults

The key received in this way is used by the browser extension to decrypt the synchronised vaults. The sensitive data can now be used to log the user into websites. In addition, changes can be made to the data, which is automatically synchronized.

The explanations on this page are simplified for easy understanding.
Details on cryptography and security protocols can be found in the Security Whitepaper.

heylogin supports


Security Key

Touch ID / Windows Hello



heylogin GmbH is based in Braunschweig. Our production system is operated by Hetzner in Nuremberg. A standby server is operated in Falkenstein, which can be quickly switched to in an emergency. Independent backups are currently stored at IONOS, which can be used in the event of a complete failure at Hetzner.

The ISMS of heylogin GmbH is ISO 27001:2022 certified. heylogin is GDPR-compliant and only uses European sub-processors.

The security whitepaper about our end-to-end encryption
