Security of Your Data on Google Workspace

Enpass takes a fundamentally different approach to credential management compared to traditional password managers. Rather than hosting your vaults on Enpass-operated servers, Enpass stores encrypted vault data within your organization's own Google Workspace environment. This page explains the security model that makes this possible and why it keeps your data safer.

Data sovereignty: Your data, your infrastructure

Your encrypted vaults reside in your Google Workspace — on each user's Google Drive for personal vaults, and in shared Drive folders or Shared Drives for team vaults. Enpass, as a company, has zero possession of your vault data. There is no central repository of customer vaults on Enpass servers, so a breach of Enpass infrastructure cannot expose your credentials.

This architecture also means your credential data automatically inherits the compliance posture, data residency policies, and access controls that your organization has already established for Google Workspace.

Zero-knowledge encryption

Enpass is built on a strict zero-knowledge architecture. All cryptographic operations — encryption, decryption, key derivation, and merging — happen exclusively on the user's local device. Data that leaves the device is always already encrypted, and only the user holds the key. For full technical details on vault encryption, see the Vault section of the Enpass Security Whitepaper.

What Google Drive sees

Your Google Drive storage contains only the encrypted vault files — the same opaque, encrypted blobs that exist on the user's local device. Google Drive acts as a "dumb drive." Even if your cloud storage were compromised or accessed by a malicious actor, the vault data would be useless without the user's master password and optional Keyfile.

How sync works securely

When Enpass synchronizes your vault to Google Drive, the process is designed so that your cloud storage never handles unencrypted data:

  1. When you make a change, Enpass updates the encrypted vault file locally and uploads the encrypted file to Google Drive.

  2. On another device, Enpass downloads the encrypted vault file, decrypts it locally, merges any changes, and re-uploads the encrypted result if needed.

  3. All conflict resolution and merging happen on your device — never on a server.

Your data in transit is double-protected: encrypted end-to-end by Enpass (AES-256) and additionally protected by HTTPS/TLS during transport. Even if TLS were somehow compromised, your vault data remains secure.

How the Enpass app connects to Google Workspace

When you connect Enpass to Google Workspace, you authenticate directly through Google's login screen. Enpass never sees or handles your Google password. Google issues an OAuth access token that:

  • Uses delegated permissions only — all Google API calls are executed on behalf of the signed-in user, not independently by the app.

  • Is stored only on the user's local device, inside the Enpass app database.

  • Is encrypted with the user's master password alongside the rest of the vault data.

  • Is never transmitted to any Enpass server, and never leaves your device in usable form.

What this means for your organization

| Concern | How Enpass addresses it |
| --- | --- |
| Data residency | Vaults live in your Google Workspace, subject to your existing data residency and data region policies. |
| Vendor breach risk | Enpass holds no vault data on its servers. A breach of Enpass infrastructure cannot expose your credentials. |
| Compliance | Your credential data stays within your trusted boundary. No additional third-party data processor for vault storage. |
| Encryption standard | Your data is always encrypted at rest using industry-standard AES-256, with the encryption key derived using 320K iterations of PBKDF2-HMAC-SHA512 to counter offline brute-force attacks. |
| Zero knowledge | Neither Enpass as a company nor Google can decrypt your data. All crypto operations happen on-device. |
| Certifications | Enpass is ISO/IEC 27001 certified and SOC 2 Type II audited. |
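To put the "Encryption standard" figures in context for a master-password policy, the following added example (not Enpass code) derives a 256-bit key with PBKDF2-HMAC-SHA512 at 320,000 iterations, measures the cost of one guess on the local machine, and estimates the average offline search time for several password strengths. The random 16-byte salt, the sample password, the entropy levels and the 10,000x attacker speedup are assumptions for illustration; the optional Keyfile is not modelled.

```python
import hashlib
import math
import os
import time

ITERATIONS = 320_000   # stated on this page
KEY_LEN = 32           # 256-bit key for AES-256
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def derive_key(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA512 -> 32-byte key (salt handling is an assumption)."""
    return hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt,
                               iterations, dklen=KEY_LEN)


def kdf_work_bits(iterations: int = ITERATIONS) -> float:
    """Work the KDF adds to every guess, in bits (log2 of iteration count)."""
    return math.log2(iterations)


def seconds_per_guess(salt: bytes) -> float:
    """Measure one full-cost derivation on this machine."""
    start = time.perf_counter()
    derive_key("constructed-sample-password", salt)
    return time.perf_counter() - start


def expected_years(entropy_bits: float, guesses_per_second: float) -> float:
    """Average search time: half of a 2**entropy_bits password space."""
    return 2 ** (entropy_bits - 1) / guesses_per_second / SECONDS_PER_YEAR


def report(attacker_speedup: float = 10_000.0):
    """Rows of (password entropy bits, expected years) at the measured rate
    scaled by an assumed attacker hardware advantage."""
    rate = attacker_speedup / seconds_per_guess(os.urandom(16))
    return [(bits, expected_years(bits, rate)) for bits in (30, 45, 60, 80)]


if __name__ == "__main__":
    print(f"KDF adds ~{kdf_work_bits():.1f} bits of work per guess")
    for bits, years in report():
        print(f"{bits:>3}-bit master password: ~{years:.3g} years on average")
```

The iteration count contributes roughly 18 bits of work per guess; the remaining resistance to offline guessing comes from the entropy of the master password itself.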
