Security of Your Data on Microsoft 365

Enpass takes a fundamentally different approach to credential management compared to traditional password managers. Rather than hosting your vaults on Enpass-operated servers, Enpass stores encrypted vault data within your organization's own Microsoft 365 environment. This page explains the security model that makes this possible and why it keeps your data safer.

Data sovereignty: Your data, your infrastructure

Your encrypted vaults reside in your Microsoft 365 tenant — on OneDrive for personal vaults, and on SharePoint for shared or team vaults. Enpass, as a company, has zero possession of your vault data. There is no central repository of customer vaults on Enpass servers, so a breach of Enpass infrastructure cannot expose your credentials.

This architecture also means your credential data automatically inherits the compliance posture, data residency policies, and access controls that your organization has already established for Microsoft 365.

Zero-knowledge encryption

Enpass is built on a strict zero-knowledge architecture. All cryptographic operations (encryption, decryption, key derivation, and merging) happen exclusively on the user's local device. Any data that leaves the device has already been encrypted, and only the user holds the key. For full technical details on vault encryption, see the Vault section of the Enpass Security Whitepaper.

What Microsoft 365 sees

Your OneDrive and SharePoint storage contain only the encrypted vault files — the same opaque, encrypted blobs that exist on the user's local device. Microsoft 365 acts as a "dumb drive." Even if your cloud storage were compromised or accessed by a malicious actor, the vault data would be useless without the user's master password and optional Keyfile.

How sync works securely

When Enpass synchronizes your vault to Microsoft 365, the process is designed so that your cloud storage never handles unencrypted data:

  1. When you make a change, Enpass updates the encrypted vault file locally and uploads the encrypted file to OneDrive/SharePoint.

  2. On another device, Enpass downloads the encrypted vault file, decrypts it locally, merges any changes, and re-uploads the encrypted result if needed.

  3. All conflict resolution and merging happen on your device — never on a server.

Your data in transit is protected twice over: end-to-end by Enpass (AES-256) and additionally by HTTPS/TLS during transport. Even if TLS were somehow compromised, an attacker would obtain only the encrypted vault file, so your data remains secure.
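The three sync steps above, and the key-derivation parameters the table further down gives (AES-256, PBKDF2-HMAC-SHA512 at 320K iterations), can be exercised in a small simulation. This is an added illustration, not Enpass code: the blob layout (salt, then nonce, then ciphertext and tag), the salt length, the JSON vault format, the "newest modified timestamp wins" merge rule and the sample items are all assumptions made for the demo, and the `DumbDrive` class stands in for OneDrive/SharePoint. It uses AES-256-GCM from the `cryptography` package; Enpass's real file format is described in its Security Whitepaper, not here.

```python
import functools
import hashlib
import json
import os

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM  # AES-256-GCM; needs the 'cryptography' package

PBKDF2_ITERATIONS = 320_000   # iteration count the page's table gives for PBKDF2-HMAC-SHA512
KEY_LEN = 32                  # 256-bit key for AES-256
SALT_LEN = 16                 # assumed salt length for this demo
NONCE_LEN = 12                # standard GCM nonce length


@functools.lru_cache(maxsize=None)
def derive_key(master_password: str, salt: bytes) -> bytes:
    """Derive the AES-256 key on-device from the master password and a per-vault salt."""
    return hashlib.pbkdf2_hmac("sha512", master_password.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS, dklen=KEY_LEN)


def encrypt_vault(vault: dict, master_password: str, salt: bytes) -> bytes:
    """Serialize and encrypt on-device. Assumed blob layout: salt || nonce || ciphertext+tag.
    The salt is not secret; it only defeats precomputed password tables."""
    key = derive_key(master_password, salt)
    nonce = os.urandom(NONCE_LEN)
    plaintext = json.dumps(vault, sort_keys=True).encode("utf-8")
    return salt + nonce + AESGCM(key).encrypt(nonce, plaintext, None)


def decrypt_vault(blob: bytes, master_password: str) -> dict:
    """Re-derive the key from the stored salt and decrypt; a wrong password fails the GCM tag check."""
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    ciphertext = blob[SALT_LEN + NONCE_LEN:]
    key = derive_key(master_password, salt)
    return json.loads(AESGCM(key).decrypt(nonce, ciphertext, None))


def merge_vaults(local: dict, remote: dict) -> dict:
    """Device-side merge: for each item, the copy with the newer 'modified' value wins (assumed rule)."""
    merged = dict(local)
    for item_id, item in remote.items():
        if item_id not in merged or item["modified"] > merged[item_id]["modified"]:
            merged[item_id] = item
    return merged


class DumbDrive:
    """Stand-in for OneDrive/SharePoint: stores and returns bytes, never sees a key or plaintext."""
    def __init__(self) -> None:
        self.blob = b""

    def upload(self, blob: bytes) -> None:
        self.blob = blob

    def download(self) -> bytes:
        return self.blob


def sync_demo(master_password: str = "correct horse battery staple") -> dict:
    """Run the three sync steps with two devices and report what the drive ended up holding."""
    salt = os.urandom(SALT_LEN)
    drive = DumbDrive()

    # Step 1: device A changes an item, encrypts locally, uploads ciphertext (constructed sample data).
    vault_a = {"github": {"password": "hunter2", "modified": 1},
               "bank": {"password": "p@ss", "modified": 1}}
    drive.upload(encrypt_vault(vault_a, master_password, salt))

    # Steps 2-3: device B holds a newer local edit, downloads, decrypts and merges on-device,
    # then re-uploads the encrypted result.
    vault_b = {"github": {"password": "rotated!", "modified": 2}}
    merged = merge_vaults(vault_b, decrypt_vault(drive.download(), master_password))
    drive.upload(encrypt_vault(merged, master_password, salt))

    # A wrong master password cannot decrypt what the drive holds.
    try:
        decrypt_vault(drive.download(), master_password + "x")
        wrong_password_rejected = False
    except InvalidTag:
        wrong_password_rejected = True

    stored = drive.download()
    return {
        "merged": merged,
        "plaintext_in_storage": any(s.encode() in stored for s in ("hunter2", "rotated!", "github")),
        "wrong_password_rejected": wrong_password_rejected,
        "stored_bytes": len(stored),
    }


if __name__ == "__main__":
    print(json.dumps(sync_demo(), indent=2))
```

The point to take from the run is in the result dictionary: the merged vault is correct on device B, the stored bytes contain none of the item names or secrets, and a password that differs by one character is rejected by the authentication tag rather than yielding garbage. The `lru_cache` on `derive_key` only keeps the demo fast; each real device performs the 320K-iteration derivation itself.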

How the Enpass app connects to Microsoft 365

When you connect Enpass to Microsoft 365, you authenticate directly through Microsoft's login screen. Enpass never sees or handles your Microsoft password. Microsoft issues an OAuth access token that:

  • Uses delegated permissions only — all Microsoft Graph API calls are executed on behalf of the signed-in user, not independently by the app.

  • Is stored only on the user's local device, inside the Enpass app database.

  • Is encrypted with the user's master password alongside the rest of the vault data.

  • Is never transmitted to any Enpass server — it never leaves your device in usable form.
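An administrator reviewing an app's Microsoft 365 access can confirm the first bullet (delegated, user-scoped permissions) from the access token itself: delegated permissions appear in the `scp` claim, while application-only permissions appear in `roles`. The following is an added illustration, not Enpass code, and it uses constructed tokens; the scope names, object id, user name and expiry are made-up sample values and are not a statement of which scopes Enpass requests. It inspects claims only and does not validate signatures, which is the resource server's job.

```python
import base64
import json
import time
from typing import Optional

# Audience values a Microsoft Graph access token may carry (URI form or Graph's application id)
GRAPH_AUDIENCES = {"https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000"}


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT. No signature check: this is inspection
    for a review, not validation."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def classify_token(token: str, now: Optional[int] = None) -> dict:
    """Summarize whether a Graph token is delegated (user-scoped) or application-only."""
    claims = decode_claims(token)
    now = int(time.time()) if now is None else now
    scopes = claims.get("scp", "").split()   # delegated permissions live in 'scp'
    roles = claims.get("roles", [])          # application permissions live in 'roles'
    return {
        "audience_ok": claims.get("aud") in GRAPH_AUDIENCES,
        "delegated": bool(scopes) and not roles,
        "application_only": bool(roles) and not scopes,
        # a delegated token names the signed-in user it acts for
        "user_bound": "oid" in claims and ("upn" in claims or "preferred_username" in claims),
        "scopes": scopes,
        "expired": int(claims.get("exp", 0)) <= now,
    }


def make_test_token(claims: dict) -> str:
    """Build an unsigned token for the demo; the third segment is a placeholder, not a signature."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder-signature"


# Constructed claim sets for the demo (hypothetical values, not taken from any real token).
DELEGATED_CLAIMS = {
    "aud": "https://graph.microsoft.com",
    "scp": "Files.ReadWrite Sites.ReadWrite.All offline_access",
    "oid": "00000000-0000-0000-0000-000000000001",
    "upn": "user@example.com",
    "exp": 2_000_000_000,
}
APP_ONLY_CLAIMS = {
    "aud": "https://graph.microsoft.com",
    "roles": ["Files.ReadWrite.All"],
    "exp": 2_000_000_000,
}


if __name__ == "__main__":
    for name, claims in (("delegated", DELEGATED_CLAIMS), ("app-only", APP_ONLY_CLAIMS)):
        print(name, classify_token(make_test_token(claims)))
```

Running it on the two constructed tokens shows the distinction the bullet relies on: the delegated token has `scp` and identifies the user, so every Graph call made with it is bounded by what that user may already do; the app-only token has `roles` and no user, which is the shape a tenant administrator would want to notice during a consent review.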

What this means for your organization

Concern: how Enpass addresses it

Data residency: Vaults live in your Microsoft 365 tenant, subject to your existing data residency and geo policies.

Vendor breach risk: Enpass holds no vault data on its servers. A breach of Enpass infrastructure cannot expose your credentials.

Compliance: Your credential data stays within your trusted boundary. No additional third-party data processor for vault storage.

Encryption standard: Your data is always encrypted at rest using industry-standard AES-256, with the encryption key derived using 320K iterations of PBKDF2-HMAC-SHA512 to counter offline brute-force attacks.

Zero knowledge: Neither Enpass as a company nor Microsoft can decrypt your data. All crypto operations happen on-device.

Certifications: Enpass is ISO/IEC 27001 certified and SOC 2 Type II audited.

Further reading