No premium tier, no upsell, no enterprise-only flag. The 18 features below are in every Vault deployment — managed cloud or self-hosted.
Logins, secure notes, cards, identities, custom fields. Each item is encrypted client-side under its own per-item DEK before it ever touches the server.
Policy-driven generator with length, character classes and exclusion rules. Generate per-site or per-org passwords that pass your compliance checks.
Vault items render the right brand mark automatically. Domain extraction + Google Favicon API gives you a recognizable list at a glance.
MV3-native browser extension for one-click autofill and quick item search. Locked to your domain and gated by the native companion when present.
Multi-tenant from day one. Each org has its own KEK, its own audit trail, its own policies. Move users in and out without re-encrypting their personal vault.
Share credentials inside your org with viewer / editor / owner roles. Recipients receive a wrapped DEK they can unwrap with their own KEK — no plaintext over the wire.
Per-user feed of recent vault activity — what was used, when, from where. Catches anomalies before they become incidents.
Append-only event store. Every login, every reveal, every share. Hash-chained (target) and exportable to your SIEM. Compliance reviews stop being archaeology.
TOTP (RFC 6238) and WebAuthn second factors on the vault itself. Not bolted on as a paid upsell — built into the auth flow from day one.
Master password becomes a key in your browser. Login proof is BCrypt-stretched. The server can verify you without ever knowing what you typed.
Generate a printable recovery kit at signup. Lose your phone, lose your laptop, lose your laptop again — your kit gets you back in.
Desktop process for Touch ID, Face ID, Windows Hello. Seals the key-encryption-key in the OS keychain, releases it only on biometric.
Org-wide policies, member management, force-MFA, session revocation. Everything an IT lead needs to keep the vault clean.
Bring credentials in from 1Password, LastPass, Bitwarden, KeePass. Export your data anytime — no lock-in, ever.
Self-serve signup with org provisioning. New users land in a guided flow that gets them productive in under five minutes.
Per-user settings, MFA management, session list, device list, notification preferences, signing keys for shared items.
Postgres-backed, runs on your own infrastructure. We don't have to be in the loop for anything sensitive. Open-source under MIT.
Single Postgres database. No proprietary blob format, no vendor cloud lock-in. The schema is documented and Flyway-migrated.
Book 20 minutes with a Centilio engineer. We'll walk through any feature in detail and show you the running product.
Or email us directly at [email protected]