Last updated: 2023-07-05 07:00:52
1. General information
1.1 Your agreement with MySecureVault.ca
2. Our Services
To use any of our Services, you must set up an account. You are entirely responsible for all usage or activity on your account including, but not limited to, use of the account by any person who uses your account, with or without authorization, or who has access to any computer or device on which your account is accessible.
You are responsible for maintaining the confidentiality of your MySecureVault.ca certificate files and passphrases and for restricting access to your account. You may share an account with any other party, temporarily or permanently, and you agree to collectively accept responsibility for all activities that occur under your account, whether or not authorized by you. You agree to immediately notify us of any unauthorized use of your account, certificate files or passphrase, as the case may be.
Your use of the Services is at your own risk. The Services may be modified, updated, interrupted or suspended at any time without notice or liability. We do not bear any liability for any harm or other adverse consequences to you, caused by this. MySecureVault.ca, its owner, employees, agents and others that are involved with the Services are not in any way or form liable for any harm of any kind executed or intended, resulting from or arising through or from the use of any account registered with Services.
2.1 Password Manager
The use of the Password Manager Service (identified as "My passwords" in your user account) is intended to store sensitive username, password and other information related to your personal accounts on various websites, applications, computers or elsewhere. All the information stored in our database is encrypted with what we believe are the most up-to-date cipher suites, which are deemed unbreakable by any known means.
By storing information in the Password Manager Service, you acknowledge that you are authorized to store such information in this Service by the organization where this information can be used, such as your employer, client, partner, website or else.
2.2 Notes Manager
The use of the Notes Manager Service (identified as "My notes" in your user account) is intended to store unstructured sensitive information of any kind. All the information stored in our database is encrypted with what we believe are the most up-to-date cipher suites, which are deemed unbreakable by any known means.
By storing information in the Notes Manager Service, you acknowledge that you are authorized to store such information in this Service.
2.3 Files Manager
The use of the Files Manager Service (identified as "My secret files" in your user account) is intended to store sensitive files of up to 15MB of any kind. All the files and file metadata stored in our database are encrypted with what we believe are the most up-to-date cipher suites, which are deemed unbreakable by any known means.
By storing files in the Files Manager Service, you acknowledge that you are authorized to store such files in this Service.
2.4 Certificates Manager
The Certificates Manager Service is intended to manage which certificates are authorized to access your account. When a certificate is issued and active, it can be used to access, edit and delete all the data in your account, as it can be used to issue, revoke and delete certificates.
When a certificate is issued, it is registered and encrypted in our database, and permitted to access only the account by which it was issued. After issuing a certificate, it must be downloaded before it can be used.
All certificates issued are valid for a period of 365 days. Once a certificate is expired, it can no longer be used to login to your account, so you must issue and download another certificate file that can access your account BEFORE your certificate is expired. If an expired certificate is the only one that was authorized to access your account and you did not issue and download a new one before the expiration date and time, you will lose access to your account and your data will be deleted from our database.
When a certificate is revoked, it will no longer be allowed to access your account. If a session is already logged in with this certificate, it will not be able to refresh the page or perform any action again, like adding, editing, deleting or downloading anything. The session will be logged out the moment a link is clicked on our website. However, if the main page is already loaded and the user logged in does not refresh the page after the certificate is revoked, this user would be able to browse existing records.
After a certificate is revoked, it can either be re-instated, or entirely deleted from our database. If you re-instate a certificate, you give it back full access to your data. If you DELETE a certificate from your account, it will never be able to access your account again, since its Data Encryption Key (DEK) would also be deleted at the same time.
YOU ARE SOLELY RESPONSIBLE FOR KEEPING YOUR CERTIFICATE FILES SECURE. EVEN THOUGH CERTIFICATE FILES ARE ENCRYPTED USING YOUR PASSPHRASE, IF THEY FALL INTO THE WRONG HANDS, THE ENCRYPTION SCHEME MAY NOT BE STRONG ENOUGH TO WITHSTAND ATTACKS FROM GOVERNMENT AGENCIES OR VERY MOTIVATED HACKERS. WE TAKE ABSOLUTELY NO RESPONSIBILITY IF YOU DO NOT HANDLE YOUR CERTIFICATE FILES CORRECTLY.
3. Permitted, restricted and prohibited use
Your access to and use of the Services is subject to these Terms and all applicable laws and regulations. We reserve the right, at any time, in our sole discretion, with or without notice, to terminate the accounts of, and block access to the Services to any users who infringe any applicable laws or these Terms.
3.1 Permitted use
You agree that you should use our Services as described in the "Our Services" section of these Terms, to store sensitive information that you know you have the right to store using our Services. You agree that you should only store information that you are authorized to possess, and that is not against any applicable laws or regulations.
You are authorized to create as many accounts as you wish, and you can share an account with as many users as you wish. Each account has a 100MB storage limit, so if you need more storage space, you can open other accounts.
You are authorized to try to hack into our website and server to test its security. However, we require that you disclose any vulnerability, attack vector, exploit or proof of concept, be it a zero-day or publicly known for one of the products used on our servers or in our applications code, to the following email address: firstname.lastname@example.org. If we have received donations when a flaw is disclosed, any amount remaining in our PayPal account or Bitcoin wallet could be used to give a bug bounty. The amount will be determined depending on the severity and impact of the vulnerability discovered.
3.2 Restricted and prohibited use
You agree that you should never attempt to bring our website down by means of Denial of Service (DoS) or Distributed Denial of Service (DDoS) attacks of any kind.
You agree that you shall not use our Services to:
- use, assist, encourage, or enable others to use the Services for any unlawful, illicit, illegal, criminal or fraudulent activities, including but not limited to, use of stolen credit cards, credit card fraud, financial fraud, cryptocurrency fraud, cloaking, extortion, blackmail, kidnapping, rape, murder, sale of stolen credit cards, sale of stolen goods, offer or sale of prohibited and dual-use goods, offer or sale of controlled substances, identity theft, hacking, pharming, phishing, scraping in any form or scale, digital piracy and other similar activities;
- assault, interfere, gain unauthorized access, deny service in any way or form to any other network, computer or node through our Services;
- exploit children in any way, including audio, video, photography, digital content, etc.;
- violate, infringe, or misappropriate other people's intellectual property, privacy or other legal rights;
- share anything that is illegal, abusive, harassing, or otherwise objectionable;
- transmit any viruses or other computer instructions or technological means that disrupt, damage, or interfere with the use of computers or related systems;
- interfere with or disrupt the integrity or performance of the Service;
- take any action that imposes or may impose an unreasonable or disproportionately large load on our infrastructure;
- sublicense, sell, resell, transfer, assign, distribute or otherwise commercially exploit or make available to any third party the Services in any way;
- build a product using similar ideas, features, functions or graphics of the Service or copy any ideas, features, functions or graphics of the Services;
- claim that you are the representative or agent of any of the Services, including any of its functionality;
- threaten, stalk, harm, or harass others, or promote bigotry or discrimination;
- violate general ethic or moral norms, good customs and fair conduct norms;
- use the Services for anything other than lawful purposes;
- use the Services for any military purpose, including cyber warfare, weapons development, design, manufacture or production of missiles, nuclear, chemical or biological weapons;
- otherwise infringe or circumvent these Terms.
We reserve the right to refuse service, suspend accounts or limit access to the Services in our sole discretion. Such suspension or access limitation may be implemented by MySecureVault.ca instantly and without any indication, notice or refund. We may suspend your account for clarification, investigation or request you to explain your actions and provide additional information. If your account has been suspended, you must contact us for further information. We may suspend your user account for a reasonable period of time before we terminate a user account permanently.
You access and use the Services in your country on your own initiative, and you solely are responsible for complying with your local laws and regulations if and to the extent such laws are applicable. We reserve the right to limit, in our sole discretion, the availability of the Services or any portion thereof, to any person, entity, geographic area, or jurisdiction, at any time.
You are not allowed to connect to and use the Services if you are a minor, if you have been or are prohibited from accessing the Services, or if your account has been suspended or closed for any reason.
We encourage you to let us know about the violation of these Terms by any of MySecureVault.ca users; in case of such violations, we may take appropriate action at our sole discretion.
We may obey subpœnas and court orders if they are valid in Canada.
WE CANNOT COMPLY WITH ORDERS TO DECRYPT THE DATA OF OUR USERS. AUTHORITIES ARE LEFT ON THEIR OWN TO TRY AND DECRYPT THE DATA THAT A USER MAY HAVE STORED IN OUR DATABASE. WITHOUT ACCESS TO A USER'S CERTIFICATE FILE, SUCH DECRYPTION ATTEMPTS ARE FUTILE.
5. Disclaimer of warranties
Reasonable efforts are taken to improve the accuracy and integrity of the Services, but complex software is never wholly free from defects, errors and bugs. We give no warranty or representation that the Services will be wholly free from defects, errors and bugs, such as downtime, loss of data, corrupt data, service delay, mistakes, out-of-date information, or other. Notwithstanding any other provision of these Terms, we reserve the right to change, suspend, remove, or disable access to the Services, or any functionality comprising a part of the Services at any time without notice. In no event will we be liable for making these changes. We do not warrant and will not have any liability or responsibility for your use of the Services or other products or services we may provide. We may also impose limits on the use of or access to the Services, for any reason and without notice or liability. Our Services may be unavailable from time to time due to human, digital, mechanical, telecommunication, software, and other failures. We cannot predict or control when such downtime may occur and cannot control the duration of such downtime.
THE SERVICES (INCLUDING, WITHOUT LIMITATION, OUR SOFTWARE, MOBILE APPLICATIONS, SERVICES AND WEBSITE) ARE PROVIDED "AS IS" AND WITH ALL FAULTS. WE MAKE NO REPRESENTATION OR WARRANTY WHATSOEVER REGARDING THE COMPLETENESS, ACCURACY, ADEQUACY, SUITABILITY, FUNCTIONALITY, AVAILABILITY, OR OPERATION OF THE SERVICES. YOU ACKNOWLEDGE THAT WE DO NOT HAVE CONTROL OVER YOUR USE OF THE SERVICES, AND WE DO NOT WARRANT THE PERFORMANCE OR RESULTS THAT MAY BE OBTAINED THROUGH YOUR USE OF THE SERVICES. YOU ASSUME ALL RISKS AND RESPONSIBILITY FOR YOUR USE OF THE SERVICES AND FOR ANY LOSS OF OR ERRORS IN ANY DATA OR INFORMATION. TO THE FULL EXTENT PERMISSIBLE BY APPLICABLE LAW, WE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND ANY WARRANTIES ARISING THROUGH COURSE OF DEALING OR USAGE OF TRADE. WITHOUT LIMITING THE FOREGOING, WE NEITHER WARRANT NOR REPRESENT THAT YOUR USE OF THE SERVICES WILL NOT INFRINGE THE RIGHTS OF ANY THIRD PARTIES, NOR THAT THE SERVICES WILL BE AVAILABLE FOR YOUR ACCESS OR USE, NOR THAT OPERATION OF THE SERVICES WILL BE ERROR-FREE OR UNINTERRUPTED. PLEASE NOTE THAT SOME JURISDICTIONS MAY NOT ALLOW THE EXCLUSION OF IMPLIED WARRANTIES, SO SOME OF THE ABOVE EXCLUSIONS MAY NOT APPLY TO YOU. IN ADDITION, YOU MAY ALSO HAVE OTHER RIGHTS THAT VARY FROM ONE JURISDICTION TO ANOTHER JURISDICTION.
We shall not be responsible or have any liability for any delay or failure to perform to the extent due to unforeseen circumstances or causes beyond our reasonable control, including, without limitation, failures of third party software (whether open or not), failures of your telecommunication or internet service providers, force majeure, earthquakes, fires, floods, embargoes, labor disputes and strikes, riots, war, novelty of product manufacture or other unanticipated product development problems, and acts of civil and military authorities.
6. Limitation of liability
There are inherent risks in relying upon, using, transmitting, or retrieving any data and/or content on the Internet, and we urge you to make sure you understand these risks before using the Services.
YOUR USE OF THE SERVICES IS AT YOUR OWN RISK. NEITHER MYSECUREVAULT.CA NOR ANY OF ITS PARENTS, SUBSIDIARIES OR AFFILIATES, NOR ANY OF THEIR EMPLOYEES, OFFICERS OR DIRECTORS, SHALL BE LIABLE FOR ANY DIRECT, INDIRECT, PUNITIVE, INCIDENTAL, SPECIAL, CONSEQUENTIAL, OR OTHER DAMAGES (INCLUDING, WITHOUT LIMITATION, LOSS OF DATA OR INFORMATION OF ANY KIND, LOSS OF BUSINESS, LOST PROFITS, INTERRUPTION OF BUSINESS, COST OF COVER OR ANY OTHER DAMAGES) ARISING OUT OF OR IN ANY WAY RELATED TO THIS AGREEMENT OR THE USE OR INABILITY TO USE THE SERVICES, WHETHER BASED ON CONTRACT, TORT, STRICT LIABILITY OR OTHERWISE, EVEN IF WE HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. IN ANY CASE, THE LIABILITY OF MYSECUREVAULT.CA SHALL NOT EXCEED WHAT THE CLIENT PAID TO MYSECUREVAULT.CA IF IT EVER BECAME A PAID SUBSCRIPTION SERVICE, EXCLUDING ANY DONATION MADE TO MYSECUREVAULT.CA OR MR JEAN-FRANÇOIS COURTEAU, AND SHALL NOT INCLUDE ATTORNEY FEES OR ANY OTHER JUSTICE FEE IRRESPECTIVE OF ANY LAWS OR STATUTES THAT MAY PRESCRIBE OTHERWISE.
You agree, at your own expense, to indemnify, defend and hold harmless MySecureVault.ca, its parents, subsidiaries and affiliates, and their officers, directors, employees, agents, distributors and licensees, from and against any judgments, losses, deficiencies, damages, liabilities, costs, claims, demands, suits, and expenses (including, without limitation, reasonable attorneys' fees, expert witness fees and expenses) incurred in, arising out of or in any way related to your breach of these Terms, your use of the Services, or any of your other acts or omissions.
8. Electronic communications
We never communicate by email with our registered users in any way. Even if you provide your email address upon registration, this information is encrypted in your account and we cannot decrypt it.
In the event that we create a mailing list, registering to this mailing list means that you implicitly agree to receive any and all communications we may send to this mailing list. We agree to never share your email address or any other information to third parties for marketing or other purposes. We commit to provide a link to unsubscribe from said mailing list in each email we send you.
The best source for up-to-date information about our Services and anything related to MySecureVault.ca is through our Twitter account at the following address: https://twitter.com/MySecureVault
9. Class action waiver
Where permitted under the applicable law, class action lawsuits, class-wide arbitrations, private attorney-general actions, and any other proceeding where someone acts in a representative capacity are not allowed. Unless both you and MySecureVault.ca agree, no arbitrator or judge may consolidate more than one person's claims or otherwise preside over any form of a representative or class proceeding.
10. Contracting entity
The MySecureVault.ca entity with which you are contracting under these Terms is Mr. Jean-François Courteau, owner of the MySecureVault.ca domain.
We reserve the right to modify and update these Terms at our sole discretion, at any time, for any reason, and without liability.
We also reserve the right to modify or update the operation of the Services at our sole discretion, at any time, for any reason, and without notice or liability. We may even suspend the Services entirely, in which event we will notify you in advance unless extenuating circumstances, such as safety or security concerns, prevent us from doing so.
The Terms constitute an agreement between you and us regarding the use of the Services. The parties acknowledge that no reliance is placed on any representation made but not expressly contained in these Terms.
If any provision of the Terms is found to be unenforceable or invalid, that provision shall be limited or eliminated to the minimum extent necessary so that the Terms shall otherwise remain in full force and effect and enforceable.
You may not assign these Terms or any rights or interest under these Terms or delegate any obligations to be performed under these Terms, without MySecureVault.ca's prior written consent. MySecureVault.ca can assign its rights and obligations under these Terms to selected third parties without your consent, including but not limited to, in cases of corporate reorganization, merger, acquisitions, sale or transfer of all or substantially all of company assets.
These Terms shall be governed in all respects by the laws of Canada, without regard to its choice of law provisions. You agree that the courts of Quebec jurisdiction in Canada will have exclusive jurisdiction over any and all disputes arising out of or relating in any way to these Terms or the Services.
For all purposes, the French language version of the Terms shall be the original, governing instrument and understanding between you and us. In the event of any conflict between this English language version of the Terms and any subsequent translation into any other language, the French language version shall govern and control.
All the user data we process is encrypted with the user's public key or data encryption key (DEK). We do not have access to this data, so we cannot use it in any way. However, you still have to provide some data, and we may store visitors' data for logging and debugging purposes. Here is all the data we process in our databases:
12.1 Application database
Our users' data is entirely encrypted and we are completely unable to decrypt it. Only users who hold the private key can decrypt their Data Encryption Key. The application data is essentially the content of the website, which is not encrypted because there is no reason to do so.
The following data is kept in our database. This is our database's structure:
- "articles" table:
This table contains cleartext data used to provide information on our website, such as Frequently Asked Questions and these Terms.
- "certs" table:
These are all the certificate data and files that have been issued for our users. All the data is encrypted, except the certificate's serial number and the revocation status.
- "encryptionKeys" table:
This table contains the Data Encryption Key (DEK) for each certificate present in the "certs" table, encrypted asymmetrically with RSA.
- "entries" table:
This table contains all the encrypted user entries, be it a password entry, note entry, or file entry. For file entries, it only contains the file metadata, and the file content is kept in the "files" table.
- "files" table:
This table contains the encrypted file content of the files stored in the Files Management Service, and is related to entries of type "file".
- "langStrings" table:
This table contains all the text strings used on our website in all languages.
- "sessions" table:
This table contains session data for our users. Most data is encrypted, except for the session expiration date and time.
- "users" table:
This table is the list of all user accounts. It is that user ID that links certificates, encryption keys, entries, files and sessions. The only information it contains is the date and time of creation and last access, along with a user ID.
12.2 Private data
The following data is kept in a separate, private database for logging, debugging and security purposes:
- "visits" table:
This table contains the following information for each page visited on our site: date and time, IP address, page visited, query string, user agent. Data is purged from this table after 24 hours.
- "blocked" table:
This table contains a list of IP addresses blocked because of suspicious behavior. IPs are automatically deleted from this table after 5 days.
We never share this information with anyone, and this data is not accessible from outside our organization. If government agencies or very motivated hackers were to put their hands on this database, they could link some activities performed on our website with real world people, because it contains the IP address of visitors on our website. The link would be hard to make, and would never disclose what type of activity or data you are storing in our Services. However, it could potentially disclose that you are a user of the Services and that you may possess a certificate that gives you access to encrypted data on our website.
By subscribing to MySecureVault.ca, you agree that we are in possession of such short term logging data and that if this information was to leak, it could expose that you are using the Services.
12.3 Certificates information
The information you provide when creating your account is the information that will be registered in your certificate file. All the information is mandatory, but none of this information is required to be true or verifiable. The information provided upon registration or while issuing supplemental certificates for your account are stored in your certificate files and in our database, and all this information is encrypted using your Data Encryption Key. Because of this, we cannot access this information.
The certificates provided are never identified as being issued by MySecureVault.ca. The certificate files we provide are self-signed, meaning that they are not linked to any public or private certification authority and provide plausible deniability.
12.4 Sessions information
All the sessions information is kept fully encrypted in your account with the help of your Data Encryption Key (DEK), meaning that you are the only person who can read the detail of your sessions data. However, for good housekeeping reasons, we keep the session expiration date and time in cleartext so we can delete them with a script when the sessions are expired. Any other information, like the user agent, IP address, last activity and certificate used, are kept encrypted so that only you can see this information.
12.5 Cookie files
Cookies used on our website are the following:
- PASSMAN (32 hexadecimal characters)
Session cookie used by PHP to keep track of users across the site and to keep session data. Its value changes on every page load for security purposes.
- msv_sch (64 hexadecimal characters)
Cookie used to keep long term sessions active and secure. If you check the box "This is a public device" at login, this cookie will not be created, because your session will only be valid for 5 minutes. However, for longer sessions (up to 30 days), this unique value keeps your session secure, because the PASSMAN value and the msv_sch value must match to validate your session.
12.6 Data security
We take data security very seriously and take all steps reasonably necessary to secure your data (whether technical, physical, or administrative). However, no company can guarantee the absolute security of internet communications. By using the Services, you expressly acknowledge that we cannot guarantee the security of any data provided to or received by us through the Services and that any information received from you through the website or our Services is provided at your own responsibility.
12.7 Other terms
To ensure the security of personal data, MySecureVault.ca employs various administrative, technical and physical security measures; however, it is your responsibility to exercise caution and reason when using the Services. You will be personally responsible if such action violates any third party's privacy or any other rights, or any applicable law. Under no circumstances is MySecureVault.ca liable for the consequences of your unlawful activities, your willful and negligent activities that violate applicable laws or third-party rights, and any circumstances that may not have been reasonably controlled or foreseen.