Skip to main content
Driftstack DRIFTSTACK

Account

Privacy & security

Password, two-factor authentication, active sign-ins, connected accounts, and control over your data. Changes here affect all sessions, profiles, and webhooks under this account.

Your data is sealed

Profiles are client-encrypted — Driftstack moves opaque bytes and can't read them.

Profile encryption

AES-256-GCM, sealed

Encrypted before it reaches us; the server stores ciphertext only.

Tenant isolation

Cryptographic

A wrong account cannot decrypt your data — enforced by math, not policy.

Secret access

Always audited

Every credential read lands in your audit log.

Full model at driftstack.dev/trust · your data, your call — export or delete anytime from the danger zone.

Security

Password + recovery options.

We email you a magic link to confirm. The link expires after 60 minutes; old sessions stay signed in until they naturally expire.

Two-factor authentication

Add a TOTP code from your authenticator app on top of your password. Recovery codes are issued at enrollment — store them somewhere safe; without your authenticator AND your recovery codes, account access requires support intervention.

loading…

Active sign-ins

Browser sessions where you're signed in to the dashboard. Distinct from the automation sessions you run in the Driftstack desktop app.

  • Sign in to load your active sessions.

IP omitted for privacy. The "current" session is the one you're using right now and can't be revoked from this list — sign out from the menu instead.

Connected accounts

IDPs (Google / GitHub) linked to your account. Each link lets you sign in via that provider. Revoking the link on the provider side (e.g. Google → Security → Third-party access) automatically marks it inactive here on next sign-in attempt; password sign-in continues to work either way.

  • Sign in to load your linked accounts.

Recent activity

API key mints + revokes, session lifecycle events, and other account changes. Newest first; filtered to your own account.

  • Sign in to load recent activity.

Danger zone

Account deletion is irreversible. All sessions, profiles, API keys, and webhook endpoints are immediately revoked, and stored account data is purged on the schedule in the privacy policy. Invoice history retained per Dutch tax law (7 years) — not deletable on request.

Deletion is currently processed by emailing [email protected] so we can confirm + walk the data-portability export with you before the irreversible step.