Secrets Management
Made in Germany

Central management of secrets, certificates, and dynamic credentials – operated in your Kubernetes clusters.

Manage secrets securely

Our secrets management is based on HashiCorp Vault and operated as a managed app on the ayedo platform – including HA, auto-unseal, and Kubernetes integration.

Static Secrets

API keys & passwords

Central storage for credentials with versioning, lease management, and audit log. No more secrets in Git or ConfigMaps.
KV Credentials Audit

Dynamic Secrets

Short-lived access

Database credentials, cloud IAM roles, and service accounts on demand – automatically rotated and revocable.
Dynamic Rotation IAM

PKI & Certificates

TLS as a service

Internal certificate authority for mTLS, service mesh, and ingress certificates. Automatic issuance and renewal.
PKI TLS mTLS

Encryption as a Service

Transit engine

Encrypt sensitive data at rest and in transit without your own key management infrastructure.
Transit Encryption KMS

Kubernetes Integration

Native for K8s

Vault Secrets Operator and CSI driver for pods. Secrets as Kubernetes secrets or mounted directly as files.
K8s CSI Operator

EU Infrastructure

Sovereign hosting

Key material and secrets remain on European infrastructure – GDPR-compliant without US cloud dependency.
EU GDPR Sovereignty

Pricing

Managed HashiCorp Vault as part of the ayedo platform – transparent per instance or cluster.

Shared Region

Shared platform · Multi-tenant

€199.95 /month

  • €199.95/month per Vault instance
  • HA setup with auto-unseal
  • Kubernetes Secrets Operator
  • Audit logging included
  • OIDC integration
  • Operated in ayedo cloud region

Dedicated Region

Dedicated cluster · Single-tenant

from €199.95 /month

  • from €199.95/month per cluster
  • Dedicated Kubernetes cluster
  • Isolated Vault instance
  • Custom namespaces & policies
  • Disaster recovery between regions
  • Custom SLAs

On-Premise

In your data center

Custom

  • Vault on your infrastructure
  • HSM integration optional
  • Air-gapped support
  • Enterprise support
  • Compliance-ready
  • Custom SLAs

Comparison with alternatives

Managed Vault on ayedo is the sovereign alternative to cloud-native secret stores from US hyperscalers.

vs. AWS Secrets Manager

Criterion | ayedo | AWS Secrets Manager
Jurisdiction | EU / GDPR-compliant | US / CLOUD Act
Multi-cloud | Cloud-agnostic | AWS-only
Dynamic secrets | Vault engines | Limited
PKI | Integrated | ACM separate

vs. Azure Key Vault

Criterion | ayedo | Azure Key Vault
Vendor lock-in | Open ecosystem | Azure-focused
Kubernetes | Native operator | Azure-specific
On-premise | Available | Cloud-first
Support | Personal, German | Ticket system

vs. GCP Secret Manager

Criterion | ayedo | GCP Secret Manager
Jurisdiction | EU hosting | US company
Encryption | Transit + KMS | Cloud KMS
Audit | Full audit log | Cloud logging
Pricing transparency | Fixed per instance | Per secret/op

Compliance & Regulatory Requirements

The ayedo Software Delivery Platform meets the requirements of current EU regulations. From GDPR to NIS-2 to DORA – our platform is designed for regulated industries and critical infrastructures.

GDPR-Compliant Data Processing

Privacy by Design & Default.

EU data residency (Germany), Customer-Managed Keys (BYOK/BYOHSM), encryption at rest/in transit. ISO 27001-certified data protection management. Support for data subject rights, DPA, incident response. More about GDPR.

NIS-2-Compliant Operations

Resilience for critical infrastructures.

24/7 monitoring, incident response, BCP/DR processes, supply chain transparency (SBOM). EU-based operations, MFA/PAM, vulnerability management, patch processes. Ideal for essential/important entities. More about NIS-2.

DORA-Ready for Financial Institutions

Tailored ICT resilience.

ICT risk management framework, documented exit strategies, third-party risk management, TLPT readiness. Structured incident reporting chains, continuous resilience testing, ISO 27001-certified. More about DORA.

CRA-Compliant Software Supply Chain

Security by Design across the entire lifecycle.

SBOM generation, CVE scanning, vulnerability disclosure processes, update management. Signed container images, GitOps-based audit trails, transparent supply chain. More about CRA.

Cloud Sovereignty Framework

Digital sovereignty made measurable.

EU-based operations, open standards, exit capability without lock-in. Designed for SEAL-4 (Full Digital Sovereignty) across all eight sovereignty objectives. No dependencies on non-EU control. More about the Framework.

Data Act-Compliant Portability

Switching without barriers.

Open APIs (OpenAPI), standardized formats (YAML/JSON/OCI), complete exit runbooks, Infrastructure-as-Code portability. Multi-cloud capable, no egress fees, functional equivalence. More about Data Act.

Integrated Compliance Roadmap

Holistic approach.

How ayedo systematically addresses GDPR, NIS-2, DORA, CRA, Data Act, Cloud Sovereignty Framework, ISO 27001/9001. Certifications, processes, technical measures, audit readiness. To overview.

Integration with Polycrate

Vault is part of the Polycrate Software Security Framework and a central pillar for code repository, delivery, and all managed apps.

Managed Kubernetes

Secrets for workloads

Vault Secrets Operator in your managed Kubernetes clusters – without manual secret syncing.
Kubernetes Operator CSI

Delivery

Secure GitOps deployments

Argo CD pulls secrets from Vault – no credentials in Git repositories.
ArgoCD GitOps Security

Observability

Audit & monitoring

Vault audit logs in your observability stack – trace who accessed which secret and when.
Audit Logs Compliance

You build it. We run it.

Excellent performance and maximum uptime - that’s what we wake up for. And sometimes even in the middle of the night.

270 Million End Users

per month

More than 9 million end users use software we deploy every day, on the internet or on-premise.
User End-user Software

99.99% Uptime

annual average

Our managed services are unavailable for less than 1 hour per year on average.
Uptime Availability SLA

MTTD < 5 Minutes

on average

Our granular alerting system detects errors and outages faster than you can say ‘Service Level Agreement’.
MTTD Monitoring Detection

34 Billion Logs

per month

More than 10000 logs per second are collected by our collectors and stored GDPR-compliant.
Logs Observability Ingestion

71 Million Active Timeseries

per month

2.7 million datapoints are measured per second by our monitoring systems.
Monitoring Metrics Datapoints

50 TB Backups

per month

More than 2000 backups are stored daily on our encrypted long-term storage.
Backup Storage Security