
# Security overview

> Security is the fundamental building block of our platform.

## How idemeum is architected

<AccordionGroup>
  <Accordion title="Logins with MFA">
    Every login is multi-factor, combining biometrics and certificates.
  </Accordion>

  <Accordion title="FIDO2 compliant">
    The idemeum mobile app implements MFA based on the modern [FIDO2 standards](https://fidoalliance.org/fido2/?ref=docs.idemeum.com).
  </Accordion>

  <Accordion title="Distributed storage">
    Sensitive data, such as break-glass credentials, can be accessed offline on mobile and can be pushed to external systems.
  </Accordion>

  <Accordion title="Device recovery">
    When encryption keys are lost, recovery can be performed using the emergency key, or with the approval of other technicians.
  </Accordion>

  <Accordion title="Device compliance checks">
    Device compliance is validated using the built-in security features and signing certificates of Android and iOS before access to the idemeum portal is granted.
  </Accordion>

  <Accordion title="Multiple encryption layers">
    Transmitted data is encrypted in multiple layers and authenticated both by transport layer security (TLS) and by user-managed symmetric and asymmetric keys for data in transit.
  </Accordion>

  <Accordion title="Hardware backed storage">
    Mobile cryptographic keys are stored in hardware-backed key storage: [StrongBox](https://developer.android.com/privacy-and-security/keystore?ref=docs.idemeum.com) on Android and the [Secure Enclave](https://support.apple.com/guide/security/secure-enclave-sec59b0b31ff/web?ref=docs.idemeum.com) on iOS.
  </Accordion>

  <Accordion title="API key encryption">
    Even when API integrations are enabled to perform automated actions on vault data, all encryption is performed with a security API key that is not persisted in the cloud.
  </Accordion>

  <Accordion title="Data security">
    Idemeum is designed on end-to-end encryption (E2EE) principles. In practice, when the desktop agent is installed, the encryption key is passed to the desktop and kept there. All sensitive information is encrypted with that key before it is sent to the idemeum cloud, so the idemeum team cannot see data such as passwords and sensitive credentials. Even if the idemeum cloud is compromised, the sensitive information is not exposed.
  </Accordion>
</AccordionGroup>
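What the E2EE description above amounts to, as an added Go illustration that is not idemeum's own code (the real agent's protocol and formats are not described on this page): a hypothetical desktop agent that generates an AES-256-GCM key and keeps it local, a hypothetical cloud that stores only the ciphertext it receives, and a check that a full dump of that storage contains no plaintext.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// DesktopAgent (hypothetical model): generates the AES-256-GCM key and never uploads it.
type DesktopAgent struct{ aead cipher.AEAD }

// Cloud (hypothetical model): stores only the blobs it receives and holds no key material.
type Cloud map[string][]byte

func NewDesktopAgent() (*DesktopAgent, error) {
	key := make([]byte, 32) // generated and kept on the desktop only
	if _, err := rand.Read(key); err != nil { return nil, err }
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	g, err := cipher.NewGCM(block)
	if err != nil { return nil, err }
	return &DesktopAgent{aead: g}, nil
}

// Upload encrypts locally (record name bound as associated data) and sends only nonce||ciphertext||tag.
func (a *DesktopAgent) Upload(c Cloud, name string, secret []byte) error {
	nonce := make([]byte, a.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return err }
	c[name] = a.aead.Seal(nonce, nonce, secret, []byte(name))
	return nil
}

// Download decrypts on the desktop; a blob tampered with or renamed in the cloud fails the GCM tag check.
func (a *DesktopAgent) Download(c Cloud, name string) ([]byte, error) {
	blob, n := c[name], a.aead.NonceSize()
	if len(blob) < n { return nil, errors.New("missing or malformed record") }
	return a.aead.Open(nil, blob[:n], blob[n:], []byte(name))
}

// Exposed models a full dump of cloud storage: is the plaintext visible anywhere in it?
func (c Cloud) Exposed(secret []byte) bool {
	for _, blob := range c {
		if bytes.Contains(blob, secret) { return true }
	}
	return false
}
```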

## Compliance

Idemeum is SOC2 Type 2 certified.

<img src="https://mintcdn.com/idemeum/2xPZ_X8cEkDijBHc/images/soc.png?fit=max&auto=format&n=2xPZ_X8cEkDijBHc&q=85&s=6e5bd708e52ce077f3d3551c9130cec2" alt="Soc" title="Soc" style={{ width:"36%" }} width="1463" height="1463" data-path="images/soc.png" />
