elvix
You came here because an app uses elvix

We handle your sign-in.
That's it.

You probably got here from a "Secured by elvix" badge on a site you use. We're the company that handles your sign-in. No passwords — just passkeys, a 6-digit email code, or Google. We also keep your login history. The app you signed in to never sees your secrets. Here's what that means in plain terms.

How it works Your rights
Database:
delvix· Germany 🇩🇪GDPR:nativeAuth:passwordless
Plain language

We're the door.
The app is what's inside.

When you sign in to an app that uses elvix, your sign-in goes through us. Not the app. We verify your passkey or email code, then tell the app yes or no. The app gets a small signed token that lasts 15 minutes. That's the whole exchange.

So the app never sees your credentials. If the app gets hacked, your identity stays safe with us. If we get hacked, your messages, events, and payments are still safe. They live inside the app, not with us.

One promise

No passwords. Passkeys are phishing-proof. Email codes are device-independent. Google is one tap. Your secrets stay on your device — in a German data centre.

PasskeysEmail OTPGoogle OAuthRS256 + JWKSHttpOnly cookies
Exactly what we hold

What elvix has, and what the app has.

A clean split. We don't see what you do inside the app. The app doesn't see your sign-in credentials.

elvix has
Your email address.
the app has
Your profile (name, photo, preferences). Never your sign-in credentials.
elvix has
Your passkey public key. The private key never leaves your device.
the app has
Whatever you create inside the app: messages, events, photos, orders.
elvix has
Linked OAuth identities (Google, etc.) and any verified emails.
the app has
Your relationship to other users on that app.
elvix has
Login history: when, country (anonymised), browser.
the app has
Your payments and financial history (handled by the app's payment processor, not by elvix).
elvix has
Which apps you’ve authorised (e.g. "DanceClub, since 12 March 2026").
the app has
A short-lived "yes, signed in" token (15 minutes; we issue it, the app stores it).
GDPR · Art. 15–22

Your rights, in plain English.

Every right the EU GDPR gives you, mapped to a button you can click. No emails to chase, no forms to fax.

Export your data

Art. 20

Download everything elvix has on you, as JSON. Takes ~2 seconds.

Open in my account

Delete your account

Art. 17

Permanent. Removes your elvix record + revokes every app token.

Open in my account

See login history

Every sign-in for 90 days: when, where (country), which device.

Open in my account

Revoke an app

Pull access from any app that uses elvix. The others keep working.

Open in my account

Correct your data

Art. 16

Change email or recovery contact. Old email gets a heads-up.

Open in my account

Lodge a complaint

Art. 77

Complain directly to your local data-protection authority.

Open in my account
Sovereignty

Germany. Period.

Your data is processed in EU data centres and never leaves.

Your account lives in a Postgres database on German soil. Nothing about your sign-in touches a US sub-processor.

If you ask "where is my sign-in data right now," the answer is one country and one company.

RegionGermany 🇩🇪
Sign-inPasswordless
Token signingRS256 + JWKS
Encryption at restAES-256
MethodsPasskey · OTP · OAuth
Powered by
delvixManaged Postgres · EU
delvix.cloud

Your database, in safe hands.

The Postgres database that holds your account sits on delvix. Managed Postgres, EU-only, flat pricing. Built by the same team as elvix.

Continuous backups, 30-day point-in-time recovery, real high availability, zero US data path. We use it for our own product. If we trust it with our auth data, we trust it with our customers' data too.

Visit delvix.cloud
Breach response

If something goes wrong,
here's the timeline.

GDPR Art. 33 + 34 oblige us to act within 72 hours. We commit to faster, and to plain-English communication when it happens.

No active incidents.·Full incident history →
1
T+0–5 min

We detect it.

Monitoring fires within minutes. Engineering on-call acknowledges. Founder paged in parallel.

2
T+5–30 min

We contain it.

If credentials were exposed, we rotate tokens and invalidate sessions. If passwords were exposed (which would mean breaking argon2id, practically impossible), we force-reset every affected account.

3
T+1–6 h

We notify the apps.

Every app using elvix is told directly. They have their own relationship with you and coordinate the next message.

4
≤ 72 h·Art. 33

We notify the regulator.

The competent supervisory authority is notified within 72 hours per Art. 33 GDPR. For our base in Aachen that's LDI NRW.

5
When risk is high·Art. 34

We notify you.

If your account is affected and the risk is high, you receive a direct email. No PR-speak. What happened, what we did, what you should do.

6
Within 14 days

We publish.

Full post-mortem at elvix.is/security/incidents. Timeline, root cause, what changed, what we owe.

If something happens to your account

You hear from us directly. Not a press release. Not through the app. A plain email to the address on file.

Verify contact email
Building an app?

You'd be on the other side of this page.

If you're an engineer who landed here from a "Secured by elvix" badge, yes, this is exactly what your end users see. Four lines of code on your side. This trust page on theirs.

For developers