CIO / CISO Document - April 2026
Impact analysis — HeelonVault deployment
Guide for Information Systems leadership to assess deployment of the on-premise HeelonVault secrets manager within your infrastructure.
Executive summary
HeelonVault is an open-source secrets manager (Apache 2.0), developed in France and deployed entirely on-premise. It centralizes, encrypts, and traces all access to organizational critical secrets (passwords, API tokens, SSH keys, certificates, and sensitive configuration files), without any cloud dependency.
This document evaluates deployment impact for laboratory infrastructure across security, compliance, organization, and technical dimensions.
2. Current context and issues
Laboratories handle sensitive secrets daily (administrator accounts, integration tokens, access keys to critical systems), and fragmented storage creates growing operational and regulatory risk.
Typical situation without a dedicated solution
| Observed situation | Associated risk |
|---|---|
| Passwords shared by email or messaging tools | Leak and no traceability |
| SSH keys stored on local workstations | Loss of control during offboarding |
| API tokens hardcoded in scripts | Accidental exposure in repositories |
| Password-protected spreadsheets | Easy bypass, no audit trail |
| No centralized revocation | Persistent access after employee departure |
3. HeelonVault solution overview
Main technical characteristics
- Language: Rust (performance and memory safety)
- Encryption: AES-256-GCM
- Deployment: On-premise, Linux server & Windows server
- Network mode: Native offline operation, zero outbound cloud flow
- License: Open-source Apache 2.0 - auditable code
- Audit report: Native signed PDF export
Managed secret types
- Credentials and passwords (admin, service, and application accounts)
- API tokens and integration keys (CI/CD, webhooks)
- SSH keys and certificates
- Sensitive documents (configurations and operations procedures)
4. Impact analysis
4.1 Security impact
HeelonVault significantly reduces the attack surface linked to secrets.
- End-to-end protection: all secrets encrypted at rest (AES-256-GCM)
- Role-based access control: read, write, administration assigned per user
- Full traceability: each access, edit, and revocation is logged with timestamps
- Immediate revocation: one-click access cut-off in departure or incident cases
- Exposure risk reduction: fewer plaintext secrets in scripts and files
4.2 Sovereignty and compliance impact
| Criterion | Before | With HeelonVault |
|---|---|---|
| Data location | Scattered, potentially cloud-hosted | 100% internal infrastructure |
| Transfer outside EU | Possible (SaaS) | Impossible (on-premise) |
| GDPR compliance | Partial | Strengthened |
| Source code auditability | Impossible | Yes (Apache 2.0) |
| Actionable audit reporting | Absent | Signed, exportable PDF |
Covered frameworks: HeelonVault aligns with relevant frameworks for laboratory environments:
- GDPR - No sensitive flow outside internal infrastructure
- ISO 27001 / 27002 - Access governance and least privilege
- GLP (Good Laboratory Practice) - Traceability of information system access
- HDS (if health data involved) - Sovereignty and encryption alignment
4.3 Infrastructure impact
- Server prerequisites: Linux (standard distribution) or Windows Server (MSI installer), lightweight resources
- Deployment: Assisted by HEELONYS (Installation Pack includes OS and network hardening)
- Offline availability: operation ensured without internet connection
- Integration: no cloud agent and no third-party SaaS interconnection required
- Maintenance: manual updates (Community) or managed updates (Serenity)
- Downloads: Linux and Windows builds are available on the HeelonVault GitHub releases page
4.4 Organizational impact
- Team vaults: Quality, Infra, R&D, Executive - each team only accesses its own perimeter
- Offboarding management: immediate, traceable revocation with no service break
- CIO/CISO governance: centralized dashboard and autonomous rights management
- Adoption: clear interface, fast onboarding, low learning curve
5. Solution comparison
| CIO criterion | Excel / files | KeePass (local) | SaaS Cloud | HeelonVault |
|---|---|---|---|---|
| Data sovereignty | Partial | Good | Low | Maximum (on-premise) |
| Actionable audit | No | Limited | Medium (vendor) | Native - signed PDF report |
| Team governance | High risk | Complex | Correct | Designed for CIO/CISO |
| Source code auditability | Not relevant | Partial | Impossible | Yes (Apache 2.0) |
| Internet dependency | No | No | Yes | No (native offline) |
| Centralized revocation | No | No | Partial | Yes |
6. Avoided risk scenarios
Scenario 1 - Departure of a system administrator
Without HeelonVault, secrets known by this administrator (root passwords, SSH keys, tokens) may remain active. With HeelonVault, revocation is immediate, centralized, and traceable.
Scenario 2 - Quality or regulatory audit
The organization must prove who accessed which system, when, and why. HeelonVault provides a signed PDF audit report directly usable by auditors.
Scenario 3 - Accidental API token exposure
A developer accidentally pushes a plaintext token into a repository. With HeelonVault, tokens never circulate outside the vault - exposure risk is structurally reduced.
7. Recommended deployment plan
| Step | Action | Owner |
|---|---|---|
| 1 | Inventory existing secrets (types and scope) | CIO + business teams |
| 2 | Define team vaults and role model | CIO |
| 3 | Server deployment and hardening | HEELONYS (Installation Pack) |
| 4 | Progressive secrets migration | CIO + pilot teams |
| 5 | User training | CIO |
| 6 | Enable audit journal | CIO / CISO |
| 7 | Quarterly access review | CIO |
8. Pricing options
| Plan | Cost | Included |
|---|---|---|
| Community | Free | Open-source code, GitHub support, manual updates |
| Installation Pack | EUR 1,500 excl. tax (fixed) | Installation, OS/network hardening, email support in 48h |
| Serenity | Quote-based | Maintenance, updates, premium support, specific evolutions |
9. Conclusion and recommendation
Deploying HeelonVault represents a controlled investment considering covered risks. The solution meets sovereignty, traceability, and access governance requirements expected in laboratory-grade environments.
Recommendation: start with the Installation Pack for fast and secure production rollout on a pilot scope (for example infrastructure team), then extend to all teams.
Ready to secure your secrets?
Let us discuss your context in a 30-minute call.
Document established from public information available on heelonys.fr - April 2026. Publisher: HEELONYS, NANTES.