Vault by Tick My Work

Total Endpoint Security.
Zero Compromise.

Granular, policy-driven control over every device, file, and access point in your organisation — enforced at the operating system level. Built for businesses that refuse to leave security to chance.

Request a Demo → Explore Features

vault.tickmywork.com / admin

200

Devices

99.8%

Uptime

30s

Offboard

✓

All policies active — 200 endpointsSecure

→

VPN — 184 active connectionsEncrypted

→

USB blocked — 3 attempts todayBlocked

✓

Incremental backup completeProtected

Security Features

Security Layers

30s

Deployment Time

AES-256

Encryption

Why Vault Exists

Traditional Security Was Never Built
for How You Work Today.

Your workforce is distributed. Your data is everywhere. Your existing tools were designed for a world where everyone sat in the same office. That world is gone.

VPNs Encrypt Traffic, Not Behaviour

Your VPN encrypts the tunnel but exercises zero control over what employees do once connected. Files can be copied to personal drives, USB devices can be mounted, and sensitive data can walk out the door — encrypted or not.

Offboarding Takes Days, Not Seconds

When an employee departs, IT scrambles to revoke access across dozens of disconnected systems. The average enterprise takes 24–72 hours. Vault revokes everything — files, VPN, devices, monitoring — in 30 seconds flat.

You Can't Protect What You Can't See

Without file-level audit trails, automated screenshot capture, device logs, and session monitoring, you're operating blind. Vault provides complete visibility across every endpoint in your organisation.

Data Protection

Your Files. Your Rules.
Absolute Control.

Every company file lives in one secure vault. Every employee sees only what they're authorised to see. No exceptions, no workarounds, no bypasses.

Core

Centralised Vault Storage

All company files stored on a secure network share, accessed via a mapped network drive. Users connect seamlessly without manual configuration — every file in one controlled location.

Policy Engine

Granular Folder Policies

Define exactly which folders each user or endpoint can access. Policies assigned per-agent, per-department, per-location, or as defaults — with configurable priority ordering for complex organisations.

Enforcement

NTFS ACL Enforcement

Three-tier permission model: parent vault gets read-only traversal, allowed folders get full control with recursive inheritance, non-allowed folders get explicit DENY that overrides any group permissions.

Stealth

Access-Based Enumeration

Restricted folders are completely hidden from the user's file explorer. Employees don't just lack access — they have zero awareness that restricted content even exists.

Integrity

SHA256 Policy Verification

Every policy is cryptographically hashed and verified on the agent side before enforcement. Prevents policy tampering or corruption during transit — mathematical certainty that policies are genuine.

Seamless

Automatic Drive Mapping

Network share automatically mapped upon login with retry logic for VPN scenarios where the network takes time to stabilise. Zero configuration required from end users.

Audit & Compliance

Every File. Every Action.
Every User. Logged.

Know exactly who accessed, modified, moved, or deleted any file — with timestamps, user identity, and success/failure status. Your compliance auditors will thank you.

File Operations — Last 7 Days × 24 Hours (14,200+ events)

Quiet Reads Writes Moves Denied

Complete File Operation Tracking

Every file operation — CREATE, DELETE, UPDATE, MOVE, RENAME — tracked with user identity, timestamp, file path, file size, and success/failure status across every endpoint.

Multi-Method Monitoring

Three layers of file visibility: Windows Security Event Log (primary), Watchdog file system events (fallback), and periodic directory polling (safety net). Nothing slips through.

Advanced Filtering & Search

Filter audit logs by user, action type, folder, and date range. Locate specific file operations across your entire organisation in seconds.

Export to CSV / JSON

Download filtered audit logs in CSV or JSON format for compliance reporting, legal holds, or external analysis. Ready for any regulatory framework.

Intelligent Noise Filtering

Automatically filters Office temporary files, lock files, system artifacts, and policy-change bursts. Event deduplication with a 5-second coalescing window eliminates noise.

Audit Statistics Dashboard

Total logs, daily counts, breakdown by event type, top active users, and failed operations — all visible at a glance from the admin panel.

Employee Visibility

See Everything.
Miss Nothing.

Remote teams require trust — and verification. Vault provides automated screenshot capture, live session monitoring, and activity timelines so you know exactly how your workforce operates.

2,880

Captures / Day

30s

Capture Interval

Multi

Monitor Support

8 Days

Auto Retention

Screenshot Monitoring · Real-Time Capture ● Active on All Endpoints

Screenshot Monitoring

Automated Screenshot Capture

Capture screenshots at configurable intervals — default every 30 seconds, up to 2,880 per day. Drift-free timing using monotonic clock ensures precise intervals without cumulative delay.

Multi-Monitor Support

Capture all connected monitors stitched into a single image, primary monitor only, or a specific monitor — configurable per agent for maximum flexibility.

Hour-by-Hour Gallery

Browse screenshots organised by date and hour. Collapsible hour blocks with screenshot count per hour for rapid navigation through an employee's workday.

Per-Agent Configuration

Enable or disable per user. Configure image quality (JPEG 0–100), maximum daily cap, idle behaviour, and retention period independently for each endpoint.

User Activity Timeline

Track keyboard and mouse activity with active/idle state detection. View activity periods with input event counts and screenshot counts per session.

Automatic Retention & Cleanup

Screenshots automatically deleted after the configurable retention period (default 8 days). Storage usage tracked and displayed per user — no manual housekeeping.

Session Tracking

Live Session Monitoring

See who is currently logged in, from which machine, in real time. Active sessions highlighted with status badges for instant workforce visibility.

Session History & Duration

Full login/logout timeline with duration tracking. View past and current sessions with formatted durations and status indicators — Connected, Disconnected, Timed Out.

Session Statistics

Dashboard cards showing total sessions, currently active count, average session duration, and sessions today — with department-level breakdown for workforce analytics.

Remote Session Termination

Force-logout any active user session remotely from the web dashboard. Immediate response capability for security incidents.

Automatic Session Detection

Windows session events are automatically detected via WTS API. No user interaction required — login, logout, lock, and unlock events tracked transparently.

Data Loss Prevention

Lock Down Every Device.
Block Every Leak.

USB drives, Bluetooth peripherals, local drives, email attachments — every data exfiltration vector is controlled from one dashboard. If data shouldn't leave, it won't.

USB

USB Device Control

Block, allow, or set read-only mode for USB storage devices. Manage a device whitelist with approval workflows. Track every device by vendor ID, product ID, and serial number.

Bluetooth

Bluetooth Control

Block or allow Bluetooth connections entirely. Manage a Bluetooth device whitelist with an approval workflow for authorised peripherals — no unauthorised wireless data transfer.

Drives

Local Drive Blocking

Hide and/or block access to local drives (C:, D:, E:, F:) via Windows registry policies. Three modes: Hide & Block, Hide Only, Block Only. The vault drive always remains accessible.

System

Control Panel & Settings Blocking

Restrict access to Windows Control Panel and the Settings app. Prevents users from modifying system configurations. Registry-based enforcement applies within 30 seconds.

Email Policy Controls

Set maximum attachment size limits, define allowed and blocked email domains, and block specific file extensions from being sent via email. Data stays where it belongs.

Transfers

Data Transfer Monitoring

Detect and alert on large file transfers with configurable threshold alerts. Source/destination tracking provides complete data movement visibility across the organisation.

Audit Trail

Device Event Logging

Complete audit trail of all device events — USB connected/disconnected/blocked, Bluetooth state changes, and policy enforcement actions with timestamps and user context.

Web & DNS Security

Control What Your
Network Touches.

Block malicious websites, restrict social media, eliminate ads, and log every DNS query. Category-based filtering with a single toggle — no complex configuration required.

DNS-Based Website Filtering

Block websites by domain using hosts file redirection. Supports both blocklist mode (block specific sites) and allowlist mode (allow only approved sites). Changes take effect immediately with automatic DNS cache flush.

Category-Based Blocking

Block entire categories of websites with a single toggle: Adult Content, Gambling, Social Media, Gaming, Streaming, and Shopping. Rapid organisation-wide policy enforcement.

DNS Ad Blocking

Built-in ad blocking using DNS blocklists at three levels: Basic, Moderate, and Aggressive. Custom blocked/allowed domains supported. All DNS queries tracked for audit.

Browser Control

Allow-specific or block-specific browser modes. Automatically terminates non-allowed browsers (Chrome, Firefox, Opera, Brave, Edge). Integrated with DNS filtering for layered enforcement.

DNS Query Logging

Log all DNS queries with query type, blocked status, response code, and response time. Complete network visibility and forensic analysis capability for every endpoint.

Layered Defence

Four Walls. Four Independent
Layers of Protection.

Network Firewall. Server Firewall. Application Firewall. Data Firewall. Each layer operates independently — a breach in one doesn't compromise the others.

4-Layer Defence System

Comprehensive security with four independent protection layers: Network Firewall, Server Firewall, Application Firewall, and Data Firewall — each configurable independently.

Vault Encryption

Directory-level encryption using Windows EFS via cipher.exe. Data encrypted at rest on vault storage — even physical drive theft yields nothing without proper credentials.

Threat Detection & Ransomware Protection

Monitors for suspicious file activity patterns that indicate ransomware behaviour. Configurable detection thresholds with automatic alerting when threats are identified.

Security Event Logging

Complete audit trail of all security events with severity levels, principal (who), resource (what), operation (action), and IP address tracking. Automatic log rotation.

Security Overview Dashboard

Real-time status display of all four protection layers, recent threat counts, and overall protection status with visual indicators. One glance tells you everything.

Backup & Recovery

Never Lose a File
Again. Ever.

Automated full and incremental backups, point-in-time recovery, file version history, and selective restoration. When disaster strikes, recovery takes minutes — not days.

156

Total Backups

1.8 TB

Data Protected

100%

Success Rate

42,815

Files Backed Up

Restore Points — Last 7 Days

Feb 28Mar 01Mar 02Mar 03Mar 04Mar 05Today

Scheduled Full Backups

Automated daily full backups at a configurable time (default 2:00 AM). Tracks files total, copied, skipped, and failed with duration and size metrics for complete oversight.

Incremental Backups

Daily incremental backups that only process files changed since the last run. SHA256 file hash tracking ensures efficient change detection — minimal storage, maximum protection.

On-Demand Manual Backups

Run full or incremental backups at any time with a single click. Background job tracking with real-time status updates — no waiting, no scheduling constraints.

Point-in-Time Recovery

Restore data to any specific date and time. Visual timeline of all backup points for easy selection. Preview restore results before executing — precision recovery guaranteed.

File Version History

Browse all historical versions of any file across all backups. Restore individual files to any previous version without affecting other data — surgical-grade file recovery.

Selective File Restoration

Restore only selected files or folders rather than the entire backup. Preview mode shows exactly what will be restored before committing — no surprises.

Backup Statistics & History

Dashboard showing total backups, success/failure counts, files backed up, total storage used, and last backup time. Full backup run history with type, status, and metrics.

Automatic Retention Management

Old backups automatically cleaned up after the configurable retention period (default 8 days). Configurable retention versions (default 5) per file — zero manual intervention.

Secure Remote Access

Your Office Network.
Accessible From Anywhere. Securely.

Built-in VPN with AES-256 encryption, auto-reconnect, office network detection, and session analytics — all managed from the same Vault dashboard. No separate VPN vendor required.

Branded

Vault Secure Access

Built on SoftEther VPN, fully rebranded as Vault Secure Access. Provides secure remote access to the vault for off-network users without exposing the file server directly.

Flexible

Dual Connection Modes

Direct IP mode (faster, for port-forwarded setups) and VPN Azure relay mode (works behind any firewall/NAT without port forwarding). Admin selects the active mode from the dashboard.

Management

Remote User Management

Create, update, and delete VPN user accounts directly from the admin panel. Organise users into access groups. Assign VPN credentials via policies — all centralised.

Smart

Office Network Auto-Detection

Agent automatically detects when the user is on the office network (via gateway IP or DNS suffix) and skips VPN, connecting directly. Seamless experience for hybrid workers.

Resilient

Auto-Reconnect & Monitoring

Automatic reconnection on VPN drops with status checks every 10 seconds. VPN events (connected, disconnected, failed, reconnecting) sent to backend for admin visibility.

Encrypted

AES-256-CBC Encryption

All VPN traffic encrypted with AES-256-CBC. Supports up to 100 concurrent sessions with configurable session timeout (8 hours) and idle timeout (30 minutes).

Desktop App

Connection Manager GUI

User-friendly desktop application with connection status display, credential storage (remember me), server selection, and one-click connect/disconnect for seamless user experience.

Analytics

VPN Session Analytics

Track active VPN connections with duration, data sent/received, client and server IP addresses. Full connection event log for security auditing and usage analysis.

Agent Management

Zero-Config Agents.
Total Control.

Agents install in 30 seconds with zero configuration. Admin approval workflows, automatic deduplication, heartbeat monitoring, and offline resilience — all managed centrally.

197

Endpoints Online

Warnings

Offline

60s

Heartbeat

30s

Deploy Time

■■■■■■■■■■■■■■■■■■■■ ■■ ■

Fleet Health Distribution

98.5% Healthy · 1% Warning · 0.5% Offline

Bootstrap

Zero-Config Bootstrap

Agent starts with just a backend server URL — no manual configuration needed. Auto-registers with hostname, IP address, OS version, and system metadata on first run.

Approval

Admin Approval Workflow

New agent enrollments appear as pending requests in the admin panel. Admin reviews and approves or rejects each enrollment. Approved agents receive full configuration automatically.

Dedup

Agent Deduplication

One PC = one Agent ID (SHA256 of hostname). Re-registrations automatically clean up old entries, preventing duplicate agent records in the system.

Revoke

Agent Revocation & Deletion

Admin can revoke agent access, blocking all operations. Deleting an agent triggers auto-cleanup on the endpoint: ACLs revoked, drive unmapped, credentials cleared, service stopped.

Control

Enrollment Control Toggle

Admin can open or close enrollment globally. When closed, no new agents can register, protecting against unauthorised device enrollment on the network.

Health

Heartbeat & Health Monitoring

Agents send heartbeats at configurable intervals (default 60 seconds). Dashboard shows health status (healthy/warning/critical) with time since last contact.

Offline

Offline Resilience

Local SQLite database on each agent caches audit logs, events, and screenshots when the server is unreachable. Events automatically uploaded when connectivity is restored.

Architecture

Dual-Component Architecture

Windows Service (SYSTEM privileges) handles policy enforcement, ACLs, device control, and server communication. User Client (hidden, user session) handles file visibility, screenshots, and activity tracking. Secure Named Pipe IPC.

Admin Dashboard

Command Centre.
Real-Time Visibility.

At-a-glance statistics, agent health monitoring, active alerts, and system resource tracking. WebSocket real-time updates — no manual refresh needed.

Vault Folders

200

Active Agents

Active Policies

14.2K

Audit Logs (24H)

CPU: 23% · RAM: 12.4 GB / 32 GB · Disk: 1.2 TB Free ● WebSocket Connected · Real-Time

Overview Dashboard

At-a-glance statistics: total folders, active agents, active policies, and audit log entries (last 24 hours). Recent activity feed showing the last 10 file operations in real time.

Agent Health Dashboard

Monitor all agents with health status indicators (healthy/warning/critical), last-seen timestamps, agent versions, and online/offline/revoked states.

Active Alerts Panel

Automatic alerts for offline agents, blocked devices, failed policy applications, and revoked agents. Prioritised alert display for quick incident response.

Activity Timeline

Hourly breakdown of all events for the past N hours. Visualise organisational activity patterns and identify unusual behaviour at a glance.

Quick Actions

One-click access to common tasks: create policy, export logs, refresh agent status. Streamlines daily admin workflows without navigating through menus.

System Resource Monitoring

Real-time CPU usage, memory usage and availability, and disk usage and free space on the server — visible from the admin dashboard at all times.

WebSocket Real-Time Updates

Live dashboard updates via WebSocket connections. No manual refresh needed — agent status, events, and alerts update automatically as they happen.

Administration

Secure Admin Controls.
Full Configuration.

Secure authentication, granular configuration, and system health monitoring — everything you need to manage Vault at scale from a single settings panel.

Auth

Config

Database

Health

Admin Authentication

Secure username/password login for the admin panel with session tokens. Sessions expire after 2 hours. IP address and user-agent tracked for security auditing.

Password Management

Change admin password with current password verification, minimum length validation (6 characters), and confirmation matching. Secure credential management built in.

Global Configuration

Configure heartbeat interval, offline grace period, event retention (90 days), screenshot retention (8 days), max screenshot size, and server display name — all from the settings page.

Database Statistics

View total agents, policies, and events count. Monitor PostgreSQL database size for capacity planning and system health oversight.

Deployment & Infrastructure

Deploy in Minutes.
Enterprise Architecture.

One-click server setup, ready-to-deploy agent kits, and a clean 3-tier architecture. Everything is built for rapid deployment and long-term scalability.

One-Click Server Setup

Single batch script (setup_server.bat) handles complete server initialisation: installs dependencies, configures database, creates vault share, sets up firewall rules, and verifies everything.

Easy Server Startup

start_all_servers.bat launches Backend and Web UI with automatic database health checks. Separate scripts available for individual component startup.

Agent Deployment Kit

Ready-to-deploy folder with compiled executables, configuration files, and batch scripts. Zero Python files shipped — fully compiled for security. Supports install-all, service-only, client-only, or VPN-only installation.

Diagnostic & Troubleshooting Tools

Built-in network diagnosis, backend connectivity checks, service status scripts, and PowerShell diagnostics for rapid troubleshooting in any environment.

3-Tier Architecture

Flask Web UI (port 5000) → FastAPI Backend API (port 9000) → PostgreSQL Database (port 5432). Clean separation of presentation, business logic, and data layers.

Comprehensive Data Model

30+ PostgreSQL tables with 15+ optimised indexes covering agents, policies, audit logs, events, sessions, screenshots, backups, device control, VPN, firewall, DNS filtering, and system settings.

Auto-Generated API Documentation

FastAPI auto-generates interactive API documentation (Swagger UI) at /docs endpoint for easy integration and testing by developers and system administrators.

Total Endpoint Security.Zero Compromise.

Traditional Security Was Never Builtfor How You Work Today.