Security & Open Source

How CS2 Vault handles your data · Last updated: July 2026
The short version: CS2 Vault is a local-first desktop app and the entire codebase is public. Your portfolio never leaves your machine, and you don't have to take our word for it — read the code yourself.

1. Local-first: your data stays on your computer

Everything you put into CS2 Vault — holdings, trade history, cost basis, tax settings, API keys — is stored in a local database on your own machine. There is no CS2 Vault account, no cloud sync, and no server of ours that ever receives your portfolio. If you unplug the network, the app keeps working with your data intact.

For a tool that knows what your portfolio is worth and estimates your tax position, we think this is the right default: the most secure server is the one that doesn't exist.

2. Open source: audit it, don't trust it

The full source code is public at github.com/Rudizzle123/cs2vault-electron — the app you download is built from that repository. That means anyone can verify the claims on this page:

If you find a security issue, please open an issue on the repository (or report it privately via GitHub's security advisory feature).

3. What the app connects to

The app makes direct requests from your computer to a small set of third-party services — pricing (CSFloat, Steam Community Market, optionally Pricempire), foreign-exchange rates (frankfurter.app / open.er-api.com), and GitHub Releases for update checks. These go straight from your device to the provider; we don't proxy or log them. The full list and what each receives is in our Privacy Policy.

4. Steam credentials (upcoming storage-unit import)

Today, inventory import uses only Steam's public inventory endpoint — no login, no credentials. A planned Vault Pro feature will import storage-unit contents, which Steam only exposes to a logged-in game session. When that ships, here is how credentials will be handled:

Because the code is open source, this design will be verifiable in the repository when the feature ships, not just described here.

5. Payments

Vault Pro payments are handled entirely by Paddle as merchant of record. Your card details go to Paddle, never to us or through the app. The app itself only ever handles your licence key. Details are in the Privacy Policy.

6. Honest limits

No software is "unhackable" and we won't claim otherwise. The local-first design means the main thing protecting your data is the security of your own computer and OS user account — the same boundary that protects your documents and browser profile. Keep your OS updated, use disk encryption if the machine is shared or portable, and treat exported JSON backups as sensitive files, because they contain your full portfolio in plain text.

CS2 Vault is developed by a solo developer. Open-sourcing the code is a deliberate part of the security posture: more eyes on the code than one person could ever provide.


This page describes the app's architecture in good faith as of the date above. It is not a warranty or a guarantee of security. See the Terms and Privacy Policy for the legal terms that apply.