# Architecture

## Overview <a href="#overview" id="overview"></a>

KeeperPAM is a Zero-Knowledge platform, ensuring that encryption and decryption of secrets, connections, and tunnels occur locally on the end user's device through the Keeper Vault application. Access to resources in the vault is restricted to users with explicitly assigned permissions, enabling them to establish sessions or tunnels securely.

Keeper's zero-trust connection technology further enhances security by providing restricted and monitored access to target systems without direct connectivity, while never exposing underlying credentials or secrets.

### Animated Flow <a href="#overview" id="overview"></a>

The video demonstration below outlines the overall data flow and security architecture of KeeperPAM.&#x20;

{% embed url="<https://vimeo.com/1046903326?share=copy&fl=sv&fe=ci>" %}

If the above Vimeo link is not showing, download the mp4 video file below.

{% file src="<https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2Fdq1GSmLWJiw0G4xhH3iW%2FPAM%20Architecture%20-%20March%202026.mp4?alt=media&token=6a78c0fd-1353-4427-afd4-c6c8fa1af7f4>" %}

### Chapters

This security content will cover the key areas of KeeperPAM:

* [Architecture Diagram](https://docs.keeper.io/en/keeperpam/privileged-access-manager/getting-started/architecture/system-architecture)
* [Vault Security](https://docs.keeper.io/en/keeperpam/privileged-access-manager/getting-started/architecture/vault-security)
* [Router Security](https://docs.keeper.io/en/keeperpam/privileged-access-manager/getting-started/architecture/router-security)
* [Gateway Security](https://docs.keeper.io/en/keeperpam/privileged-access-manager/getting-started/architecture/gateway-security)
* [Connection and Tunnel Security](https://docs.keeper.io/en/keeperpam/privileged-access-manager/getting-started/architecture/connection-and-tunnel-security)<br>