EU hosted · Zero-knowledge · DPA available

GDPR Compliant
Password Manager

Your secrets are encrypted on your device before they reach our servers. EU data residency on every plan. Zero-knowledge architecture that simplifies your GDPR obligations — not complicates them.

In short

SealedKeys supports GDPR-compliant credential management through EU-only data residency and a zero-knowledge architecture where the provider never holds plaintext secrets. All data is encrypted client-side with AES-256-GCM and protected by TLS 1.3 in transit.

How SealedKeys addresses GDPR

The architecture and features that matter for your compliance team.

EU data residency — all plans

Your encrypted vault is stored on Hetzner infrastructure in Germany. No data is transferred outside the EU. This applies to every plan — not just enterprise. No contractual gymnastics to keep your data in Europe.

Zero-knowledge = minimal processing

GDPR requires a lawful basis for processing personal data. SealedKeys' zero-knowledge architecture means we store only AES-256-GCM ciphertext. We cannot read your secrets — we are not a controller of your secret data, only the encrypted form.

Data Processing Agreement (DPA) available

A GDPR-compliant DPA is available on request. Given the zero-knowledge model, SealedKeys' role as a data processor is minimal — but if your compliance team needs one, email hello@sealedkeys.com.

Full audit log for data access events

GDPR's accountability principle requires you to demonstrate control over personal data access. SealedKeys logs every view, copy, edit and deletion with timestamp, user and IP — ready for DPA audit requests or incident responses.

Instant data deletion

Right to erasure? Delete vault items immediately and they are gone — the ciphertext is removed from the database. No backups with your plaintext secrets exist on our servers because we never had the plaintext.

Encrypted export — data portability

GDPR's right to data portability. Export your entire vault as an encrypted backup at any time — no support tickets, no hoops. The offline viewer decrypts it locally with no internet connection.

The GDPR checklist SealedKeys satisfies

Data stored in the EU (Hetzner, Germany) — no US transfers
Zero-knowledge — we cannot read or process your secrets
Encryption at rest: AES-256-GCM ciphertext only
Encryption in transit: TLS 1.3
Data Processing Agreement available at sealedkeys.com/dpa
Audit log for all data access events
Data portability: full vault export, any time, no support ticket
Right to erasure: delete items permanently, immediate effect

Article 28 DPA — what it covers and why you need one

Under UK GDPR and EU GDPR Article 28, any time you engage a third party to process personal data on your behalf — including a password manager that stores your team's credentials — you must have a written Data Processing Agreement in place. Without one, your organisation is in breach of GDPR regardless of how secure the underlying technology is.

What a DPA must cover

  • Subject matter, duration and nature of the processing
  • Purpose of processing and type of personal data
  • Rights and obligations of controller and processor
  • Sub-processor restrictions and approval process
  • Security measures (technical and organisational)
  • Data deletion or return on contract end

Why your password manager needs one

  • Credentials are often linked to named individuals (personal data)
  • The vault provider processes that data on your behalf
  • Regulators expect a signed DPA for every processor relationship
  • Absence of a DPA is a standalone GDPR infringement
  • Required for ISO 27001, Cyber Essentials Plus and SOC 2 audits
  • Needed before many enterprise procurement teams will approve a tool

SealedKeys provides a pre-signed DPA covering both UK GDPR and EU GDPR Article 28 requirements, available immediately at sealedkeys.com/dpa. Because SealedKeys' zero-knowledge architecture means we hold only encrypted ciphertext — not your plaintext secrets — our role as a data processor is unusually limited. The DPA documents this clearly, simplifying your compliance team's review. No negotiation required for standard terms; custom DPA addenda available on Pro plans.

Common GDPR audit questions — answered

The questions your DPO, auditor or enterprise procurement team will ask when reviewing SealedKeys.

Q.Who is the data controller?

A. Your organisation is the data controller for the credentials and secrets stored in your SealedKeys vault. SealedKeys (SealedKeys Ltd) acts as the data processor — we hold encrypted ciphertext on your behalf but cannot decrypt or read any of it. This controller/processor split is documented in the Article 28 DPA available at sealedkeys.com/dpa.

Q.Where is data processed?

A. All data is stored and processed on Hetzner GmbH infrastructure in Frankfurt, Germany — within the EU. No sub-processors outside the EU are used for vault data. TLS 1.3 is enforced in transit and AES-256-GCM encryption is applied client-side before upload. No data transfer mechanisms (SCCs, adequacy decisions) are required because no data leaves the EU.

Q.What personal data does SealedKeys hold?

A. SealedKeys holds: your account email address (used for authentication and transactional emails), a bcrypt hash of your master password (the plaintext is never transmitted), and AES-256-GCM ciphertext of your vault items. We cannot link the ciphertext to any individual or read its contents. Analytics in the vault interface use Umami, a privacy-first tool that stores no IP addresses and collects no personal identifiers.

Q.How are data breaches handled?

A. SealedKeys undergoes annual penetration testing (most recently May 2026, zero findings) and holds Cyber Essentials certification. In the event of a security incident, we follow a documented incident response process and notify affected customers within 72 hours as required under Article 33. Because vault data is encrypted with keys we do not hold, a breach of our servers would expose only ciphertext with no practical decryption path.

Frequently asked questions

Is SealedKeys GDPR compliant?+

SealedKeys is designed with UK GDPR and EU GDPR in mind. Data is stored on EU infrastructure (Hetzner, Germany) and never transferred outside the EU. The zero-knowledge architecture means we process only encrypted ciphertext — the lawful basis and data minimisation obligations are simplified because we cannot access your secrets. A Data Processing Agreement is available at sealedkeys.com/dpa.

Where is SealedKeys data stored?+

All data is stored on Hetzner servers in Germany (EU). No data is transferred to the US or any third countries. TLS 1.3 protects data in transit. At rest, secrets are stored as AES-256-GCM ciphertext only — never plaintext.

Does SealedKeys offer a Data Processing Agreement?+

Yes. A pre-signed DPA covering both UK GDPR and EU GDPR Article 28 requirements is available at sealedkeys.com/dpa. Given the zero-knowledge model, our role as a data processor is limited — we cannot read the personal data your team stores in the vault. The DPA documents this relationship clearly.

How does zero-knowledge help with GDPR?+

GDPR requires a lawful basis for processing personal data and mandates data minimisation. SealedKeys' zero-knowledge architecture means the server stores only ciphertext we cannot decrypt. This simplifies your GDPR obligations: we are not a controller of your secret data, only an encrypted storage layer.

Can I export all my data for a GDPR data portability request?+

Yes. Export your full vault at any time from Settings → Export. Two formats: encrypted backup (recommended) and plaintext JSON. No support ticket required. The offline viewer decrypts the encrypted backup locally with no internet connection — your data is genuinely portable.

What happens to my data if I cancel?+

You can export your vault at any time before cancelling. After account deletion, vault data is permanently deleted from the database within 30 days. Because we store only ciphertext, there is no plaintext data to recover or retain.

Does SealedKeys appoint a Data Protection Officer (DPO)?+

SealedKeys does not currently appoint a DPO. Under UK GDPR and EU GDPR, a DPO is mandatory only for public authorities, organisations that carry out large-scale systematic monitoring, or those that process special category data at scale. SealedKeys does not process special category data — it stores only encrypted ciphertext — so appointment of a DPO is not required at our current scale. We are registered with the ICO. For any data protection queries, contact hello@sealedkeys.com.

Can we use SealedKeys for healthcare or NHS data?+

SealedKeys is suitable for storing credentials that grant access to healthcare systems — for example, the username and password your team uses to log in to an NHS portal or clinical system. What SealedKeys is not designed to be is a primary store for special category health data (patient records, clinical notes) under GDPR Article 9. The distinction matters: your login secrets are protected by zero-knowledge encryption; actual patient data should remain in a compliant clinical records system. If you are unsure whether your use case is in scope, email hello@sealedkeys.com.

How does zero-knowledge help with GDPR Article 25 (data protection by design)?+

Article 25 requires controllers to implement technical and organisational measures that embed data protection into processing activities by design and by default. SealedKeys' zero-knowledge architecture is that technical measure: encryption is performed entirely on the client before any data leaves the device, so the server is structurally incapable of accessing plaintext. There is no configuration option to disable this — it is the default and the only mode. This means your password manager satisfies Article 25's 'by design' and 'by default' requirements at the infrastructure level, not through policy alone.

Related

Need full data residency on your own infrastructure?

Dedicated instance — your vault on an isolated server in your chosen region, managed by us. No shared tenancy. From £399/month.

Learn more

GDPR-friendly by architecture, not policy

Free to start — no credit card. DPA available at sealedkeys.com/dpa. Pro at £3.49/user/month.