EU hosted · Zero-knowledge · DPA available

GDPR Compliant Password Manager

Your secrets are encrypted on your device before they reach our servers. EU data residency on every plan. A zero-knowledge architecture that simplifies your GDPR obligations rather than complicating them.

How SealedKeys addresses GDPR

The architecture and features that matter for your compliance team.

EU data residency — all plans

Your encrypted vault is stored on Hetzner infrastructure in Germany. No data is transferred outside the EU. This applies to every plan — not just enterprise. No contractual gymnastics to keep your data in Europe.

Zero-knowledge = minimal processing

GDPR requires a lawful basis for any processing of personal data, and storing data counts as processing (Article 4(2)) even when it is encrypted: encryption is a security measure under Article 32, not a way out of the Regulation. What SealedKeys' zero-knowledge architecture changes is the scope and the risk of that processing. Items are encrypted on your device and the server stores only AES-256-GCM ciphertext; SealedKeys never holds the key and cannot read your secrets. You remain the controller of the data in your vault, and SealedKeys acts as a processor whose only operation on it is storing and returning the encrypted form.

Data Processing Agreement (DPA) available

A GDPR-compliant DPA is available on request. Article 28 requires a written contract whenever a processor handles personal data on a controller's behalf, so your compliance team should ask for one. Given the zero-knowledge model, the processing SealedKeys performs is limited to storing and returning ciphertext. Email hello@sealedkeys.com.

Full audit log for data access events

GDPR's accountability principle (Article 5(2)) requires you to demonstrate control over access to personal data. SealedKeys logs every view, copy, edit and deletion with timestamp, user and IP address, so the record is ready for a supervisory authority (Data Protection Authority) request or an incident response. Note that the user identifiers and IP addresses in the log are themselves personal data, so give the log a defined retention period in your own records of processing.

Instant data deletion

Right to erasure (Article 17)? Delete a vault item and its ciphertext is removed from the live database immediately; account data is purged within 30 days of account deletion. Because encryption happens on your device, no plaintext copy of your secrets has ever existed in our database or our backups.

Encrypted export — data portability

Supports GDPR's right to data portability (Article 20). Export your entire vault as an encrypted backup at any time, with no support tickets and no hoops. The offline viewer decrypts the backup locally, with no internet connection.

The GDPR checklist SealedKeys satisfies

Data stored in the EU (Hetzner, Germany) — no US transfers
Zero-knowledge: we cannot read or decrypt your secrets
Client-side encryption: the server stores AES-256-GCM ciphertext only, never plaintext
Encryption in transit: TLS 1.3
Data Processing Agreement available on request
Audit log for all data access events
Data portability: full vault export, any time, no support ticket
Right to erasure: delete items permanently, immediate effect

Frequently asked questions

Is SealedKeys GDPR compliant?

SealedKeys is designed with UK GDPR and EU GDPR in mind. Data is stored on EU infrastructure (Hetzner, Germany) and never transferred outside the EU. Because items are encrypted on your device, the server processes only ciphertext it cannot decrypt. Your lawful basis for holding the data does not change, but the personal data you expose to a third-party processor, and the breach risk you must assess, shrink considerably. A Data Processing Agreement is available on request.

Where is SealedKeys data stored?

All data is stored on Hetzner servers in Germany (EU). No data is transferred to the US or any third countries. TLS 1.3 protects data in transit. At rest, secrets are stored as AES-256-GCM ciphertext only — never plaintext.

Does SealedKeys offer a Data Processing Agreement?

Yes. Email hello@sealedkeys.com to request a DPA. Given the zero-knowledge model, our role as a data processor is limited — we cannot read the personal data your team stores in the vault. The DPA documents this relationship clearly.

How does zero-knowledge help with GDPR?

GDPR requires a lawful basis for processing personal data and mandates data minimisation (Article 5(1)(c)). SealedKeys' zero-knowledge architecture means the server stores only ciphertext it cannot decrypt. That does not take the data out of GDPR's scope, since encrypted personal data is still personal data, but it minimises what the processor can see and what an attacker could obtain from our servers. You remain the controller of your secret data; SealedKeys is a processor acting as an encrypted storage layer.

Can I export all my data for a GDPR data portability request?

Yes. Export your full vault at any time from Settings → Export. Two formats: encrypted backup (recommended) and plaintext JSON. No support ticket required. The offline viewer decrypts the encrypted backup locally with no internet connection, so your data is genuinely portable. The plaintext JSON export is decrypted on your device and contains every secret in clear, so keep it only on encrypted media and delete it once you have imported it elsewhere.

What happens to my data if I cancel?

You can export your vault at any time before cancelling. After account deletion, vault data is permanently deleted from the database within 30 days. Because we store only ciphertext, there is no plaintext data to recover or retain.

GDPR-friendly by architecture, not policy

25 items free. Pro at £3.49/user/month. DPA available on request.