Organised by the question a prospect will ask. Share the whole page, or link directly to the section that matches their concern.
How do I know it's actually zero-knowledge?
The encryption spec is public and open-source. Your vault key is derived from your master password inside your browser (PBKDF2-SHA256, 600,000 iterations) and never leaves your device. Every secret is AES-256-GCM encrypted before it touches the network. The server stores only ciphertext — even with full database access, an operator sees nothing readable.
Has it been tested by a third party?
Yes. An independent OWASP-aligned penetration test was completed in May 2026 — 42 test cases across authentication, session security, access control, injection and transport. Zero exploitable findings. The full report is downloadable below.
What's the encryption stack in detail?
AES-256-GCM for secret data, applied client-side. PBKDF2-SHA256 with 600,000 iterations for key derivation. bcrypt (cost 12) for the master-password authentication hash held server-side. TLS 1.3 in transit. Nonce-based CSP against XSS. Vault keys are non-extractable Web Crypto API objects, so the browser will not export the raw key bytes to script.
Are you Cyber Essentials certified?
Yes. SealedKeys is certified under the UK Government's Cyber Essentials scheme, independently verified against the NCSC baseline — firewalls, secure configuration, access control, malware protection and patch management. The certificate is publicly verifiable on the Blockmarktech registry.
Is it GDPR compliant? Where is data stored?
All infrastructure runs in the EU (Hetzner, Germany). We are operated by a UK-incorporated company (Novastack Solutions Ltd) under the UK GDPR regime. A Data Processing Agreement (DPA) is available — and because every secret is encrypted client-side, even a full database breach exposes no readable secrets.
Can you complete our security questionnaire or vendor review?
Yes. Email security@sealedkeys.com with a SIG, CAIQ or your own format and we will return it promptly. We can also share the penetration test report and Cyber Essentials certificate under NDA where required.
How does it compare to LastPass / Bitwarden / 1Password?
Most password managers either encrypt on the server or provide an operator recovery path, and neither approach is zero-knowledge. SealedKeys does neither by design. Side-by-side comparisons cover architecture, pricing, team features and UK compliance posture.
What happens to our data if SealedKeys shuts down?
You own your data. Full vault export to an encrypted file is available at any time from Settings. A self-contained offline viewer lets you decrypt it with no account, no internet, and no dependency on SealedKeys. We commit to publishing the full encryption specification publicly before any wind-down.
What does it cost? Are there minimums or long-term contracts?
Free tier with no time limit. Pro is £3.49/user/month or £34.90/user/year (save 17%). No per-organisation minimums, no seat floors. Cancel or downgrade anytime — no lock-in, no exit fees.
Penetration test report
Full OWASP-aligned report, May 2026. 42 tests, zero exploitable findings.
Data Processing Agreement
Article 28 GDPR DPA. Sub-processors, security measures, breach notification.
Trust & compliance overview
Certifications, sub-processors, security practices and request-documents form.
Full sales manual
11-chapter guide covering features, objections, deployment, pricing and more.
Running a vendor review or procurement process? We can turn around completed questionnaires, arrange a technical call, or provide bespoke documentation. Most requests are handled same-day.
Start free — full vault live in under 60 seconds. No card, no time limit.