Trust & compliance

Security you can verify, not just trust

Everything a security or procurement team needs to evaluate SealedKeys — our certifications, data residency, sub-processors and the documents we can share — in one place.

In short

SealedKeys is a zero-knowledge secrets manager operated from the EU by Novastack Solutions Ltd, a UK company. It is UK Cyber Essentials certified, independently penetration-tested with zero exploitable findings, GDPR-aligned with EU data residency, and uses client-side AES-256-GCM encryption so its operators cannot read customer secrets. A DPA, penetration-test report and security-questionnaire support are available on request from security@sealedkeys.com.

Cyber Essentials certified

Independently verified against the UK NCSC baseline.

Independently pen-tested

42 test cases, zero exploitable findings (May 2026).

EU data residency

All data hosted in the EU (Hetzner, Germany).

Zero-knowledge

Secrets encrypted client-side; we can't read them.

GDPR-aligned

DPA available; UK/EU data protection regime.

UK incorporated

Novastack Solutions Ltd, England & Wales.

Certifications & independent assessments

Cyber Essentials Certified

Certified under the UK Government's Cyber Essentials scheme, independently verified against the NCSC baseline — firewalls, secure configuration, access control, malware protection and patch management.

Verify certificate →

Independent penetration test

A full manual OWASP-aligned penetration test against the production application was completed in May 2026 — 42 test cases across authentication, session security, access control, injection and transport. Zero exploitable findings.

Download full report (PDF) →

Data protection & residency

SealedKeys is operated by Novastack Solutions Ltd (company no. 16779485), incorporated in England & Wales. All application and database infrastructure is hosted in the EU. Because every secret is encrypted on your device before it reaches us, the data we hold is ciphertext — a database breach would expose no readable secrets.

  • EU data residency by default — no opt-in or enterprise tier required
  • GDPR-aligned processing; a Data Processing Agreement is available on request
  • Customer secrets are never accessible to SealedKeys staff — there is no decryption back door
  • Full data export and an offline decryption viewer mean you are never locked in

Sub-processors

The third parties that process data on our behalf. We notify customers of material changes to this list.

| Sub-processor | Purpose | Data processed | Location |
|---|---|---|---|
| Hetzner Online GmbH | Application hosting & database | Encrypted vault data, account records | Germany (EU) |
| Resend | Transactional email (invites, alerts) | Email address, display name | USA |
| Cloudflare | Authoritative DNS (DNS-only, no proxying of vault traffic) | DNS queries only — no account or vault data | Global |
| Have I Been Pwned | Breach monitoring lookups (only if enabled) | Account email (proactive) or partial password hash via k-anonymity (on-demand) | Cloudflare CDN |

Operational security

  • All traffic encrypted in transit with TLS 1.3
  • Secrets encrypted at rest with AES-256-GCM, keys derived client-side (PBKDF2-SHA256, 600k iterations)
  • Master passwords hashed server-side with bcrypt (cost 12) — never stored in plaintext
  • TOTP two-factor authentication available on every account
  • Immutable audit log of every vault view, copy, edit and deletion
  • Vault keys are non-extractable in the browser (Web Crypto API)
  • Nonce-based Content Security Policy as the primary XSS defence
  • Annual independent penetration testing
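
A reviewer can reproduce the client-side properties listed above (PBKDF2-SHA256 at 600k iterations, AES-256-GCM, non-extractable Web Crypto keys) with the sketch below. It is an added example, not SealedKeys' own code: the function names, the 16-byte salt, the 12-byte IV and the sample values are assumptions.

```javascript
// Added illustration, not SealedKeys' code. Function names, salt/IV sizes
// and sample values are assumptions; KDF and cipher parameters are the page's.
const wc = globalThis.crypto || require('node:crypto').webcrypto;
const enc = new TextEncoder();

// PBKDF2-SHA256 (600k iterations) -> non-extractable AES-256-GCM key.
async function deriveVaultKey(masterPassword, salt) {
  const material = await wc.subtle.importKey(
    'raw', enc.encode(masterPassword), 'PBKDF2', false, ['deriveKey']);
  return wc.subtle.deriveKey(
    { name: 'PBKDF2', hash: 'SHA-256', salt, iterations: 600000 },
    material,
    { name: 'AES-GCM', length: 256 },
    false,                       // extractable=false: exportKey() will refuse
    ['encrypt', 'decrypt']);
}

// Encrypt one secret with a fresh random 96-bit IV; only {iv, ct} leave the client.
async function sealSecret(key, plaintext) {
  const iv = wc.getRandomValues(new Uint8Array(12));
  const ct = await wc.subtle.encrypt({ name: 'AES-GCM', iv }, key, enc.encode(plaintext));
  return { iv, ct: new Uint8Array(ct) };
}

async function openSecret(key, { iv, ct }) {
  const pt = await wc.subtle.decrypt({ name: 'AES-GCM', iv }, key, ct);
  return new TextDecoder().decode(pt);
}

// Resolves true if the given operation is rejected.
const rejects = (p) => p.then(() => false, () => true);

async function demo() {
  const salt = wc.getRandomValues(new Uint8Array(16));   // constructed sample
  const key = await deriveVaultKey('correct horse battery staple', salt);
  const record = await sealSecret(key, 'db-password-123');
  const roundTrip = await openSecret(key, record);
  const exportBlocked = await rejects(wc.subtle.exportKey('raw', key));
  const wrongKey = await deriveVaultKey('not the master password', salt);
  const wrongKeyRejected = await rejects(openSecret(wrongKey, record));
  const tampered = { iv: record.iv, ct: Uint8Array.from(record.ct) };
  tampered.ct[0] ^= 1;                                   // flip one ciphertext bit
  const tamperRejected = await rejects(openSecret(key, tampered));
  return { roundTrip, exportBlocked, wrongKeyRejected, tamperRejected,
           extractable: key.extractable };
}

demo().then((r) => console.log(r));
```

The GCM tag is what makes the wrong-password and tampered-ciphertext cases fail closed instead of returning garbage plaintext.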

Request documents

Running a vendor review? Email security@sealedkeys.com and we'll turn these around quickly. Some items are shared under NDA where appropriate.

  • Data Processing Agreement (DPA)
  • Full penetration-test report
  • Cyber Essentials certificate
  • Completed security questionnaire (SIG / CAIQ / your format)
  • Sub-processor list & transfer mechanisms
  • Architecture & data-flow overview

Frequently asked questions

Where is SealedKeys data hosted?

All application and database infrastructure runs in the EU, with Hetzner in Germany. TLS 1.3 protects data in transit, and all secret values are stored as AES-256-GCM ciphertext that is encrypted on your device before it reaches us. Cloudflare provides authoritative DNS only (DNS-only / grey-cloud) and does not proxy or terminate vault traffic.

Who can access our data?

Nobody at SealedKeys can read your secrets. They are encrypted client-side with a key derived from your master password, which we never receive in usable form. Even with full database access, an operator sees only ciphertext, item names, URLs and tags. There is no support 'break-glass' that can decrypt a customer vault — by design, that capability does not exist.

Do you offer a Data Processing Agreement (DPA)?

Yes. We can provide a DPA covering GDPR processing terms, our sub-processor list and international transfer mechanisms. Email security@sealedkeys.com and we'll send it over.

Can you complete our security questionnaire?

Yes. Send your questionnaire (SIG, CAIQ, or your own format) to security@sealedkeys.com. We can also share our most recent independent penetration-test report and Cyber Essentials certificate under NDA where required.

Who are your sub-processors?

Hetzner (EU hosting and database), Resend (transactional email), Cloudflare (authoritative DNS only), and — only if you enable breach monitoring — Have I Been Pwned for breach lookups. We notify customers of material changes to this list.

What happens to our data if SealedKeys shuts down?

You can export your full vault as an encrypted file at any time, and a self-contained offline viewer lets you decrypt it with no account and no internet. We commit to publishing the full encryption specification and offline-viewer source publicly before any wind-down, so your data stays decryptable with open tools indefinitely.

Evaluating SealedKeys for your team?

Start free, or get in touch and we'll support your security review.