SecurSSH is an EU-hosted team SSH access platform built on AES-GCM end-to-end encryption, PBKDF2 100k client-side key derivation, GDPR right-to-erasure, and a 24-month audit log on the Team plan. This page documents what we ship today - and, with equal honesty, what we don't.
Vault confidentiality does not depend on the SecurSSH operations team being trustworthy. Every secret is encrypted on the operator's device with a key the server never sees. Compromise of our infrastructure exposes ciphertext, not credentials.
Every credential, host record and snippet inside your vault is encrypted client-side with AES-GCM. The SecurSSH server stores ciphertext only - your master password and derived keys never leave your device, so server operators see nothing but opaque blobs.
Your master password is stretched through PBKDF2 with 100,000 iterations on your device, producing the encryption key that protects the vault. After unlock, biometrics (Touch ID, Face ID, Windows Hello) cache the unwrap locally - never the password itself.
Team vaults use a shared content key that is wrapped individually for each member with their own derived key. Adding or removing a teammate re-wraps access without re-encrypting content. The server remains blind to the unwrapped key at all times.
SecurSSH operates entirely inside the European Economic Area. Vault data, audit records, backups and account metadata stay within EU jurisdiction, processed by an EU-headquartered provider on EU-located infrastructure.
All vault data, audit records and account metadata are stored and processed in the European Union. Your vault content is end-to-end encrypted and stored in the European Union.
The native application is signed and notarised on macOS; Windows code-signing is in progress. Auto-updates verify signatures before installation, so the binary running on operator workstations is provably the one published by SecurSSH.
Hosting runs on an EU-headquartered cloud provider, with infrastructure located in the European Union. Backups remain inside the same jurisdiction and are encrypted at rest.
Your vault content is end-to-end encrypted and stored in the European Union, keeping EU customers under a single, predictable legal regime.
Compliance is treated as engineering, not paperwork bolted on after the fact. Data minimisation, right to erasure and accountable processing are wired into the product's behaviour, with formal documentation following the same path.
Account holders trigger a one-click deletion that removes profile data, vault content and team membership records. GDPR Article 17 is honoured by design, not by ticket.
A Data Processing Agreement is available on request for Team and Enterprise customers, listing retention windows and security measures aligned with Article 28.
A formal Article 30 processing register is being finalised in 2026. The DPA already documents the substance; the register will publish a stable, versioned reference.
For regulated industries we collaborate with the customer Data Protection Officer to map data flows, document legal bases and prepare DPIA inputs.
Every sensitive change inside a team workspace is recorded in an audit log. Team plans retain 24 months of history; Enterprise contracts retain it indefinitely. Records are queryable from the team console without engineering involvement.
Authorisation is layered. Role-based access governs who can see and change what; vault locking governs how a credential leaves rest. Both are enforced at the boundary, not delegated to the operating system.
Admin, member and viewer roles are enforced both client-side and server-side. Viewers can connect without holding write rights on credentials; admins manage membership and audit access.
Touch ID, Face ID and Windows Hello unlock a locally-cached key, not the master password. Biometric data never leaves the secure enclave on the device.
Operators choose the inactivity window after which the vault re-locks. Subsequent access requires biometrics or master password again - no silent persistence.
Separate vaults per project, customer or environment limit blast radius. Membership is granted per vault, so a contractor can reach one engagement without seeing the rest.
Transparency matters more than a longer feature list. The items below are not yet available and must not be assumed shipped today. CTOs and CISOs validating SecurSSH should weigh them against current internal requirements.
Coordinated disclosure is welcome. Email security@securssh.com with technical detail and a reproduction path. We acknowledge receipt within one business day and engage in good faith with researchers operating under our vulnerability disclosure policy.
Vault content is encrypted client-side using AES-GCM with a key derived from your master password through PBKDF2 with 100,000 iterations. The server only ever stores ciphertext and never receives your master password or derived encryption key.
Nobody. Because key derivation happens on your device and the server is blind to plaintext, SecurSSH staff cannot decrypt vault content. For team vaults, the team key is wrapped per member, so only invited members can unwrap it.
Your vault content is end-to-end encrypted and stored in the European Union.
An attacker who reached the database would only obtain ciphertext. Without your master password, AES-GCM vault content remains unreadable. We would notify customers under GDPR Article 33 within 72 hours of confirmed breach.
Walk through the architecture with our security engineers, request a DPA, or explore the full feature set.