SecurSSH is an EU-hosted team SSH access platform built on AES-GCM end-to-end encryption, PBKDF2 100k client-side key derivation, GDPR right-to-erasure, and a 24-month audit log on the Team plan. This page documents what we ship today - and, with equal honesty, what we don't.
Vault confidentiality does not depend on the SecurSSH operations team being trustworthy. Every secret is encrypted on the operator's device with a key the server never sees. Compromise of our infrastructure exposes ciphertext, not credentials.
Every credential, host record and snippet inside your vault is encrypted client-side with AES-GCM. The SecurSSH server stores ciphertext only - your master password and derived keys never leave your device, so server operators see nothing but opaque blobs.
Your master password is stretched through PBKDF2 with 100,000 iterations on your device, producing the encryption key that protects the vault. After unlock, biometrics (Touch ID, Face ID, Windows Hello) unlock a locally cached key - the master password itself is never cached.
Team vaults use a shared content key that is wrapped individually for each member with their own derived key. Adding or removing a teammate re-wraps access without re-encrypting content. The server remains blind to the unwrapped key at all times.
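The key hierarchy described in the three paragraphs above, as an added Node.js sketch that is not SecurSSH's own code. The PBKDF2 hash (SHA-256), the salt and nonce sizes, the AAD labels, the record layout and every function name are assumptions, since the page states only AES-GCM, PBKDF2 and 100,000 iterations.

```javascript
const crypto = require('node:crypto');

// PBKDF2 with 100,000 iterations, as the page states. SHA-256, the 16-byte
// salt and the 256-bit key length are assumptions; the page does not name them.
function deriveKey(password, salt) {
  return crypto.pbkdf2Sync(password, salt, 100000, 32, 'sha256');
}

// AES-GCM with a fresh 12-byte nonce per message; aad ties a blob to its role.
function seal(key, plaintext, aad) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  c.setAAD(Buffer.from(aad));
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}

// Throws if the key is wrong or the blob was modified (GCM tag mismatch).
function unseal(key, box, aad) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, box.iv);
  d.setAAD(Buffer.from(aad));
  d.setAuthTag(box.tag);
  return Buffer.concat([d.update(box.ct), d.final()]);
}

// Hypothetical server-side record: one content blob, one wrapped key per member.
function createVault(secret) {
  const contentKey = crypto.randomBytes(32);
  const vault = { content: seal(contentKey, Buffer.from(secret), 'content'), wraps: {} };
  return { vault, contentKey };
}

// Wrap the shared content key under one member's derived key. Passing the
// password here stands in for the derivation running on that member's device.
function addMember(vault, contentKey, id, password) {
  const salt = crypto.randomBytes(16);
  vault.wraps[id] = { salt, box: seal(deriveKey(password, salt), contentKey, 'wrap:' + id) };
}

function removeMember(vault, id) {
  delete vault.wraps[id]; // the content blob is untouched
}

function unlock(vault, id, password) {
  const w = vault.wraps[id];
  if (!w) throw new Error('no wrapped key for ' + id);
  const contentKey = unseal(deriveKey(password, w.salt), w.box, 'wrap:' + id);
  return unseal(contentKey, vault.content, 'content').toString();
}
```

In this sketch, removing a member only deletes their wrapped copy; a member who already unwrapped the content key still knows it until that key is rotated and the content re-encrypted.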
SecurSSH operates entirely inside the European Economic Area. Vault data, audit records, backups and account metadata stay within EU jurisdiction, processed by an EU-headquartered provider on EU-located infrastructure.
All vault data, audit records and account metadata are stored and processed exclusively on European Union infrastructure. There is no replication to the United States and no sub-processor operating outside the EEA.
Native applications for macOS, Windows and Linux are code-signed and notarised. Auto-updates verify signatures before installation, so the binary running on operator workstations is provably the one published by SecurSSH.
Hosting runs on an EU-headquartered cloud provider with data centres in Frankfurt and Amsterdam. Backups remain inside the same jurisdiction and are encrypted at rest.
Because no personal data crosses to the United States, the legal uncertainty introduced by the Schrems II ruling against US transfers does not apply. EU customers stay under a single, predictable legal regime.
Compliance is treated as engineering, not paperwork bolted on after the fact. Data minimisation, right to erasure and accountable processing are wired into the product's behaviour, with formal documentation following the same path.
Account holders trigger a one-click deletion that removes profile data, vault content and team membership records. GDPR Article 17 is honoured by design, not by ticket.
Team and Enterprise customers receive a signed Data Processing Agreement on request, listing sub-processors, retention windows and security measures aligned with Article 28.
A formal Article 30 processing register is being finalised in 2026. The DPA already documents the substance; the register will publish a stable, versioned reference.
For regulated industries we collaborate with the customer Data Protection Officer to map data flows, document legal bases and prepare DPIA inputs.
Every sensitive change inside a team workspace is recorded in an audit log. Team plans retain 24 months of history; Enterprise contracts retain it indefinitely. Records are queryable from the team console without engineering involvement.
Authorisation is layered. Role-based access governs who can see and change what; vault locking governs how a credential leaves rest. Both are enforced at the boundary, not delegated to the operating system.
Admin, member and viewer roles are enforced both client-side and server-side. Viewers can connect without holding write rights on credentials; admins manage membership and audit access.
Touch ID, Face ID and Windows Hello unlock a locally-cached key, not the master password. Biometric data never leaves the secure enclave on the device.
Operators choose the inactivity window after which the vault re-locks. Subsequent access requires biometrics or master password again - no silent persistence.
Separate vaults per project, customer or environment limit blast radius. Membership is granted per vault, so a contractor can reach one engagement without seeing the rest.
Transparency matters more than a longer feature list. The items below are on the 2026 roadmap and must not be assumed available today. CTOs and CISOs validating SecurSSH should weigh them against current internal requirements.
| Capability | Target |
|---|---|
| Account 2FA TOTP | Q3 2026 |
| SOC 2 Type II audit | H2 2026 |
| SSO SAML | Q4 2026 |
| FIDO2 / hardware keys | TBD 2026 |
| SSH certificates / CA signing | TBD 2026 |
| Async session recording | 2026 |
| IP whitelisting | TBD 2026 |
| Mobile apps (iOS / Android) | TBD 2026+ |
Coordinated disclosure is welcome. Email security@securssh.com with technical detail and a reproduction path. We acknowledge receipt within one business day and engage in good faith with researchers operating under our vulnerability disclosure policy.
Read the vulnerability disclosure policy
Vault content is encrypted client-side using AES-GCM with a key derived from your master password through PBKDF2 with 100,000 iterations. The server only ever stores ciphertext and never receives your master password or derived encryption key.
Nobody. Because key derivation happens on your device and the server is blind to plaintext, SecurSSH staff cannot decrypt vault content. For team vaults, the team key is wrapped per member, so only invited members can unwrap it.
All data is processed and stored exclusively in the European Union, on EU-based infrastructure. There is no US transfer of personal data, which removes the Schrems II exposure that affects most US-headquartered SSH tools.
An attacker who reached the database would only obtain ciphertext. Without your master password, AES-GCM vault content remains unreadable. We would notify customers under GDPR Article 33 within 72 hours of a confirmed breach.
Walk through the architecture with our security engineers, request a signed DPA, or read the full product roadmap covering shipped features, partial deliveries and future work.