Zero-knowledge · Multi-tenant · For MSPs

Sealed end-to-end.
Owned by your organisation.

Zero-knowledge password management built for MSPs and the clients they manage. Your master password never leaves your device — the server is blind by design.

.app domain — HTTPS is enforced by the browser, not just promised.

Argon2id · XChaCha20-Poly1305 · X25519 sealed box · Ed25519 · SRP-6a · Zero-knowledge
The MSP problem

One business managing fifty businesses' secrets.

Managed Service Providers hold the keys to every client they support — router logins, domain registrars, VPN credentials, admin accounts. Consumer password managers force you into fifty separate organisations, fifty separate bills, and fifty separate logins. That isn't a vault. That's a liability.

Credentials sprawl across clients

Spreadsheets, shared notes, "the one the senior tech remembers." Every client added multiplies the surface area you can't see.

Sharing is a security incident waiting

Pasting a client admin password into chat is how breaches start. You need to seal a secret to one person, not broadcast it.

Offboarding leaves the door open

A tech leaves; which of forty client vaults did they have? Without per-tenant membership and an audit trail, you're guessing.

Billing the client base is manual

Rolling up seats across dozens of managed tenants into one defensible invoice shouldn't take a finance spreadsheet of its own.

The differentiator

A tenancy model that matches how MSPs actually work.

Three real levels of nesting in a single tenant model — plus a private vault for every user. Proton Pass, Bitwarden, 1Password and LastPass top out at one or two. This is the difference between bolting an MSP onto a consumer tool and building for the MSP from the schema up.

Platform: SealedVault. Operates the service; architecturally cannot decrypt your vaults.
  Subscriber: the MSP (e.g. Velocity Technology). One account. One invoice. Many managed clients.
    Sub-tenant: Client A
    Sub-tenant: Client B
    Sub-tenant: Client C…
      User: Technician (+ personal vault)
      User: Client staff (+ personal vault)
      User: Admin (+ personal vault)

Every user also gets one personal vault, scoped to their parent tenant. Users are global and canonical by email — never duplicated, never leaked across tenants.

Security architecture

Your master password never leaves your device.

Authentication uses SRP-6a (RFC 5054): the server verifies that you know your password without ever seeing it — not even over TLS. There is no password to steal in a server breach, because we never receive one.
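
The exchange described above, as an added example that is not SealedVault's code: both sides of one SRP-6a login in plain Python, standard library only. It uses the 1024-bit group from RFC 5054 Appendix A (verify the digits against the RFC before reusing them), SHA-256 as the hash, and a 16-byte salt; the message layout, function names and the `identity:password` input to `x` are this example's own choices, not SealedVault's wire format.

```python
import hashlib
import hmac
import secrets

# N is intended to be the 1024-bit safe prime from RFC 5054 Appendix A,
# with its generator g = 2. Check the digits against the RFC before any
# real use. SHA-256 as the hash is this example's assumption.
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3",
    16,
)
G = 2
N_LEN = (N.bit_length() + 7) // 8


def _h_int(*parts: bytes) -> int:
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")


def _pad(n: int) -> bytes:
    return n.to_bytes(N_LEN, "big")


K_MULT = _h_int(_pad(N), _pad(G))  # SRP-6a multiplier k = H(N | PAD(g))


def _x(identity: str, password: str, salt: bytes) -> int:
    # x = H(salt | H(identity ":" password)); computed on the client only.
    return _h_int(salt, hashlib.sha256(f"{identity}:{password}".encode()).digest())


def register(identity: str, password: str) -> tuple:
    """Client-side enrolment: the server stores (salt, v) and never sees the password."""
    salt = secrets.token_bytes(16)
    return salt, pow(G, _x(identity, password, salt), N)  # v = g^x


def client_start() -> tuple:
    a = int.from_bytes(secrets.token_bytes(32), "big")  # client ephemeral secret
    return a, pow(G, a, N)                                # A = g^a


def server_respond(v: int, A: int) -> tuple:
    if A % N == 0:
        raise ValueError("client public value A is illegal")  # SRP-6a safety check
    b = int.from_bytes(secrets.token_bytes(32), "big")       # server ephemeral secret
    return b, (K_MULT * v + pow(G, b, N)) % N                # B = k*v + g^b


def client_finish(identity: str, password: str, salt: bytes, a: int, A: int, B: int) -> tuple:
    if B % N == 0:
        raise ValueError("server public value B is illegal")
    u = _h_int(_pad(A), _pad(B))                             # scrambling parameter
    if u == 0:
        raise ValueError("scrambling parameter u is zero")
    x = _x(identity, password, salt)
    S = pow((B - K_MULT * pow(G, x, N)) % N, a + u * x, N)   # S = (B - k*g^x)^(a + u*x)
    K = hashlib.sha256(_pad(S)).digest()                     # session key
    M1 = hashlib.sha256(_pad(A) + _pad(B) + K).digest()      # client proof of K
    return K, M1


def server_finish(v: int, b: int, A: int, B: int, M1: bytes):
    u = _h_int(_pad(A), _pad(B))
    S = pow((A * pow(v, u, N)) % N, b, N)                    # S = (A * v^u)^b
    K = hashlib.sha256(_pad(S)).digest()
    if not hmac.compare_digest(hashlib.sha256(_pad(A) + _pad(B) + K).digest(), M1):
        return None                                          # wrong password: no key, no M2
    return K, hashlib.sha256(_pad(A) + M1 + K).digest()     # server proof M2


def login(identity: str, password: str, salt: bytes, v: int) -> bool:
    """Drive one complete exchange; True only if both sides agree on K."""
    a, A = client_start()
    b, B = server_respond(v, A)
    K_client, M1 = client_finish(identity, password, salt, a, A, B)
    reply = server_finish(v, b, A, B, M1)
    if reply is None:
        return False
    K_server, M2 = reply
    if not hmac.compare_digest(M2, hashlib.sha256(_pad(A) + M1 + K_client).digest()):
        return False                                         # server failed its proof
    return hmac.compare_digest(K_client, K_server)


if __name__ == "__main__":
    salt, v = register("alice@example.invalid", "correct horse battery staple")
    print("correct password:", login("alice@example.invalid", "correct horse battery staple", salt, v))
    print("wrong password:  ", login("alice@example.invalid", "not the password", salt, v))
```

The only record the server keeps is the pair `(salt, v)`, and nothing that crosses the wire (`A`, `B`, `M1`, `M2`) reveals the password. What a breach of that record does yield is an offline guessing target, since `v = g^x` can be tested against candidate passwords; the page's key hierarchy lists an auth key derived from the Argon2id master key, and using a key like that as the SRP secret instead of the raw password is what keeps each guess expensive.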

The key hierarchy

  1. Master password → Argon2id (≥1 GiB memory, 16-byte salt)
  2. Master key (RAM only: never stored, never sent) → HKDF-SHA256, domain-separated
  3. Vault key + auth key → wraps per-item keys
  4. Per-item keys → XChaCha20-Poly1305 AEAD
  5. Your secret, sealed
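
Steps 1 to 3 of the hierarchy, as an added example written for this page rather than taken from SealedVault: a memory-hard KDF turns the password into a master key that exists only as a local variable, and HKDF-SHA256 (RFC 5869, implemented here with the standard library) expands it into a vault key and an auth key under distinct labels, so neither can be turned back into the other or into the master key. Argon2id is not in the Python standard library, so scrypt stands in at a deliberately small cost; the label strings, salt length and 32-byte key sizes are assumptions. The self-test against an RFC 5869 test vector is the kind of per-primitive check the page's "Conservative, audited primitives" section describes.

```python
import hashlib
import hmac
import secrets
from typing import Dict

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size

# Domain-separation labels: assumptions for this example, not SealedVault's values.
VAULT_INFO = b"example.sealedvault/v1/vault-key"
AUTH_INFO = b"example.sealedvault/v1/auth-key"


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    # RFC 5869 step 1: PRK = HMAC(salt, IKM); an empty salt means HashLen zero bytes.
    return hmac.new(salt or bytes(HASH_LEN), ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    # RFC 5869 step 2: T(i) = HMAC(PRK, T(i-1) | info | i), concatenated and truncated.
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def hkdf_self_test() -> bool:
    """Gate the implementation on RFC 5869 Appendix A test case 1 (SHA-256)."""
    prk = hkdf_extract(bytes(range(13)), b"\x0b" * 22)
    okm = hkdf_expand(prk, bytes(range(0xF0, 0xFA)), 42)
    return okm.hex() == (
        "3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56"
        "ecc4c5bf34007208d5b887185865"
    )


def new_salt() -> bytes:
    return secrets.token_bytes(16)  # 16-byte salt, as the page's step 1 states


def derive_master_key(password: str, salt: bytes) -> bytes:
    # Step 1, memory-hard KDF. The page specifies Argon2id with >= 1 GiB of memory;
    # the standard library has no Argon2, so scrypt stands in here at 16 MiB
    # (128 * r * n bytes) purely so the example runs quickly. Not a production setting.
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, n=2 ** 14, r=8, p=1, dklen=32)


def derive_subkeys(password: str, salt: bytes) -> Dict[str, bytes]:
    """Steps 1-3: the master key never leaves this function; callers get only the subkeys."""
    master_key = derive_master_key(password, salt)
    prk = hkdf_extract(b"", master_key)
    return {
        "vault_key": hkdf_expand(prk, VAULT_INFO, 32),  # step 3: wraps per-item keys
        "auth_key": hkdf_expand(prk, AUTH_INFO, 32),    # step 3: the only key the login protocol sees
    }


if __name__ == "__main__":
    assert hkdf_self_test(), "HKDF does not match RFC 5869 test case 1"
    salt = new_salt()
    keys = derive_subkeys("correct horse battery staple", salt)
    for name, key in keys.items():
        print(f"{name}: {key.hex()}")
```

Because the two labels differ, an auth key that has to be presented to a server (or its SRP verifier) tells an attacker nothing about the vault key, and both are recomputable on any device from the password and the stored salt alone.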

Why we're called Sealed

Sharing uses libsodium's crypto_box_seal — an X25519 sealed box. We literally seal a secret to the recipient's public key. Only their private key, which never leaves their device, can open it. The server moves an opaque envelope it can't read.

Server-blind by construction

The platform stores ciphertext, public keys and SRP verifiers. It holds no master keys, no plaintext, no recovery backdoor. A launch-blocking test proves even the platform operator cannot chain endpoints to decrypt a vault item.

Hardware-backed on mobile

Keys are bound to the iOS Secure Enclave and the Android StrongBox keystore, gated by biometrics. A stolen, locked device is a brick — not a breach.

Conservative, audited primitives

libsodium only — no OpenPGP packet parser, no legacy ciphers. Argon2id beats bcrypt against GPUs. Ed25519 signatures over JCS-canonicalised payloads. ≥100 cross-language test vectors per primitive, CI-gated.

Features

Enterprise IAM, not a consumer vault with extra seats.

Vaults & collections

Group credentials into collections with read / write / manage roles and an inherit-to-children flag. Admin-only hard caps enforce policy that consumer tools can't model.

Cross-tenant sharing

Seal a credential from the MSP straight into a client's vault — an explicit, audited grant. Never a default share. The first-class workflow rivals can't express.

Tamper-evident audit log

Every action recorded in an HMAC-chained audit trail with multi-year retention and hourly export to write-once storage. Know exactly who touched what, when.
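
An added example of the tamper-evident property, written for this page rather than taken from SealedVault: each entry's HMAC covers its sequence number, the previous entry's tag and the event itself, so editing or deleting an entry breaks every tag after it. It also shows the one thing a chain alone cannot catch, quietly dropping the newest entries, and how pinning the latest tag somewhere write-once (the role the hourly export plays) closes that gap. The key, event fields and JSON layout are constructed for this example.

```python
import copy
import hashlib
import hmac
import json
from typing import List, Optional, Tuple

GENESIS = "0" * 64  # stands in for "previous tag" on the very first entry

# Constructed for this example; a real deployment keeps the MAC key in an HSM or KMS.
AUDIT_KEY = b"example-audit-mac-key-not-a-real-secret"

# Constructed sample events (actors, tenants and item names are made up).
SAMPLE_EVENTS = [
    {"actor": "tech@msp.example", "action": "item.read", "tenant": "client-a", "item": "router-admin"},
    {"actor": "tech@msp.example", "action": "share.seal", "tenant": "client-b", "item": "vpn-psk"},
    {"actor": "admin@msp.example", "action": "member.remove", "tenant": "client-a", "subject": "tech@msp.example"},
]


def _canonical(body: dict) -> bytes:
    # Deterministic bytes for the MAC. For flat string/int values this matches
    # JCS (RFC 8785); it is not a full JCS implementation.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")


def _tag(key: bytes, body: dict) -> str:
    return hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()


def append_entry(key: bytes, log: List[dict], event: dict) -> dict:
    """Append one event; its tag commits to the sequence number, the previous tag and the event."""
    body = {"seq": len(log), "prev": log[-1]["tag"] if log else GENESIS, "event": event}
    entry = dict(body, tag=_tag(key, body))
    log.append(entry)
    return entry


def verify_chain(key: bytes, log: List[dict],
                 expected_head: Optional[str] = None) -> Tuple[bool, Optional[int]]:
    """Return (True, None) if intact, else (False, index of the first entry that fails).

    expected_head is the most recent tag pinned in write-once storage. Without it,
    an attacker who can rewrite the log file can drop entries from the end undetected.
    """
    prev = GENESIS
    for i, e in enumerate(log):
        body = {"seq": e["seq"], "prev": e["prev"], "event": e["event"]}
        if e["seq"] != i or e["prev"] != prev or not hmac.compare_digest(_tag(key, body), e["tag"]):
            return False, i
        prev = e["tag"]
    if expected_head is not None and not hmac.compare_digest(prev, expected_head):
        return False, len(log)  # internally consistent, but ends before the pinned head
    return True, None


def build_sample_log() -> List[dict]:
    log: List[dict] = []
    for event in SAMPLE_EVENTS:
        append_entry(AUDIT_KEY, log, event)
    return log


def demo() -> dict:
    """Run the checks an auditor would: intact, edited, deleted, truncated."""
    log = build_sample_log()
    head = log[-1]["tag"]  # the value the hourly export would pin in write-once storage
    edited = copy.deepcopy(log)
    edited[1]["event"]["actor"] = "nobody@msp.example"   # rewrite who did it
    deleted = copy.deepcopy(log)
    del deleted[1]                                        # remove a middle entry
    truncated = copy.deepcopy(log)[:-1]                   # drop the newest entry
    return {
        "intact": verify_chain(AUDIT_KEY, log, head),
        "edited": verify_chain(AUDIT_KEY, edited, head),
        "deleted": verify_chain(AUDIT_KEY, deleted, head),
        "truncated_unanchored": verify_chain(AUDIT_KEY, truncated),
        "truncated_anchored": verify_chain(AUDIT_KEY, truncated, head),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:>22}: {result}")
```

Note that the chain only proves the log was not altered after the fact by anyone without the MAC key; the writer itself is trusted, which is why the page pairs the chain with an export to storage the writer cannot later rewrite.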

Itemised MSP billing

One Stripe invoice to the MSP, a line per managed tenant. Card data never touches our servers — Stripe Elements, PCI SAQ-A scope.

MFA & SSO

TOTP enforced for every user; SAML and OIDC SSO (Entra, Google Workspace, generic) at launch. WebAuthn / FIDO2 hardware keys on the v1.1 track.

Real-time sync

Changes propagate instantly across devices over an encrypted WebSocket channel, with APNs and FCM push for mobile.

Apps everywhere

Web SPA, MV3 browser extension, native iOS and native Android — sharing one conservative libsodium crypto core across every platform.

How we compare

Fair, conservative, and honest about where we are.

Competitor rows reflect their published documentation; where a vendor doesn't state something, we don't guess. Our cryptographic stack is at least as strong as Proton Pass's — our real edge is the MSP model.

Capability | SealedVault | Proton Pass | Bitwarden | 1Password | LastPass
Multi-tenant MSP hierarchy (3-level)
Cross-tenant credential sharing
KDF resistant to GPU cracking (Argon2id) | Argon2id | ~ bcrypt | ~ PBKDF2 / Argon2id | ~ PBKDF2 + Secret Key | ~ PBKDF2
Sharing via X25519 sealed box | X25519 sealed box | ~ OpenPGP / Curve25519 | ~ RSA-wrapped | ~ | ~
Itemised per-tenant MSP billing
Zero-knowledge / end-to-end encryption
Open-source clients | ~ v1 closed; review committed

yes  ·  ~ partial / differs  ·  not offered. SealedVault v1 ships closed-source with an independent cryptographer review and code audit committed — not yet completed. We won't claim "audited" before it's true.

Pricing

Priced for MSP volume. Free to start.

Undercuts Bitwarden, 1Password and LastPass at the corporate tier. No card to try.

Free

$0 forever

1 user. Built so a solo tech can run a real, sealed vault at zero cost — permanently.

  • Full zero-knowledge crypto
  • All item types & collections
  • Web, extension & mobile apps

For MSPs

Managed

$3/user/mo · first tenant

then $2 / user / mo for each additional managed tenant

  • Multi-tenant hierarchy & cross-tenant sharing
  • One itemised invoice across all clients
  • Audit log, SSO, MFA, real-time sync
  • Recovery-admin role with abuse protections

Trial

90 days free

Up to 10 users, every feature, no card required. Run a real pilot before you commit a dollar.

  • Up to 10 users
  • All paid features unlocked
  • Migrate to Managed anytime

Compliance posture, stated honestly

GDPR: at launch
CCPA: at launch
SOC 2 Type 1: within 12 months
HIPAA: BAA on request
PCI: SAQ-A (Stripe)
FAQ

Questions, answered straight.

What does "zero-knowledge" actually mean here?

It means we cannot read your secrets — not by policy, by mathematics. Your vault is encrypted on your device with keys derived from a master password we never receive. Authentication uses SRP-6a, so the server verifies you without ever seeing the password. We store ciphertext and public keys; the plaintext only exists in your device's memory after you unlock.

What happens if I forget my master password?

Because we never hold your master password or your keys, we can't reset it for you — that's the cost of true zero-knowledge, and it's deliberate. For organisations, an opt-in recovery-admin role can re-seal a user's vault via consented sealed-box re-wrap, protected by a 24-hour canary delay, rate limits, a recorded consent row, and no self-recovery. A user-held recovery phrase is on the roadmap. We will never add a silent backdoor.

How does MSP billing work?

You hold one Subscriber account and manage as many client sub-tenants as you need. Billing rolls up into a single Stripe invoice with one line per managed tenant: $3 / user / month for your first tenant, $2 / user / month for each additional managed tenant. Card data is handled by Stripe Elements and never touches our servers, keeping you in PCI SAQ-A scope.

Is SealedVault audited?

Not yet — and we won't pretend otherwise. v1 ships closed-source with an independent cryptographer review and external code audit committed and budgeted, not completed. Our primitives are deliberately conservative (libsodium: Argon2id, XChaCha20-Poly1305, X25519, Ed25519, SRP-6a) with ≥100 cross-language test vectors per primitive gated in CI. When the audit is done, we'll publish it; until then we say "review committed," not "audited."

Which platforms are supported?

A web SPA, an MV3 browser extension, native iOS (Secure Enclave), and native Android (StrongBox keystore), with real-time sync across all of them. Every client shares one audited libsodium crypto core, so the security guarantees are identical wherever you unlock.

Why the .app domain?

.app is on the HSTS preload list, so browsers refuse to load it over plain HTTP — HTTPS is enforced by the browser itself, not merely promised by us. For a password manager, that's a meaningful baseline security signal before you even sign in.

Seal your organisation's secrets.

Start free with one user, forever — or run a 90-day, 10-user pilot with no card. When you're ready to manage clients, we'll be ready too.