Security

Security without absolute claims.

Supported secret content is encrypted by the client before upload. Shhhs stores and transfers ciphertext plus the operational metadata required to enforce access and lifecycle rules.

Client-side encryption

Supported secret content is encrypted by the client before upload. The service stores encrypted payloads and limited metadata needed to enforce TTL, view limits, recipient gates, billing, abuse control, and operational status.

  • Ciphertext storage
  • Client-held decryption material
  • Lifecycle metadata only

Links are still sensitive

Non-passphrase share links normally keep the key in the URL fragment, which browsers do not send to the server. A complete link is still sensitive because recipients, screenshots, browser history, extensions, or copy/paste tools may expose it.

  • Fragment key normally stays client-side
  • Complete links remain sensitive
  • Use opening codes or passphrases for stronger separation

Operational metadata

Shhhs may process timestamps, lifecycle state, payload type, size or size bucket, open counters, workspace or account references, abuse-control signals, and billing references. These records must not include plaintext, passphrases, full secret links, ciphertext bodies, or recovery codes.

  • Metadata-only audit
  • Metadata-only event notifications
  • No plaintext in support

Expiration and deletion

Secrets become unavailable by TTL, view count, manual burn, request reveal, room expiry, quota expiry, or scheduled cleanup. Scheduled deletion is designed to be prompt, but it is not an exact millisecond deletion clock.

  • TTL and view limits
  • Manual burn
  • Scheduled cleanup

What Shhhs does not protect against

No service can protect a secret after a recipient copies it or if an endpoint is compromised. Malware, browser extensions, screen capture, clipboard history, weak passphrases, and sending every factor through the same compromised channel remain outside Shhhs control.

  • Compromised devices
  • Recipient redistribution
  • Weak or shared gates

Responsible disclosure

Report security issues through the contact flow or security reporting channel when configured. Use test data only and never include live passwords, tokens, recovery codes, OTPs, passphrases, or full secret links.

  • Use test data
  • No live credentials
  • Coordinated remediation

FAQ

Can Shhhs recover lost secrets?

No. Secrets and lost access cannot be restored without weakening the privacy model.

Can support cancel billing?

Yes. Support can help with billing cancellation after validating Paddle billing details.

Are secrets processed by AI?

No. Secrets are not read, profiled, trained on, indexed, or retained for AI processing.

What does audit contain?

Audit and admin views contain metadata such as event type, timestamp, plan, and safe identifiers. They do not include plaintext, passphrases, full secret links, or full payloads.