Scene 0 · 3:14 AM

The breach
that didn't happen.

A leaked private key. A bastion misconfigured by a contractor who left in 2024. An hour from waking up the CTO. None of it gets through because the vault, the audit log and the RBAC were doing their job while you slept.

intrusion blocked · 03:14:07

Security

Your keys.
Your keychain.
Our paranoia.

SSH Connects never sees your private keys. They live in the OS keychain on desktop, AES-256 sealed at rest, and never travel over our pipes.

SOC 2 Type II · GDPR · HIPAA ready · ISO 27001 · SAML 2.0 · OIDC · SCIM 2.0

Four pillars.

Every SSH Connects deployment, every customer. One plan, all four pillars.

🔐

Encryption everywhere

AES-256-GCM at rest. TLS 1.3 in transit. Per-vault tenant keys, rotated quarterly.

🪪

Identity by SSO

SAML 2.0, OIDC, SCIM 2.0. Bring your own IdP. Map IdP groups → host groups.

🗂️

Audit by default

Every connection, every command, exportable to CSV/SIEM. Tamper-evident.

🛡️

Zero-trust posture

Just-in-time access, per-host RBAC, ephemeral certs (beta), no shared accounts.

Where your keys live

On your machine.
Never on ours.

On desktop, private keys are sealed by your OS keychain (macOS Keychain · Windows Credential Manager · libsecret on Linux). On the cloud portal, only encrypted blobs are stored — and the decryption keys never leave your devices.

  • Private key material never leaves your machine

    encrypt in place, decrypt in memory only

  • Cloud sync stores ciphertext only

    envelope-encrypted with per-device E2E keys

  • You can self-host

    single binary, Postgres backed, your VPC, your keys


Compliance, in plain English.

Talk to your security team. We already speak their language.

ATTESTED

  • SOC 2 Type II

    Annual audit. Reports on request.

  • GDPR

    DPA on file. EU data residency.

  • HIPAA ready

    BAA included · just ask.

  • ISO 27001

    In progress · target H2 2026.

  • PCI-DSS

    Sub-processor framework.

  • CCPA

    Right-to-delete in 30 days.

  • Pentest

    Quarterly · 3rd-party.

  • Bug bounty

    Public program live.

data flow · simplified

[Your laptop] → derive key from OS keychain
    encrypt private blob (AES-256-GCM)
[SSH Connects.app] → upload ciphertext only
    TLS 1.3 · pinned cert
[Cloud · your tenant] → store envelope
    KMS-wrapped at rest
[Teammate's laptop] → pull, decrypt locally

SSH Connects.app cannot decrypt your vault. Ever.

Architecture

End-to-end. Literally.

Even if our database leaks, your keys remain useless. Decryption keys are derived per-device and never transmitted. Sub-processors are audited annually and listed publicly.
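The data flow above, sketched in Node.js as an added example; this is not SSH Connects' own code. The page does not say how per-device keys are established, so the X25519 device key pairs, the HKDF-SHA256 key wrapping and every function name below are assumptions, with in-memory keys standing in for keychain-held ones.

```javascript
// Added example (not SSH Connects code). X25519 + HKDF key wrapping is an assumption.
const crypto = require('node:crypto');

// AES-256-GCM seal; output layout is nonce(12) || tag(16) || ciphertext.
function seal(key, plaintext, aad) {
  const nonce = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, nonce);
  c.setAAD(aad);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([nonce, c.getAuthTag(), ct]);
}

// Inverse of seal; final() throws if key, AAD or ciphertext do not match.
function unseal(key, box, aad) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, box.subarray(0, 12));
  d.setAAD(aad);
  d.setAuthTag(box.subarray(12, 28));
  return Buffer.concat([d.update(box.subarray(28)), d.final()]);
}

// Key-encryption key from an X25519 exchange, bound to the vault via HKDF info.
function deriveKek(privateKey, publicKey, vaultId) {
  const shared = crypto.diffieHellman({ privateKey, publicKey });
  return Buffer.from(crypto.hkdfSync('sha256', shared, Buffer.alloc(0), vaultId, 32));
}

// Sender: encrypt under a fresh data key (DEK), wrap the DEK once per device.
function sealForDevices(blob, devicePublicKeys, vaultId) {
  const dek = crypto.randomBytes(32);
  const eph = crypto.generateKeyPairSync('x25519');
  const wrapped = {};
  for (const [id, pub] of Object.entries(devicePublicKeys)) {
    wrapped[id] = seal(deriveKek(eph.privateKey, pub, vaultId), dek, Buffer.from(id));
  }
  const ephPub = eph.publicKey.export({ type: 'spki', format: 'der' });
  return { vaultId, ephPub, wrapped, body: seal(dek, blob, Buffer.from(vaultId)) };
}

// Receiving device: unwrap the DEK with the local private key, then decrypt.
function openOnDevice(env, deviceId, devicePrivateKey) {
  const ephPub = crypto.createPublicKey({ key: env.ephPub, format: 'der', type: 'spki' });
  const kek = deriveKek(devicePrivateKey, ephPub, env.vaultId);
  const dek = unseal(kek, env.wrapped[deviceId], Buffer.from(deviceId));
  return unseal(dek, env.body, Buffer.from(env.vaultId));
}

// Constructed demo: one device key pair and a placeholder key blob.
const demoDev = crypto.generateKeyPairSync('x25519');
const demoEnv = sealForDevices(Buffer.from('constructed-key-blob'), { laptop: demoDev.publicKey }, 'tenant-demo');
console.log(openOnDevice(demoEnv, 'laptop', demoDev.privateKey).toString());
```

The envelope returned by `sealForDevices` is everything a server in this sketch would hold: without a device private key the wrapped DEK cannot be recovered, and any change to the stored bytes fails the GCM tag check.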

Scene · the audit stamp

Your security team's favorite vendor.

Send your CISO the report. Send your auditor the BAA. Send legal the DPA. We've already filed the answers to every questionnaire you'll ever fill out.

Free for individuals · Fair for teams

Stop fighting
your terminal.

Download SSH Connects and feel the difference in five minutes. No credit card. No commitment.

Windows, macOS, Linux · Web app included · Open standards · SOC 2 Type II