Security

As a provider of secure encryption as a service, we take the security of your data very seriously.

This page explains procedures for reporting security issues to ShareSecret. Additionally, it provides details on our security practices.

Reporting Vulnerabilities

In the event that you discover a security vulnerability in ShareSecret, we request that you send an email to security@sharesecret.co.

Security Practices

  1. All network traffic to the sharesecret.co website is sent over SSL.
  2. User secret data is saved encrypted in our database using industry-standard 256-bit AES encryption, with a unique, randomly generated encryption key for each secret.
  3. The encryption key is not stored anywhere in our system or on our servers, including logs. The only people with access to the key are the person who created the secret and anyone with whom the creator shared the secret. If the encryption key is lost, the secret is lost.
  4. ShareSecret has no way to access or recover an encrypted secret, because we don’t store the encryption keys.
  5. Secret data is always encrypted at-rest in our database.
  6. By default, Secrets expire and are wiped from our system after 24 hours, or after they’re accessed by the recipient — whichever happens first.
  7. The 24-hour / 1-access rule is just the default. Secrets can be configured with an expiration of up to 7 days and an arbitrary number of accesses before they’re evicted from ShareSecret permanently.
  8. All backend services that power the ShareSecret service are accessed only via SSL connections.

Questions, Comments, etc.

For any other non-security-related questions or comments, please contact us at hello@sharesecret.co, or via the support page.