Deniability infrastructure,
on your terms.

The Operate pillar of deny.sh, deployed where regulators and your security team want it. Three paths: take a commercial licence to self-host the application layer inside your own product, run a private deny.sh deployment on dedicated infrastructure, or both. One conversation. Custom scope, from $25K/year.

Talk to our team Download security posture
🛡 Open Source · Auditable 📜 Apache 2.0 SDK 99.9% SLA Available 🏢 On-Premise Deployment

Built for regulated infrastructure

deny.sh solves the leak problem that existing encryption ignores. When ciphertext leaks (via cloud breach, insider exfiltration, or operational compromise), deniable encryption ensures the bytes resolve to a convincing decoy. The real secret stays separated and never appears in the breach.

Crypto Custody

Protect client seed phrases with plausible deniability. Multi-sig backup protection for cold storage workflows. If keys are compromised, attackers see decoy wallets with convincing balances. Real assets stay hidden.

Exchange Security

Encrypt operational keys so even insider threats see convincing fake credentials. Supports hot wallet key rotation and compartmentalised access. Mitigate insider threat vectors without changing your key management architecture.

Security Products

Embed deny.sh into your security product. The SDK is 8.4KB with zero runtime dependencies. One function call to integrate. Apache 2.0, no copyleft, no legal review, no commercial licence required for SDK integration.

Compliance

Full audit trail with IP address, timestamp, and action type logged for every API operation. Geographic deployment options and compliance documentation for regulated industries.

How it works for enterprise

Three steps from evaluation to production. No drawn-out procurement cycles.

1

Architecture review

We review your stack and recommend integration points. Identify where deniable encryption fits: key management, backup pipelines, cold storage workflows.

2

Licensed deployment

Dedicated or embedded, with commercial license. Deploy on your infrastructure or ours. Multi-language SDKs for native integration into your existing systems.

3

Ongoing support

Priority engineering support, SLA, security updates. Direct access to the team that built it, not a help desk.

Technical specifications

Open source, independently verifiable, built for integration.

Algorithm

AES-256-CTR encryption, scrypt KDF (N=16384, r=8, p=1), XOR composition layer, 4-byte length prefix inside encrypted zone. Every parameter is auditable.

SDK

TypeScript/Node.js (published on npm as deny-sh), Python, Go, Rust. 8.4KB total, zero runtime dependencies.

API

RESTful with OpenAPI 3.0 spec. Full documentation at /docs.

Verification

22 automated cryptographic tests run in-browser. Chi-squared, Kolmogorov-Smirnov, entropy analysis, serial correlation. Run them yourself →

Source code

Open source on GitHub: the SDK is Apache 2.0 (free for proprietary embedding), the application layer is AGPL-3.0. Self-hosting application-layer code in a proprietary product needs the commercial licence at /licensing. Full source review available under NDA.

Zero knowledge architecture

Browser tools run entirely client-side. API processes in memory only. No plaintext logging, no key storage, no payload persistence.

Compliance & certifications

Honest status. Where we are today, and what's on the roadmap.

Cyber Essentials

Certified 15 May 2026, valid through 15 May 2027. Issued by the IASME Consortium (UK government-appointed accreditation body) and recorded on the BlockMark Registry. Covers boundary firewalls, secure configuration, user access control, malware protection, and security update management. Verify on BlockMark.

GDPR

Fully compliant. Data controller registered in UK. Privacy policy covers all processing. Data deletion on request within 7 days.

Security posture

Architecture designed with SOC 2 principles. Hash-only key storage, full audit logging, encrypted at rest. Independent cryptographic audit on the roadmap; firm and scope will be announced once engaged.

ISO 27001

Security controls mapped to ISO 27001 Annex A. Documentation available for enterprise customers.

PCI DSS

No payment card data processed directly. Stripe handles all billing under their own PCI DSS Level 1 certification.

Export controls

Encryption software. Customers are responsible for compliance with local export laws. UK OGEL covers most commercial use.

Independent audit

Cryptographic implementation review by an independent third-party security firm is on the roadmap. Firm and scope will be announced once engaged. Reach out to hello@deny.sh for current status. Today's verification: 22 automated tests covering statistical indistinguishability, ciphertext invariance, and correctness, runnable in-browser at /verify.

Procurement & legal documents

Draft documents available for procurement and security review. Each is being prepared for execution and is not yet legally binding. Contact hello@deny.sh for executable counterparts.

Data Processing Agreement

UK GDPR Article 28 DPA covering instructions, security, sub-processors, breach notification, deletion, and audit rights. Annex 2 lists current sub-processors with locations and transfer mechanisms. View draft DPA.

Service Level Agreement

99.9% monthly uptime for paid Business and Enterprise. Severity tiers, response and restoration commitments, sliding-scale service credits to 100% MRR, scheduled-maintenance and force-majeure exclusions. View draft SLA.

Master Services Agreement Addendum

Liability terms for executed Enterprise contracts. 1x ACV standard cap, 2x ACV elevated cap for breach of confidentiality, security, IP indemnity, and wilful misconduct. Worked examples and order of precedence included. View draft MSA Addendum.

Custom, from $25,000/year.

Scoped to your deployment, not per-seat. One commercial agreement covers whichever combination you need: self-hosting the application layer in your own product, a private deny.sh deployment on dedicated infrastructure, or both. We scope, you decide.

Self-host the application layer
From $25K
/year
  • Commercial licence for the application-layer source (vault, dead-man's switch, MCP orchestration, hosted-API server) without AGPL-3.0 obligations
  • Embed in your proprietary product
  • Multi-language SDK access (Apache 2.0, free for everyone)
  • Priority support and architecture review
  • White-label and multi-product rights available at higher tiers
Talk to us
Private deployment
Custom
your infra, your SLA
  • Your own deny.sh instance on dedicated infrastructure
  • Custom SLA and uptime guarantees
  • Geographic deployment options (UK, EU, US, on-premise)
  • DPA, SLA, and MSA Addendum executable
  • Full API audit trail and compliance documentation
Talk to us

Looking at per-seat licensing for a wallet or hardware product instead? See partnerships.

Talk to our team

Describe your use case. We'll scope the license, infrastructure, and integration within 24 hours.

Looking for individual or team pricing? See standard plans.

Registered in England and Wales