Enpass Hub is a server component hosted on Enpass infrastructure that enables enterprise collaboration and administrative features for Enpass Business. It acts as a secure PKI directory and metadata repository, enabling the following features without ever storing your actual vault data or having any ability to decrypt it.
- Vault Sharing — Allows teams to share vaults seamlessly without manually exchanging vault keys. The vault key is encrypted with the recipient's public key and stored on Enpass Hub, ensuring only the intended recipient can decrypt and access the shared vault.
- Access Recovery — Enables users to reset their master password in a privacy-preserving and cryptographically secure manner. Vault keys are encrypted with an organization-wide recovery public key and stored on Enpass Hub; a recovery admin must authorize any recovery request before a reset link is issued.
- Security Audit — Provides admins with aggregated, privacy-preserving password health reports across the organization via the Admin Console, covering weak, duplicate, compromised, and 2FA-eligible accounts, without exposing any vault contents.
- Event Logs — Gives admins a detailed audit trail of user activity across key areas including accounts, vaults, password recovery, and sharing events.
Where does Enpass Hub fit in the overall architecture? Enpass Hub is one component of Enpass's distributed architecture, which is designed to ensure data sovereignty without requiring organizations to self-host complex infrastructure. For a complete picture of how vaults, business cloud storage, and Enpass infrastructure work together, see the Data Sovereignty and Distributed Architecture page.
What Data Is Stored on Enpass Hub
Enpass Hub stores three categories of data: vault and user metadata (such as vault names and user device information), encrypted cryptographic material (such as encrypted vault keys and public keys used for sharing and recovery), and aggregated security audit statistics.
> Enpass Hub never stores vault contents, plaintext credentials, or cloud storage access tokens (such as Microsoft 365 or Google Workspace tokens). Every vault key held on Enpass Hub is encrypted on the client before it is transmitted, meaning Enpass Hub holds only ciphertext it cannot read or use.
User & Device Information
- Name and email address
- Device name, identifier, operating system type and version, language, country, and IP address
Vault Metadata
- Vault name
- Path to vault on business cloud storage (OneDrive, SharePoint, or Google Drive)
Access Recovery Data
- Recovery public keys
- Recovery private keys (encrypted)
- Vault keys (encrypted)
Vault Sharing Data
- Shared vault key (encrypted)
- Share-group public key
- Share-group private keys (encrypted)
- Vault summary data (for display in sharing flows)
Event Log Data
Each event log entry stored on Enpass Hub captures the following fields:
- Timestamp of the event
- Actor (the user or system that performed the action)
- Component (Enpass App, Enpass Hub, or Enpass Admin Console)
- IP address from which the action was performed
- Activity description
Security Audit Statistics
Aggregate, anonymized health metrics only — no vault contents are ever read or accessible:
- Master password strength indicators
- Count of total, weak, duplicate, and compromised passwords per vault
- Count of accounts exposed in known breaches
- Count of accounts eligible for 2FA
- Number of attachments per vault
Security: Zero Knowledge & Data Sovereignty Preserved
Although Enpass Hub is hosted on Enpass servers, it is designed so that Enpass — as a company — has zero knowledge of your vault contents and zero ability to decrypt your data. This is achieved through several architectural guarantees:
Vault data never touches Enpass infrastructure. Encrypted vault files remain exclusively in your organization's chosen cloud storage — OneDrive, SharePoint, or Google Drive. Even a complete compromise of Enpass Hub would not expose vault contents, because they are simply not present. What such a compromise could expose is the metadata listed above (user names and email addresses, device details and IP addresses, vault names and their storage paths) together with encrypted key material that is useless without the corresponding private keys.
All encryption and decryption happen on the client. No cryptographic operations are performed on Enpass Hub. Enpass Hub is a repository for encrypted blobs; it never sees plaintext keys or vault data.
Vault keys are encrypted before they reach Enpass Hub. Keys stored on Enpass Hub for sharing or recovery are protected with RSA-3072 asymmetric encryption (with OAEP padding). They can only be decrypted with the intended recipient's private key, which is held in the user's own vault; the share-group and recovery private keys listed above reach Enpass Hub only in encrypted form.
Data sovereignty is preserved. The separation of vault data (your environment) from vault keys and metadata (Enpass Hub) means your organization retains sovereign control of credentials. Possession of Enpass Hub data alone is cryptographically insufficient to access any vault.
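The following Go program is an added illustration of the wrapping pattern that the Vault Sharing and Access Recovery features above both rely on; it is not Enpass's code and is not taken from the whitepaper. It models the hub as an in-memory record, draws a random vault key on the client, wraps it with RSA-3072 OAEP under the recipient's public key (sharing) and under an organization recovery public key (recovery), and then checks that each blob opens only with the matching private key. The 32-byte vault key, SHA-256 as the OAEP hash, and the use of the vault name as the OAEP label are this example's assumptions, not documented Enpass behaviour.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Added illustration, not Enpass's code. Key length, OAEP hash and the
// vault-name label are assumptions made for this example only.
const (
	rsaBits     = 3072 // the modulus size the page states
	vaultKeyLen = 32   // assumption: a 256-bit symmetric vault key
)

// HubRecord is what the simulated hub stores for one sharing or recovery entry.
type HubRecord struct {
	VaultName  string // metadata the page says the hub keeps in the clear
	WrappedKey []byte // RSA-OAEP ciphertext; unreadable without the private key
}

// NewVaultKey draws a fresh random vault key on the client.
func NewVaultKey() ([]byte, error) {
	k := make([]byte, vaultKeyLen)
	_, err := rand.Read(k)
	return k, err
}

// GenerateKeyPair makes an RSA-3072 pair. The private half models a key that
// stays with the user (or recovery admin) and is never uploaded in the clear.
func GenerateKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, rsaBits)
}

// WrapVaultKey runs on the sharer's client. The vault name is used as the OAEP
// label (assumption) so a blob re-filed under another vault name will not unwrap.
func WrapVaultKey(vaultName string, vaultKey []byte, reader *rsa.PublicKey) (HubRecord, error) {
	if len(vaultKey) != vaultKeyLen {
		return HubRecord{}, errors.New("unexpected vault key length")
	}
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, reader, vaultKey, []byte(vaultName))
	if err != nil {
		return HubRecord{}, err
	}
	return HubRecord{VaultName: vaultName, WrappedKey: ct}, nil
}

// UnwrapVaultKey runs on the reader's client with the matching private key.
func UnwrapVaultKey(rec HubRecord, priv *rsa.PrivateKey) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, rec.WrappedKey, []byte(rec.VaultName))
}

// Demo wraps one vault key for a share recipient and for recovery, then reports
// which checks held: the recipient opens the share blob, the recovery key opens
// the escrow blob, the recovery key cannot open the share blob, and a blob
// re-labelled with another vault name fails to unwrap.
func Demo() (recipientOK, recoveryOK, crossKeyFails, relabelFails bool, err error) {
	vaultKey, err := NewVaultKey()
	if err != nil {
		return
	}
	recipient, err := GenerateKeyPair() // the user the vault is shared with
	if err != nil {
		return
	}
	recovery, err := GenerateKeyPair() // organization-wide recovery key
	if err != nil {
		return
	}
	share, err := WrapVaultKey("Finance", vaultKey, &recipient.PublicKey)
	if err != nil {
		return
	}
	escrow, err := WrapVaultKey("Finance", vaultKey, &recovery.PublicKey)
	if err != nil {
		return
	}
	// Two distinct blobs reach the hub; neither contains the key itself.
	if bytes.Equal(share.WrappedKey, escrow.WrappedKey) || bytes.Contains(share.WrappedKey, vaultKey) {
		err = errors.New("ciphertext leaked or was not randomised")
		return
	}
	got, e := UnwrapVaultKey(share, recipient)
	recipientOK = e == nil && bytes.Equal(got, vaultKey)
	got, e = UnwrapVaultKey(escrow, recovery)
	recoveryOK = e == nil && bytes.Equal(got, vaultKey)
	_, e = UnwrapVaultKey(share, recovery) // wrong private key
	crossKeyFails = e != nil
	relabelled := HubRecord{VaultName: "Engineering", WrappedKey: share.WrappedKey}
	_, e = UnwrapVaultKey(relabelled, recipient) // hub-side tampering with metadata
	relabelFails = e != nil
	return
}

func main() {
	r, v, x, l, err := Demo()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("recipient: %v recovery: %v wrong key fails: %v relabel fails: %v\n", r, v, x, l)
}
```

The point of the last two checks is what the hub operator cannot do: holding every record on the hub, it still cannot open a share blob with the recovery key or move a blob between vault records without the unwrap failing. Everything the hub holds for a vault is a function of the client-side public keys, which is why the section above calls possession of hub data alone insufficient.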
For full technical detail on Enpass Hub authentication flows, key generation, key storage, and cryptographic primitives, see the Enpass Security Whitepaper.
Compliance
Enpass operates Enpass Hub within a governance framework that meets internationally recognized security and privacy standards. Organizations subject to regulatory requirements can rely on the following certifications and audits:
| Standard | Scope |
|---|---|
| ISO/IEC 27001:2022 | Information Security Management System covering Enpass operational infrastructure |
| ISO/IEC 27701 | Privacy Information Management System; extends ISO 27001 with certified privacy governance |
| SOC 2 Type II | All five Trust Services Criteria (Security, Availability, Confidentiality, Processing Integrity, Privacy); covers operational effectiveness over a defined audit period |
| TISAX | "Data Protection" and "High Availability" labels, relevant to automotive and highly regulated industries |
| GDPR | Architecturally supported through data minimization and decentralized vault storage; reinforced by ISO 27701 certification |
Enpass's zero-knowledge, decentralized architecture naturally reduces the regulatory surface area — because vault data is never held by Enpass, a broad class of data-residency and data-breach obligations simply do not apply to Enpass Hub.
For certification details, audit reports, and downloadable compliance resources, visit the Enpass Trust Center.
Self-Hosting Enpass Hub on Your Own Infrastructure
Enpass Hub is hosted and managed by Enpass by default, and that is the recommended deployment. Enterprises with specific compliance, data-residency, or network-isolation requirements may instead prefer to run Enpass Hub on their own infrastructure. In a self-hosted deployment, no Enpass Hub data leaves your environment at all.
Interested in self-hosting Enpass Hub? Self-hosting Enpass Hub is available on Enterprise plans. Contact Enpass Support to obtain the relevant setup documentation and configuration guidance for your environment.