Statement on the BSI report: Assessment of PassSecurium (Private plans FREE & Standard)
As of December 11, 2025
We take the BSI’s published risk assessment seriously and would like to put the findings into transparent context. We understand that the current coverage may cause uncertainty. Below you will find a brief, factual explanation of what was assessed and what our next steps are.
What exactly was assessed
The published BSI profile relates exclusively to our private plans (FREE & Standard), which were tested in April 2025 using the mobile versions 1.1.63 (Android) and 2.1.2 (iOS). Business plans were not part of this consumer-protection assessment.
Business plans and Zero Knowledge
PassSecurium was designed from the ground up for use in companies. It was originally developed from our security platform SWISS SECURIUM (another business product in our portfolio). PassSecurium follows a strict security model: each customer instance is isolated, encrypted with an individual instance master password, and can be configured by the customer through central security policies, MFA, and device and access management. After the master password has been issued, we no longer have technical access to vault contents. This means the Zero-Knowledge concept has been ensured for our business plans from the very beginning.
Continuous security assessments and updates
PassSecurium is continuously maintained and further developed. Regular security assessments—both internal and external—are an integral part of our product development. Findings from these assessments, as well as the results of the BSI report, are consistently incorporated into our improvement measures. Since the assessment period, updates for the mobile apps have already been released that address several of the points mentioned in the report. We recommend that all users keep their app up to date at all times.
Master upgrade (version 3.0)
In parallel with ongoing product maintenance, we have been working on a master upgrade for over a year. The decision to fundamentally revise the cryptographic concept—with the goal of aligning it with today’s established standard—was made before the BSI assessment; the work continued in parallel during the study.
The master upgrade version 3.0 is already in use internally and with selected pilot customers. The global rollout is planned for January 2026.
Launch of the master upgrade (version 3.x)
The master upgrade 3.x referenced in the BSI report is already in use internally and with several pilot customers. The global rollout is planned for January 2026.
What does this mean for you as a customer?
Business customers:
- Your business instances were not part of the BSI assessment and are not affected by the points mentioned. No action is required.
- On request, we can provide technical evidence and audit documentation.
Private plans (FREE & Standard):
- Please use the latest app version and plan to upgrade to version 3.x as soon as it is rolled out globally.
- We understand that the reporting may cause concern. If, as a private customer, you nevertheless decide not to continue using the solution, we will respect that decision and accept an extraordinary cancellation of your private subscription in this context.
Transparency & contact
We stand for clear and verifiable communication. If you have any questions, please contact your account representative or use our support request form.
Main source: BSI final report "Risk assessment of selected password managers"